This docker image provides LDAP Server initalized for the DICOM Archive dcm4chee-arc-light. It extends the dcm4che slapd image.
$ docker run --name slapd \
-p 389:389 \
-v /var/local/dcm4chee-arc/ldap:/var/lib/openldap/openldap-data \
-v /var/local/dcm4chee-arc/slapd.d:/etc/openldap/slapd.d \
-d dcm4che/slapd-dcm4chee:2.4.58-25.0
Below explained environment variables can be set as per one's application to override the default values if need be.
An example of how one can set an env variable in docker run command is shown below :
-e LDAP_ROOTPASS=mypass
uid of the ldap user running slapd inside the container (optional, default is 1021).
gid of the ldap user running slapd inside the container (optional, default is 1021).
Debug-level specified as bit string, with each bit corresponding to a different kind of debugging information:
| Component | bit string |
|---|---|
| Any | (-1, 0xffffffff) |
| Trace | (1, 0x1) |
| Packets | (2, 0x2) |
| Args | (4, 0x4) |
| Conns | (8, 0x8) |
| BER | (16, 0x10) |
| Filter | (32, 0x20) |
| Config | (64, 0x40) |
| ACL | (128, 0x80) |
| Stats | (256, 0x100) |
| Stats2 | (512, 0x200) |
| Shell | (1024, 0x400) |
| Parse | (2048, 0x800) |
| Sync | (16384, 0x4000) |
| None | (32768, 0x8000) |
Set to 32768 by default.
Space separated list of schema definition LDIF files applied at first LDAP startup.
Relative file paths are resolved against /etc/openldap/schema/.
dicom.ldif dcm4che.ldif dcm4chee-archive.ldif dcm4chee-archive-ui.ldif by default.
Space separated list of schema definition update LDIF files applied by script update-schema.
Relative file paths are resolved against /etc/openldap/schema/.
dicom-modify.ldif dcm4che-modify.ldif dcm4chee-archive-modify.ldif dcm4chee-archive-ui-modify.ldif by default.
Base domain name for LDAP (optional, default is dc=dcm4che,dc=org).
Organisation name in LDAP root node (optional, default is dcm4che.org).
Root DN password (bind DN: cn=admin,${LDAP_BASE_DN}) (optional, default is secret).
Root DN password (bind DN: cn=admin,${LDAP_BASE_DN}) via file input (alternative to LDAP_ROOTPASS).
Config DIT password (bind DN cn=admin,cn=config) (optional, default is secret).
Config DIT password (bind DN cn=admin,cn=config) via file input (alternative to LDAP_CONFIGPASS).
Space separated list of LDAP URLs to serve.
Set to "ldap:///" by default (LDAP over TCP on all interfaces on default LDAP port).
The default ldap:// port is 389 and the default ldaps:// port is 636.
Required if configuring N-Way Multi-Master replication
by LDAP_REPLICATION_HOSTS.
This environment variable specifies the PEM-format file containing certificates for the CA's that slapd will trust.
The certificate for the CA that signed the server certificate must be included among these certificates. If the
signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the
top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.
Default value is /etc/certs/cacert.pem.
This environment variable specifies the file that contains the slapd server certificate. The DN of a server certificate
shall use the CN attribute to name the server, and the CN shall carry the server's fully qualified domain name.
Additional alias names and wildcards may be present in the subjectAltName certificate extension. Default value is
/etc/certs/cert.pem.
This environment variable specifies the file that contains the private key that matches the certificate stored in the
LDAP_TLS_CERT file. Default value is /etc/certs/key.pem.
This environment variable specifies what checks to perform on client certificates in an incoming TLS session, if any.
This option is set to never by default, in which case the server never asks the client for a certificate. With a
setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally.
If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds
normally, as if no certificate had been provided. With a setting of try the certificate is requested, and if none is
provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is
immediately terminated. With a setting of demand the certificate is requested and a valid certificate must be
provided, otherwise the session is immediately terminated.
