hub.docker.com/r/tiredofit/openldap

Introduction

This as a Dockerfile to build a OpenLDAP server for maintaining a directory. Upon starting this image it will give you a ready to run server with many configurable options.

Tracks latest release
Compiles from source
Multiple backends (bdb, hdb, mdb, sql)
All overlays compiled
Supports TLS encryption
Supports Replication
Scheduled Backups of Data
Ability to choose NIS or rfc2307bis Schema
Additional Password Modules (Argon, SHA2, PBKDF2)
Two Password Checking Modules - check_password.so and ppm.so
Zabbix Monitoring templates included
This Container uses a customized Alpine Linux base which includes s6 overlay enabled for PID 1 Init capabilities, zabbix-agent for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers..

Changelog

Authors

Dave Conroy

Prerequisites
Installation
- Quick Start
Configuration
Maintenance
- Shell Access
- References

Prerequisites

This image has the capability to take advantage of getting TLS certificates autogenerated via the jwilder/nginx-proxy and the Let's Encrypt Proxy Companion @ https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion. However, it will run just fine on it's own without it.

Dependencies

None.

Installation

Automated builds of the image are available on Docker Hub and is the recommended method of installation.

docker pull tiredofit/openldap

Quick Start

The quickest way to get started is using docker-compose. See the examples folder for a working docker-compose.yml that can be modified for development or production use.
Set various environment variables to understand the capabilities of this image.
Map persistent storage for access to configuration and data files for backup.
Map Network Ports to allow external access.

Start openldap using:

docker-compose up

NOTE: Please allow up to 2 minutes for the application to start for the first time if you are generating self signed TLS certificates.

Configuration

Data-Volumes

The following directories are used for configuration and can be mapped for persistent storage.

Directory	Description
`/var/lib/openldap`	Data Directory
`/etc/openldap/slapd.d`	Configuration Directory
`/assets/custom-scripts/`	If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base)
`/certs/`	Drop TLS Certificates here (or use your own path)
`/data/backup`	Backup Directory

Environment Varables

Along with the Environment Variables from the Base image, below is the complete list of available options that can be used to customize your installation.

Required for new setup

Variable	Description	Default
`DOMAIN`	LDAP domain.	`example.org`
`BASE_DN`	LDAP base DN. If empty automatically set from `DOMAIN` value.	(empty)
`ADMIN_PASS`	Ldap Admin password.	`admin`
`CONFIG_PASS`	Ldap Config password.	`config`
`ORGANIZATION`	Organization Name	`Example Organization`
`ENABLE_READONLY_USER`	Add a read only/Simple Security Object/DSA	`false`
`READONLY_USER_USER`	Read only user username.	`readonly`
`READONLY_USER_PASS`	Read only user password.	`readonly`
`SCHEMA_TYPE`	Use `nis` or `rfc2307bis` core schema.	`nis`

Logging Options

Variable	Description	Default
`LOG_FILE`	Filename for logging	`openldap.log`
`LOG_LEVEL`	Set LDAP Log Level	`256`
`LOG_PATH`	Path for Logs	`/logs/`
`LOG_TYPE`	Output to `CONSOLE` or `FILE`	`CONSOLE`

Backup Options:

Parameter	Description
`ENABLE_BACKUP`	Enable Backup System
`BACKUP_LOCATION`	Backup to `FILESYSTEM` or `S3` compatible services like S3, Minio, Wasabi
`BACKUP_COMPRESSION`	Use either Gzip `GZ`, Bzip2 `BZ`, XZip `XZ`, ZSTD `ZSTD` or none `NONE`
`BACKUP_COMPRESSION_LEVEL`	Numberical value of what level of compression to use, most allow `1` to `9` except for `ZSTD` which allows for `1` to `19`
`BACKUP_INTERVAL`	How often to do a dump, in minutes. Defaults to 1440 minutes, or once per day.
`BACKUP_BEGIN`	What time to do the first dump. Defaults to immediate. Must be in one of two formats
	Absolute HHMM, e.g. `2330` or `0415`
	Relative +MM, i.e. how many minutes after starting the container, e.g. `+0` (immediate), `+10` (in 10 minutes), or `+90` in an hour and a half
`BACKUP_RETENTION`	Value in minutes to delete old backups (only fired when dump freqency fires). 1440 would delete anything above 1 day old. You don't need to set this variable if you want to hold onto everything.
`BACKUP_MD5`	Generate MD5 Sum in Directory, `TRUE` or `FALSE`
`BACKUP_PARALLEL_COMPRESSION`	Use multiple cores when compressing backups `TRUE` or `FALSE`
`BACKUP_PATH`	Filesystem path on where to place backups

Backing Up to S3 Compatible Services

If BACKUP_LOCATION = S3 then the following options are used.

