mirror of
https://github.com/luzifer-docker/openldap.git
synced 2024-12-20 12:41:17 +00:00
Adding ppolicy
This commit is contained in:
parent
88fbcb52dd
commit
88614bd176
3 changed files with 93 additions and 56 deletions
126
README.md
126
README.md
|
@ -1,8 +1,7 @@
|
|||
docker-openldap
|
||||
===============
|
||||
# docker-openldap
|
||||
> A Docker image running OpenLDAP.
|
||||
|
||||
A Docker image running OpenLDAP on Debian stable ("jessie" at the moment). The
|
||||
Dockerfile is inspired by
|
||||
The image is based on Debian stable ("jessie" at the moment). The Dockerfile is inspired by
|
||||
[cnry/openldap](https://registry.hub.docker.com/u/cnry/openldap/), but as said
|
||||
before, running a stable Debian and be a little less verbose, but more complete
|
||||
in the configuration.
|
||||
|
@ -11,8 +10,7 @@ NOTE: On purpose, there is no secured channel (TLS/SSL), because I believe that
|
|||
this service should never be exposed to the internet, but only be used directly
|
||||
by other Docker containers using the `--link` option.
|
||||
|
||||
Usage
|
||||
-----
|
||||
## Usage
|
||||
|
||||
The most simple form would be to start the application like so (however this is
|
||||
not the recommended way - see below):
|
||||
|
@ -31,67 +29,87 @@ An application talking to OpenLDAP should then `--link` the container:
|
|||
The name after the colon in the `--link` section is the hostname where the
|
||||
OpenLDAP daemon is listening to (the port is the default port `389`).
|
||||
|
||||
Configuration (environment variables)
|
||||
-------------------------------------
|
||||
## Configuration (environment variables)
|
||||
|
||||
For the first run, one has to set at least two environment variables. The first
|
||||
For the first run, one has to set at least two environment variables. After the
|
||||
first start of the image (and the initial configuration), these
|
||||
envirnonment variables are not evaluated.
|
||||
|
||||
SLAPD_PASSWORD
|
||||
|
||||
sets the password for the `admin` user.
|
||||
|
||||
The second
|
||||
|
||||
SLAPD_DOMAIN
|
||||
|
||||
sets the DC (Domain component) parts. E.g. if one sets it to `ldap.example.org`,
|
||||
the generated base DC parts would be `...,dc=ldap,dc=example,dc=org`.
|
||||
|
||||
There is an optinal third variable
|
||||
|
||||
SLAPD_ORGANIZATION (defaults to $SLAPD_DOMAIN)
|
||||
|
||||
that represents the human readable company name (e.g. `Example Inc.`).
|
||||
|
||||
The fourth (somewhat) optional variable
|
||||
|
||||
SLAPD_CONFIG_PASSWORD
|
||||
|
||||
allows password protected access to the `dn=config` branch. This helps to
|
||||
reconfigure the server without interruption (read the
|
||||
* `SLAPD_PASSWORD` (required) - sets the password for the `admin` user.
|
||||
* `SLAPD_DOMAIN` (required) - sets the DC (Domain component) parts. E.g. if one sets
|
||||
it to `ldap.example.org`, the generated base DC parts would be `...,dc=ldap,dc=example,dc=org`.
|
||||
* `SLAPD_ORGANIZATION` (defaults to $SLAPD_DOMAIN) - represents the human readable
|
||||
company name (e.g. `Example Inc.`).
|
||||
* `SLAPD_CONFIG_PASSWORD` - allows password protected access to the `dn=config`
|
||||
branch. This helps to reconfigure the server without interruption (read the
|
||||
[official documentation](http://www.openldap.org/doc/admin24/guide.html#Configuring%20slapd)).
|
||||
* `SLAPD_ADDITIONAL_SCHEMAS` - loads additional schemas provided in the `slapd`
|
||||
package that are not installed using the environment variable with comma-separated
|
||||
enties. As of writing these instructions, there are the following additional schemas
|
||||
available: `collective`, `corba`, `duaconf`, `dyngroup`, `java`, `misc`, `openldap`,
|
||||
`pmi` and `ppolicy`.
|
||||
* `SLAPD_ADDITIONAL_MODULES` - comma-separated list of modules to load. It will try
|
||||
to run `.ldif` files with a corresponsing name from the `module` directory.
|
||||
Currently only `memberof` and `ppolicy` are avaliable.
|
||||
* `SLAPD_FORCE_RECONFIGURE` - (defaults to false) Used if one needs to reconfigure
|
||||
the `slapd` service after the image has been initialized. Set this value to `true`
|
||||
to reconfigure he image.
|
||||
* `SLAPD_PPOLICY_DN_PREFIX` - (defaults to `cn=default,ou=policies`) sets the dn
|
||||
prefix used in `modules/ppolicy.ldif` for the `olcPPolicyDefault` attribute. The
|
||||
value used for `olcPPolicyDefault` is derived from `$SLAPD_PPOLICY_DN_PREFIX,(dc
|
||||
component parts from $SLAPD_DOMAIN)`. This variable is only useful when `ppolicy`
|
||||
is listed as a module with `SLAPD_ADDITIONAL_MODULES`.
