d2da60fbba
Typo found and corrected by Vampouille |
||
---|---|---|
modules | ||
Dockerfile | ||
entrypoint.sh | ||
LICENSE | ||
README.md |
docker-openldap
The image is based on Debian stable ("jessie" at the moment). The Dockerfile is inspired by cnry/openldap, but as said before, running a stable Debian and be a little less verbose, but more complete in the configuration.
NOTE: On purpose, there is no secured channel (TLS/SSL), because I believe that
this service should never be exposed to the internet, but only be used directly
by other Docker containers using the --link
option.
Usage
The most simple form would be to start the application like so (however this is not the recommended way - see below):
docker run -d -p 389:389 -e SLAPD_PASSWORD=mysecretpassword -e SLAPD_DOMAIN=ldap.example.org dinkel/openldap
To get the full potential this image offers, one should first create a data-only container (see "Data persistence" below), start the OpenLDAP daemon as follows:
docker run -d --name openldap --volumes-from your-data-container dinkel/openldap
An application talking to OpenLDAP should then --link
the container:
docker run -d --link openldap:openldap image-using-openldap
The name after the colon in the --link
section is the hostname where the
OpenLDAP daemon is listening to (the port is the default port 389
).
Configuration (environment variables)
For the first run, one has to set at least the first two environment variables.
After the first start of the image (and the initial configuration), these
envirnonment variables are not evaluated again (see the
SLAPD_FORCE_RECONFIGURE
option).
-
SLAPD_PASSWORD
(required) - sets the password for theadmin
user. -
SLAPD_DOMAIN
(required) - sets the DC (Domain component) parts. E.g. if one sets it toldap.example.org
, the generated base DC parts would be...,dc=ldap,dc=example,dc=org
. -
SLAPD_ORGANIZATION
(defaults to $SLAPD_DOMAIN) - represents the human readable company name (e.g.Example Inc.
). -
SLAPD_CONFIG_PASSWORD
- allows password protected access to thedn=config
branch. This helps to reconfigure the server without interruption (read the official documentation). -
SLAPD_ADDITIONAL_SCHEMAS
- loads additional schemas provided in theslapd
package that are not installed using the environment variable with comma-separated enties. As of writing these instructions, there are the following additional schemas available:collective
,corba
,duaconf
,dyngroup
,java
,misc
,openldap
,pmi
andppolicy
. -
SLAPD_ADDITIONAL_MODULES
- comma-separated list of modules to load. It will try to run.ldif
files with a corresponsing name from themodule
directory. Currently onlymemberof
andppolicy
are avaliable. -
SLAPD_FORCE_RECONFIGURE
- (defaults to false) Used if one needs to reconfigure theslapd
service after the image has been initialized. Set this value totrue
to reconfigure the image.
Setting up ppolicy
The ppolicy module provides enhanced password management capabilities that are
applied to non-rootdn bind attempts in OpenLDAP. In order to it, one has to load
both the schema ppolicy
and the module ppolicy
:
-e SLAPD_DOMAIN=ldap.example.org -e SLAPD_ADDITIONAL_SCHEMAS=ppolicy -e SLAPD_ADDITIONAL_MODULES=ppolicy`
There is one additional environment variable available:
SLAPD_PPOLICY_DN_PREFIX
- (defaults tocn=default,ou=policies
) sets the dn prefix used inmodules/ppolicy.ldif
for theolcPPolicyDefault
attribute. The value used forolcPPolicyDefault
is derived from$SLAPD_PPOLICY_DN_PREFIX,(dc component parts from $SLAPD_DOMAIN)
.
After loading the module, you have to load a default password policy, like so:
ldapadd -h localhost -x -c -D 'cn=admin,dc=ldap,dc=example,dc=org' -w [$SLAPD_PASSWORD] -f default-policy.ldif
The contents of default-policy.ldif
should look something like this:
# Define password policy
dn: ou=policies,dc=ldap,dc=example,dc=org
objectClass: organizationalUnit
ou: policies
dn: cn=default,ou=policies,dc=ldap,dc=example,dc=org
objectClass: applicationProcess
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 1
# 7 days
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 5
pwdLockout: TRUE
# 30 minutes
pwdLockoutDuration: 1800
# 180 days
pwdMaxAge: 15552000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 6
pwdMustChange: TRUE
pwdSafeModify: FALSE
See the docs for descriptions on the available attributes and what they mean.
Data persistence
The image exposes two directories (VOLUME ["/etc/ldap", "/var/lib/ldap"]
).
The first holds the "static" configuration while the second holds the actual
database. Please make sure that these two directories are saved (in a data-only
container or alike) in order to make sure that everything is restored after a
restart of the container.