README.md

hub.docker.com/r/tiredofit/openldap

Introduction

This as a Dockerfile to build a OpenLDAP server for maintaining a directory. Upon starting this image it will give you a ready to run server with many configurable options.

• Tracks latest release

• Compiles from source

• Multiple backends (bdb, hdb, mdb, sql)

• All overlays compiled

• Supports TLS encryption

• Supports Replication

• Optional Web Server included to take advantage of Let's Encrypt certificates

• Scheduled Backups of Data

• Ability to choose NIS or rfc2307bis Schema

• Two Password Checking Modules - check_password.so and ppm.so

• Zabbix Monitoring templates included

• This Container uses a customized Alpine Linux base which includes s6 overlay enabled for PID 1 Init capabilities, zabbix-agent for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers..

Changelog

Authors

• Dave Conroy

Table of Contents

• Introduction
  • Changelog
• Prerequisites
• Dependencies
• Installation
• Quick Start
• Configuration
  • Data Volumes
  • Database
  • Environment Variables
  • Networking
• Maintenance
  • Shell Access
• References

Prerequisites

This image has the capability to take advantage of getting TLS certificates autogenerated via the jwilder/nginx-proxy and the Let's Encrypt Proxy Companion @ https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion. However, it will run just fine on it's own without it.

Dependencies

None.

Installation

Automated builds of the image are available on Registry and is the recommended method of installation.

docker pull tiredofit/openldap

Quick Start

• The quickest way to get started is using docker-compose. See the examples folder for a working docker-compose.yml that can be modified for development or production use.

• Set various environment variables to understand the capabilities of this image.

• Map persistent storage for access to configuration and data files for backup.

• Map Network Ports to allow external access.

Start openldap using:

docker-compose up

NOTE: Please allow up to 2 minutes for the application to start for the first time if you are generating TLS certificates.

Data-Volumes

The following directories are used for configuration and can be mapped for persistent storage.

Directory	Description
/var/lib/openldap	Data Directory
/etc/openldap/slapd.d	Configuration Directory
/assets/custom-scripts/	If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base)
/assets/slapd/certs/	Drop TLS Certificates here (or use your own path)
/data/backup	Backup Directory
/www/html	If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here

Environment Variables

Along with the Environment Variables from the Base image, below is the complete list of available options that can be used to customize your installation.

Required and used for new ldap server only:

Variable	Description
DOMAIN	LDAP domain. Default example.org
BASE_DN	LDAP base DN. If empty automatically set from DOMAIN value. Default (empty)
ADMIN_PASS	Ldap Admin password. Default admin
CONFIG_PASS	Ldap Config password. Default config
ORGANIZATION	Organization Name Default: Example Organization
ENABLE_READONLY_USER	Add a read only user. Defaultfalse
READONLY_USER_USER	Read only user username. Default readonly
READONLY_USER_PASS	Read only user password. Default readonly
SCHEMA_TYPE	Use nis or rfc2307bis core schema. Default nis

Variable	Description
BACKEND	Ldap backend. bdb hdb mdb and others. Default mdb
LOG_LEVEL	Set LDAP Log Level - Default 256
ULIMIT_N	Set Open File Descriptor Limit - Default 1024

Backup Options:

Variable	Description
BACKUP_CONFIG_CRON_PERIOD	Cron expression to schedule OpenLDAP config backup. Defaults 0 4 * * * Every day at 4am.
BACKUP_DATA_CRON_PERIOD	Cron expression to schedule OpenLDAP data backup. Defaults 0 4 * * * Every day at 4am.
BACKUP_TTL	Automatically cleanup backup after how many days. Default 15

Password Policy Options:

If you already have a check_password.conf or ppm.conf in /etc/openldap/ the following environment variables will not be applied

Variable	Description
PPOLICY_CHECK_RDN	Check RDN Parameter (ppm.so) - Default 0
PPOLICY_FORBIDDEN_CHARACTERS	Forbidden Characters (ppm.so) - Default ``
PPOLICY_MAX_CONSEC	Maximum Consective Character Pattern - Default 0
PPOLICY_MIN_DIGIT	Minimum Digit Characters - Default 0
PPOLICY_MIN_LOWER	Minimum Lowercase Characters - Default 0
PPOLICY_MIN_POINTS	Minimum Points required to pass checker - Default 3
PPOLICY_MIN_PUNCT	Minimum Punctuation Characters - Default 0
PPOLICY_MIN_UPPER	Minimum Uppercase Characters - Default 0
PPOLICY_USE_CRACKLIB	Use Cracklib for verifying words (ppm.so) - Default 1

TLS options:

Variable	Description
ENABLE_TLS	Add TLS capabilities. Can't be removed once set to true. Defaults true

| TLS_CA_CRT_FILENAME | TLS CA certificate filename. Default ca.pem | | TLS_CA_CRT_PATH | TLS CA certificate path. Default /assets/slapd/certs | | TLS_CIPHER_SUITE | TLS cipher suite. Default ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA | | TLS_CRT_FILENAME | TLS certificate filename. Default cert.pem | | TLS_CRT_PATH | TLS certificate path. Default /assets/slapd/certs | | TLS_DH_PARAM_FILENAME | TLS DHParam Filename. Default dhparam.pem | | TLS_DH_PARAM_KEYSIZE | TLS DHParam Keysize. Default 2048 | | TLS_DH_PARAM_PATH | TLS DHParam path. Default /assets/slapd/certs | | TLS_ENFORCE | Enforce TLS. Can't be disabled once set to true. Defaults false | | TLS_KEY_FILENAME | TLS certificate private key filename. Default key.pem | | TLS_KEY_PATH | TLS certificate private key path. Default /assets/slapd/certs | | TLS_RESET_PERMISSIONS | Change ownership and reset permissions on Certificates on startup. Default TRUE | | TLS_VERIFY_CLIENT | TLS verify client. Default try

Help: http://www.openldap.org/doc/admin24/tls.html

Replication options:

Variable	Description
ENABLE_REPLICATION	Add replication capabilities. Multimaster only at present. Default false
REPLICATION_CONFIG_SYNCPROV	olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on REPLICATION_HOSTS. Default binddn="cn=admin,cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
REPLICATION_DB_SYNCPROV	olcSyncRepl options used for the database. Without rid and provider which are automatically added based on REPLICATION_HOSTS. Default binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$ADMIN_PASS searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
REPLICATION_HOSTS	list of replication hosts seperated by a space, must contain the current container hostname set by --hostname on docker run command. If replicating all hosts must be set in the same order. Example - ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com

Other environment variables:

Variable	Description
ENABLE_NGINX	If you want to use automatic LetsEncrypt certificates for your server, set this to true
REMOVE_CONFIG_AFTER_SETUP	Delete config folder after setup. Default true
SSL_HELPER_PREFIX	Ssl-helper environment variables prefix. Default ldap, ssl-helper first search config from SSL_HELPER_* variables, before SSL_HELPER_* variables.

Networking

The following ports are exposed and available to public interfaces

Port	Description
80	Nginx - For Automatic LetsEncrypt Certficates
389	Unecrypted LDAP
636	TLS Encrypted LDAP

Maintenance

Shell Access

For debugging and maintenance purposes you may want access the containers shell.

docker exec -it openldap bash

References

• https://openldap.org