|
||||
|
||||
One can load additional schemas provided in the `slapd` package that are not
|
||||
installed using the
|
||||
### Setting up ppolicy
|
||||
|
||||
SLAPD_ADDITIONAL_SCHEMAS
|
||||
If you're running the image with the following variables:
|
||||
|
||||
environment variable with comma-separated enties. As of writing these
|
||||
instructions, there are the following additional schemas available:
|
||||
`collective`, `corba`, `duaconf`, `dyngroup`, `java`, `misc`, `openldap`, `pmi`
|
||||
and `ppolicy`.
|
||||
```
|
||||
-e SLAPD_DOMAIN=mycompany.com -e SLAPD_ADDITIONAL_MODULES=ppolicy`
|
||||
```
|
||||
|
||||
At least one quite common module is neither loaded nor configured by default (I
|
||||
am talking about the `memberof` overlay). In order to activate this (and
|
||||
possibly other modules in the future), there is another environment variable
|
||||
called
|
||||
You'll need to execute the following command:
|
||||
|
||||
SLAPD_ADDITIONAL_MODULES
|
||||
```
|
||||
ldapadd -h localhost -x -c -D 'cn=admin,dc=mycompany,dc=com' -w adminSecret -f mypolicy.ldif
|
||||
```
|
||||
|
||||
which can hold comma-separated enties. It will try to run `.ldif` files with
|
||||
a corresponsing name from the `module` directory. Currently only `memberof` is
|
||||
avaliable.
|
||||
The contents of `mypolicy.ldif` should look something like this:
|
||||
|
||||
After the first start of the image (and the initial configuration), these
|
||||
envirnonment variables are not evaluated anymore. If one needs to reconfigure
|
||||
the `slapd` service, it is possible to set
|
||||
```
|
||||
# Define password policy
|
||||
dn: ou=policies,dc=mycompany,dc=com
|
||||
objectClass: organizationalUnit
|
||||
ou: policies
|
||||
|
||||
SLAPD_FORCE_RECONFIGURE (defaults to false)
|
||||
dn: cn=default,ou=policies,dc=mycompany,dc=com
|
||||
objectClass: applicationProcess
|
||||
objectClass: pwdPolicy
|
||||
cn: default
|
||||
pwdAllowUserChange: TRUE
|
||||
pwdAttribute: userPassword
|
||||
pwdCheckQuality: 1
|
||||
# 7 days
|
||||
pwdExpireWarning: 604800
|
||||
pwdFailureCountInterval: 0
|
||||
pwdGraceAuthNLimit: 0
|
||||
pwdInHistory: 5
|
||||
pwdLockout: TRUE
|
||||
# 30 minutes
|
||||
pwdLockoutDuration: 1800
|
||||
# 180 days
|
||||
pwdMaxAge: 15552000
|
||||
pwdMaxFailure: 5
|
||||
pwdMinAge: 0
|
||||
pwdMinLength: 6
|
||||
pwdMustChange: TRUE
|
||||
pwdSafeModify: FALSE
|
||||
```
|
||||
|
||||
to `true`.
|
||||
See the [docs](http://www.zytrax.com/books/ldap/ch6/ppolicy.html) for descriptions
|
||||
on the available attributes and what they mean.
|
||||
|
||||
Data persistence
|
||||
----------------
|
||||
## Data persistence
|
||||
|
||||
The image exposes two directories (`VOLUME ["/etc/ldap", "/var/lib/ldap"]`).
|
||||
The first holds the "static" configuration while the second holds the actual
|
||||
|
|
|
@ -25,8 +25,8 @@ if [[ ! -d /etc/ldap/slapd.d || "$SLAPD_FORCE_RECONFIGURE" == "true" ]]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
SLAPD_PPOLICY_DN_PREFIX="${SLAPD_PPOLICY_DN_PREFIX:-cn=default,ou=policies}"
|
||||
SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
|
||||
|
||||
cp -a /etc/ldap.dist/* /etc/ldap
|
||||
|
||||
cat <<-EOF | debconf-set-selections
|
||||
|
@ -78,7 +78,13 @@ EOF
|
|||
IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES)
|
||||
|
||||
for module in "${modules[@]}"; do
|
||||
slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
|
||||
moduleFile="/etc/ldap/modules/${module}.ldif"
|
||||
|
||||
if [ "$module" == 'ppolicy' ]; then
|
||||
sed -i'' "s|\(olcPPolicyDefault: \)PPOLICY_DN|\1${SLAPD_PPOLICY_DN_PREFIX}$dc_string|" $moduleFile
|
||||
fi
|
||||
|
||||
slapadd -n0 -F /etc/ldap/slapd.d -l "$moduleFile" >/dev/null 2>&1
|
||||
done
|
||||
fi
|
||||
|
||||
|
|
13
modules/ppolicy.ldif
Normal file
13
modules/ppolicy.ldif
Normal file
|
@ -0,0 +1,13 @@
|
|||
dn: cn=module,cn=config
|
||||
objectClass: olcModuleList
|
||||
cn: module
|
||||
olcModuleLoad: ppolicy.la
|
||||
|
||||
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcPPolicyConfig
|
||||
olcOverlay: ppolicy
|
||||
olcPPolicyDefault: PPOLICY_DN
|
||||
olcPPolicyHashCleartext: FALSE
|
||||
olcPPolicyForwardUpdates: FALSE
|
||||
olcPPolicyUseLockout: FALSE
|
Loading…
Reference in a new issue