mirror of
https://github.com/luzifer-docker/openldap.git
synced 2024-12-30 01:11:18 +00:00
Adding ppolicy
This commit is contained in:
parent
88fbcb52dd
commit
88614bd176
3 changed files with 93 additions and 56 deletions
126
README.md
|
@ -1,8 +1,7 @@
|
||||||
docker-openldap
|
# docker-openldap
|
||||||
===============
|
> A Docker image running OpenLDAP.
|
||||||
|
|
||||||
A Docker image running OpenLDAP on Debian stable ("jessie" at the moment). The
|
The image is based on Debian stable ("jessie" at the moment). The Dockerfile is inspired by
|
||||||
Dockerfile is inspired by
|
|
||||||
[cnry/openldap](https://registry.hub.docker.com/u/cnry/openldap/), but as said
|
[cnry/openldap](https://registry.hub.docker.com/u/cnry/openldap/), but as said
|
||||||
before, running a stable Debian and be a little less verbose, but more complete
|
before, running a stable Debian and be a little less verbose, but more complete
|
||||||
in the configuration.
|
in the configuration.
|
||||||
|
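Review bot: The sentence kept unchanged at the end of this hunk, "but as said before, running a stable Debian and be a little less verbose, but more complete in the configuration", is ungrammatical, and "as said before" no longer points at anything now that the opening line has been split into a blockquote and a separate "The image is based on ..." sentence; reword it to something like "but runs a stable Debian, is a little less verbose, and is more complete in its configuration."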
@ -11,8 +10,7 @@ NOTE: On purpose, there is no secured channel (TLS/SSL), because I believe that
|
||||||
this service should never be exposed to the internet, but only be used directly
|
this service should never be exposed to the internet, but only be used directly
|
||||||
by other Docker containers using the `--link` option.
|
by other Docker containers using the `--link` option.
|
||||||
|
|
||||||
Usage
|
## Usage
|
||||||
-----
|
|
||||||
|
|
||||||
The most simple form would be to start the application like so (however this is
|
The most simple form would be to start the application like so (however this is
|
||||||
not the recommended way - see below):
|
not the recommended way - see below):
|
||||||
|
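Review bot: With this commit adding password policy enforcement, the unchanged NOTE in this hunk deserves one more sentence: without TLS every simple bind, including the admin bind used later in the README to load the policy entries, sends the password in cleartext, so the container's port 389 must never be published on the host and should only be reached through `--link` as the text already states.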
@ -31,67 +29,87 @@ An application talking to OpenLDAP should then `--link` the container:
|
||||||
The name after the colon in the `--link` section is the hostname where the
|
The name after the colon in the `--link` section is the hostname where the
|
||||||
OpenLDAP daemon is listening to (the port is the default port `389`).
|
OpenLDAP daemon is listening to (the port is the default port `389`).
|
||||||
|
|
||||||
Configuration (environment variables)
|
## Configuration (environment variables)
|
||||||
-------------------------------------
|
|
||||||
|
|
||||||
For the first run, one has to set at least two environment variables. The first
|
For the first run, one has to set at least two environment variables. After the
|
||||||
|
first start of the image (and the initial configuration), these
|
||||||
|
envirnonment variables are not evaluated.
|
||||||
|
|
||||||
SLAPD_PASSWORD
|
* `SLAPD_PASSWORD` (required) - sets the password for the `admin` user.
|
||||||
|
* `SLAPD_DOMAIN` (required) - sets the DC (Domain component) parts. E.g. if one sets
|
||||||
sets the password for the `admin` user.
|
it to `ldap.example.org`, the generated base DC parts would be `...,dc=ldap,dc=example,dc=org`.
|
||||||
|
* `SLAPD_ORGANIZATION` (defaults to $SLAPD_DOMAIN) - represents the human readable
|
||||||
The second
|
company name (e.g. `Example Inc.`).
|
||||||
|
* `SLAPD_CONFIG_PASSWORD` - allows password protected access to the `dn=config`
|
||||||
SLAPD_DOMAIN
|
branch. This helps to reconfigure the server without interruption (read the
|
||||||
|
|
||||||
sets the DC (Domain component) parts. E.g. if one sets it to `ldap.example.org`,
|
|
||||||
the generated base DC parts would be `...,dc=ldap,dc=example,dc=org`.
|
|
||||||
|
|
||||||
There is an optinal third variable
|
|
||||||
|
|
||||||
SLAPD_ORGANIZATION (defaults to $SLAPD_DOMAIN)
|
|
||||||
|
|
||||||
that represents the human readable company name (e.g. `Example Inc.`).
|
|
||||||
|
|
||||||
The fourth (somewhat) optional variable
|
|
||||||
|
|
||||||
SLAPD_CONFIG_PASSWORD
|
|
||||||
|
|
||||||
allows password protected access to the `dn=config` branch. This helps to
|
|
||||||
reconfigure the server without interruption (read the
|
|
||||||
[official documentation](http://www.openldap.org/doc/admin24/guide.html#Configuring%20slapd)).
|
[official documentation](http://www.openldap.org/doc/admin24/guide.html#Configuring%20slapd)).
|
||||||
|
* `SLAPD_ADDITIONAL_SCHEMAS` - loads additional schemas provided in the `slapd`
|
||||||
|
package that are not installed using the environment variable with comma-separated
|
||||||
|
enties. As of writing these instructions, there are the following additional schemas
|
||||||
|
available: `collective`, `corba`, `duaconf`, `dyngroup`, `java`, `misc`, `openldap`,
|
||||||
|
`pmi` and `ppolicy`.
|
||||||
|
* `SLAPD_ADDITIONAL_MODULES` - comma-separated list of modules to load. It will try
|
||||||
|
to run `.ldif` files with a corresponsing name from the `module` directory.
|
||||||
|
Currently only `memberof` and `ppolicy` are avaliable.
|
||||||
|
* `SLAPD_FORCE_RECONFIGURE` - (defaults to false) Used if one needs to reconfigure
|
||||||
|
the `slapd` service after the image has been initialized. Set this value to `true`
|
||||||
|
to reconfigure he image.
|
||||||
|
* `SLAPD_PPOLICY_DN_PREFIX` - (defaults to `cn=default,ou=policies`) sets the dn
|
||||||
|
prefix used in `modules/ppolicy.ldif` for the `olcPPolicyDefault` attribute. The
|
||||||
|
value used for `olcPPolicyDefault` is derived from `$SLAPD_PPOLICY_DN_PREFIX,(dc
|
||||||
|
component parts from $SLAPD_DOMAIN)`. This variable is only useful when `ppolicy`
|
||||||
|
is listed as a module with `SLAPD_ADDITIONAL_MODULES`.
|
||||||
|
|
||||||
One can load additional schemas provided in the `slapd` package that are not
|
### Setting up ppolicy
|
||||||
installed using the
|
|
||||||
|
|
||||||
SLAPD_ADDITIONAL_SCHEMAS
|
If you're running the image with the following variables:
|
||||||
|
|
||||||
environment variable with comma-separated enties. As of writing these
|
```
|
||||||
instructions, there are the following additional schemas available:
|
-e SLAPD_DOMAIN=mycompany.com -e SLAPD_ADDITIONAL_MODULES=ppolicy`
|
||||||
`collective`, `corba`, `duaconf`, `dyngroup`, `java`, `misc`, `openldap`, `pmi`
|
```
|
||||||
and `ppolicy`.
|
|
||||||
|
|
||||||
At least one quite common module is neither loaded nor configured by default (I
|
You'll need to execute the following command:
|
||||||
am talking about the `memberof` overlay). In order to activate this (and
|
|
||||||
possibly other modules in the future), there is another environment variable
|
|
||||||
called
|
|
||||||
|
|
||||||
SLAPD_ADDITIONAL_MODULES
|
```
|
||||||
|
ldapadd -h localhost -x -c -D 'cn=admin,dc=mycompany,dc=com' -w adminSecret -f mypolicy.ldif
|
||||||
|
```
|
||||||
|
|
||||||
which can hold comma-separated enties. It will try to run `.ldif` files with
|
The contents of `mypolicy.ldif` should look something like this:
|
||||||
a corresponsing name from the `module` directory. Currently only `memberof` is
|
|
||||||
avaliable.
|
|
||||||
|
|
||||||
After the first start of the image (and the initial configuration), these
|
```
|
||||||
envirnonment variables are not evaluated anymore. If one needs to reconfigure
|
# Define password policy
|
||||||
the `slapd` service, it is possible to set
|
dn: ou=policies,dc=mycompany,dc=com
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
ou: policies
|
||||||
|
|
||||||
SLAPD_FORCE_RECONFIGURE (defaults to false)
|
dn: cn=default,ou=policies,dc=mycompany,dc=com
|
||||||
|
objectClass: applicationProcess
|
||||||
|
objectClass: pwdPolicy
|
||||||
|
cn: default
|
||||||
|
pwdAllowUserChange: TRUE
|
||||||
|
pwdAttribute: userPassword
|
||||||
|
pwdCheckQuality: 1
|
||||||
|
# 7 days
|
||||||
|
pwdExpireWarning: 604800
|
||||||
|
pwdFailureCountInterval: 0
|
||||||
|
pwdGraceAuthNLimit: 0
|
||||||
|
pwdInHistory: 5
|
||||||
|
pwdLockout: TRUE
|
||||||
|
# 30 minutes
|
||||||
|
pwdLockoutDuration: 1800
|
||||||
|
# 180 days
|
||||||
|
pwdMaxAge: 15552000
|
||||||
|
pwdMaxFailure: 5
|
||||||
|
pwdMinAge: 0
|
||||||
|
pwdMinLength: 6
|
||||||
|
pwdMustChange: TRUE
|
||||||
|
pwdSafeModify: FALSE
|
||||||
|
```
|
||||||
|
|
||||||
to `true`.
|
See the [docs](http://www.zytrax.com/books/ldap/ch6/ppolicy.html) for descriptions
|
||||||
|
on the available attributes and what they mean.
|
||||||
|
|
||||||
Data persistence
|
## Data persistence
|
||||||
----------------
|
|
||||||
|
|
||||||
The image exposes two directories (`VOLUME ["/etc/ldap", "/var/lib/ldap"]`).
|
The image exposes two directories (`VOLUME ["/etc/ldap", "/var/lib/ldap"]`).
|
||||||
The first holds the "static" configuration while the second holds the actual
|
The first holds the "static" configuration while the second holds the actual
|
||||||
|
|
|
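Review bot: The fenced run example in the new "Setting up ppolicy" section has a stray trailing backtick after `-e SLAPD_ADDITIONAL_MODULES=ppolicy`; drop it. The `ldapadd ... -w adminSecret` example passes the admin password on the command line, where it ends up in shell history and is visible to other users via `ps`; prefer `-W` to prompt for it or `-y <file>` to read it from a file. It is also worth saying in the text that `olcPPolicyDefault` points at `cn=default,ou=policies,...` before that entry exists, so no default policy is in effect until `mypolicy.ldif` has been loaded, and that `pwdMinLength: 6` in the sample is a weak floor for a sample policy a reader will likely copy verbatim. The new bullet text carries typos: "envirnonment", "enties", "corresponsing", "avaliable" and "reconfigure he image".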
@ -25,8 +25,8 @@ if [[ ! -d /etc/ldap/slapd.d || "$SLAPD_FORCE_RECONFIGURE" == "true" ]]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
SLAPD_PPOLICY_DN_PREFIX="${SLAPD_PPOLICY_DN_PREFIX:-cn=default,ou=policies}"
|
||||||
SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
|
SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
|
||||||
|
|
||||||
cp -a /etc/ldap.dist/* /etc/ldap
|
cp -a /etc/ldap.dist/* /etc/ldap
|
||||||
|
|
||||||
cat <<-EOF | debconf-set-selections
|
cat <<-EOF | debconf-set-selections
|
||||||
|
@ -78,7 +78,13 @@ EOF
|
||||||
IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES)
|
IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES)
|
||||||
|
|
||||||
for module in "${modules[@]}"; do
|
for module in "${modules[@]}"; do
|
||||||
slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
|
moduleFile="/etc/ldap/modules/${module}.ldif"
|
||||||
|
|
||||||
|
if [ "$module" == 'ppolicy' ]; then
|
||||||
|
sed -i'' "s|\(olcPPolicyDefault: \)PPOLICY_DN|\1${SLAPD_PPOLICY_DN_PREFIX}$dc_string|" $moduleFile
|
||||||
|
fi
|
||||||
|
|
||||||
|
slapadd -n0 -F /etc/ldap/slapd.d -l "$moduleFile" >/dev/null 2>&1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
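Review bot: The `slapadd -n0 ... >/dev/null 2>&1` at the end of the loop discards both the output and the exit status, so a misspelled module name in `SLAPD_ADDITIONAL_MODULES`, a missing `.ldif`, or a failed `sed` substitution that leaves the literal `PPOLICY_DN` in place is never reported and the container starts without the overlay; drop the stderr redirect and fail on a non-zero status, e.g. `slapadd -n0 -F /etc/ldap/slapd.d -l "$moduleFile" || { echo "loading module ${module} failed" >&2; exit 1; }`. The substitution also depends on `$dc_string`, which is not set anywhere in this hunk; make sure it is defined before the loop. Minor: quote `"$moduleFile"` in the `sed` call for consistency with the `slapadd` line.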
13
modules/ppolicy.ldif
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
dn: cn=module,cn=config
|
||||||
|
objectClass: olcModuleList
|
||||||
|
cn: module
|
||||||
|
olcModuleLoad: ppolicy.la
|
||||||
|
|
||||||
|
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
|
||||||
|
objectClass: olcOverlayConfig
|
||||||
|
objectClass: olcPPolicyConfig
|
||||||
|
olcOverlay: ppolicy
|
||||||
|
olcPPolicyDefault: PPOLICY_DN
|
||||||
|
olcPPolicyHashCleartext: FALSE
|
||||||
|
olcPPolicyForwardUpdates: FALSE
|
||||||
|
olcPPolicyUseLockout: FALSE
|
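Review bot: `olcPPolicyHashCleartext: FALSE` means a `userPassword` that arrives in cleartext through an LDAP add or modify (the flow the README's `ldapadd` example uses) is stored as-is in the hdb backend; unless clients are known to hash passwords themselves, set it to `TRUE` so the overlay hashes the value with the configured `olcPasswordHash` scheme. `olcPPolicyUseLockout: FALSE` is the right default to keep, since returning the AccountLocked error would let a client tell locked accounts from unknown ones. Note also that the overlay is bound to `olcDatabase={1}hdb`, so this file silently stops matching if the backend type or index ever changes.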