Parameter	Description
`BACKUP_S3_BUCKET`	S3 Bucket name e.g. 'mybucket'
`BACKUP_S3_HOSTNAME`	Hostname of S3 Server e.g "s3.amazonaws.com" - You can also include a port if necessary
`BACKUP_S3_KEY_ID`	S3 Key ID
`BACKUP_S3_KEY_SECRET`	S3 Key Secret
`BACKUP_S3_PATH`	S3 Pathname to save to e.g. '`backup`'
`BACKUP_S3_PROTOCOL`	Use either `http` or `https` to access service
`BACKUP_S3_URI_STYLE`	Choose either `VIRTUALHOST` or `PATH` style

Password Policy Options

If you already have a check_password.conf or ppm.conf in /etc/openldap/ the following environment variables will not be applied

Variable	Description	Default
`ENABLE_PPOLICY`	Enable PPolicy Module utilization	`TRUE`
`PPOLICY_CHECK_RDN`	Check RDN Parameter (ppm.so)	`0`
`PPOLICY_FORBIDDEN_CHARACTERS`	Forbidden Characters (ppm.so)	``
`PPOLICY_MAX_CONSEC`	Maximum Consective Character Pattern	`0`
`PPOLICY_MIN_DIGIT`	Minimum Digit Characters	`0`
`PPOLICY_MIN_LOWER`	Minimum Lowercase Characters	`0`
`PPOLICY_MIN_POINTS`	Minimum Points required to pass checker	`3`
`PPOLICY_MIN_PUNCT`	Minimum Punctuation Characters	`0`
`PPOLICY_MIN_UPPER`	Minimum Uppercase Characters	`0`
`PPOLICY_USE_CRACKLIB`	Use Cracklib for verifying words (ppm.so)	`1`

TLS options

Variable	Description	Default
`ENABLE_TLS`	Add TLS capabilities. Can't be removed once set to `TRUE`.	`true`
`TLS_CA_NAME`	Selfsigned CA Name	`ldap-selfsigned-ca`
`TLS_CA_SUBJECT`	Selfsigned CA Subject	`/C=XX/ST=LDAP/L=LDAP/O=LDAP/CN=`
`TLS_CA_CRT_SUBJECT`	SelfSigned CA Cert Sujbject	`${TLS_CA_SUBJECT}${TLS_CA_NAME}`
`TLS_CA_CRT_FILENAME`	CA Cert filename	`${TLS_CA_AME}.crt`
`TLS_CA_KEY_FILENAME`	CA Key filename	`${TLS_CA_NAME}.key`
`TLS_CA_CRT_PATH`	CA Certificates path	`/certs/${TLS_CA_NAME}/`
`TLS_CIPHER_SUITE`	Cipher Suite to use	`ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA`
`TLS_CREATE_CA`	Automatically create CA when generating certificates	`TRUE`
`TLS_CRT_FILENAME`	TLS cert filename	`cert.pem`
`TLS_CRT_PATH`	TLS cert path	`/certs/`
`TLS_DH_PARAM_FILENAME`	DH Param filename	`dhparam.pem`
`TLS_DH_PARAM_KEYSIZE`	Keysize for DH Param	`2048`
`TLS_DH_PARAM_PATH`	DH Param path	`/certs/`
`TLS_ENFORCE`	Enforce TLS Usage	`FALSE`
`TLS_KEY_FILENAME`	TLS Key filename	`key.pem`
`TLS_KEY_PATH`	TLS Key path	`/certs/`
`TLS_RESET_PERMISSIONS`	Change permissions on certificate directories for OpenLDAP to read	`TRUE`
`TLS_VERIFY_CLIENT`	TLS verify client.	`try`

Help: http://www.openldap.org/doc/admin24/tls.html

Replication options

Variable	Description	Default
`ENABLE_REPLICATION`	Add replication capabilities. Multimaster only at present.	`false`
`REPLICATION_CONFIG_SYNCPROV`	olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`.	`binddn="cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 60 +" timeout=1 filter="(!(objectclass=olcGlobal))"`
`REPLICATION_DB_SYNCPROV`	olcSyncRepl options used for the database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`.	`binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$ADMIN_PASS searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="5 5 60 +" timeout=1`
`REPLICATION_HOSTS`	list of replication hosts seperated by a space, must contain the current container hostname set by --hostname on docker run command. If replicating all hosts must be set in the same order. Example - `ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com`
`WAIT_FOR_REPLICAS`	should we wait for configured replicas to come online (respond to ping) before startup?	`false`

Other environment variables

Variable	Description	Default
`CONFIG_PATH`	Configuration files path	`/etc/openldap`
`DB_PATH`	Data Files path	`/var/lib/openldap`
`REMOVE_CONFIG_AFTER_SETUP`	Delete config folder after setup.	`true`
`SLAPD_ARGS`	If you want to override slapd runtime arguments place here . Default (null)
`SLAPD_HOSTS`	Allow overriding the default listen parameters	`ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///`
`ULIMIT_N`	Set Open File Descriptor Limit	`1024`

Networking

The following ports are exposed and available to public interfaces

Port	Description
`389`	LDAP
`636`	TLS Encrypted LDAP

Maintenance

Shell Access

For debugging and maintenance purposes you may want access the containers shell.

docker exec -it openldap bash

References

https://openldap.org

goldsam / docker-openldap Goto Github PK

docker-openldap's Introduction