This environment variable specifies what checks to perform on server certificates. Only effective with LDAP
replication over TLS (e.g. LDAP_REPLICATION_HOSTS=ldaps://ldap1/ ldaps://ldap2/). This option is set to never
by default, to disable the verification that the CN of the received server certificate match its host name - otherwise
replication over TLS with the provided default server certificate will not work.
This environment variable specifies a space separated list of LDAP URLs to activate N-Way Multi-Master replication. The list must contain the own container host name. Other host names of other servers must be resolvable by the container. The order of LDAP URLs must be the same for each server.
After startup you have to invoke
docker exec <ldap-container-name> prepare-replication
on each container, before actual activating the replication by
docker exec <ldap-container-name> enable-replication
on each container.
This environment variable specifies parameters used for
N-Way Multi-Master replication
activated by LDAP_REPLICATION_HOSTS. Default value is
binddn="cn=admin,$LDAP_BASE_DN" \
bindmethod=simple \
credentials=$LDAP_ROOTPASS \
searchbase="$LDAP_BASE_DN" \
type=refreshOnly \
interval=00:00:00:10 \
retry="5 5 300 +" \
timeout=1
Created user with password user with assigned Realm Role specified by AUTH_USER_ROLE,
to access the UI and RESTful services of the Archive (optional, default is user).
Created user role required to access the UI and RESTful services of the Archive (optional, default is user).
Created user with password admin with assigned Realm Roles specified by AUTH_USER_ROLE and
SUPER_USER_ROLE, to access the UI without verification of user permissions (optional, default is admin).
User role to identify super users, which have unrestricted access to all UI functions of the Archive, bypassing the
verification of user permissions (optional, default is admin).
Name of the archive device. Default value is dcm4chee-arc.
Name of the Web Application associated with the archive device. Default value is dcm4chee-arc.
Title of the primary Application Entity configured to hide instances rejected for Quality Reasons.
Default value is DCM4CHEE.
Title of the Application Entity configured to show instances rejected for Quality Reasons.
Default value is IOCM_REGULAR_USE.
Title of the Application Entity configured to only show instances rejected for Quality Reasons.
Default value is IOCM_QUALITY.
Title of the Application Entity configured to only show instances rejected for Patient Safety Reasons.
Default value is IOCM_PAT_SAFETY.
Title of the Application Entity configured to only show instances rejected for Incorrect Modality Worklist Entry.
Default value is IOCM_WRONG_MWL.
Title of the Application Entity configured to only show instances rejected for Data Retention Expired.
Default value is IOCM_EXPIRED.
Title of the Application Entity configured to retrieve instances as received.
Default value is AS_RECEIVED.
Hostname of the archive device. You have to specify the hostname of the docker host on which the Archive
container is deployed, if the LDAP configuration is used by other applications to determine the hostname and DICOM and/or
HL7 port to initiate TCP connections to the Archive. Default value is 127.0.0.1.
Port number on which the Archive is listening for DICOM connections. Default value is 11112.
Port number on which the Archive is listening for DICOM TLS connections. Default value is 2762.
Port number on which the HL7 receiver of the Archive is listening. Default value is 2575.
Port number on which the HL7 TLS receiver of the Archive is listening. Default value is 12575.
Path to the directory - inside of the Archive container - where the Archive stores received DICOM objects.
Default value is /opt/wildfly/standalone/data/fs1.
Device name of the audit record repository. The archive device emits audit messages to this device if
audit logging is enabled. Default value is logstash.
Hostname of the audit record repository. You have to specify either the hostname of the docker host on which
the Logstash container is deployed or - if the Archive container and the Logstash container are attached to the same
network - the container name of the Logstash container. With default value 127.0.0.1, audit logging is effectively
disabled.
Port number on which the audit record repository is listening. Default value is 514.
Protocol used to emit audit messages to the audit record repository. Enumerated values: UDP or TCP.
Default value is UDP.
Pre-configured syslog-tls port of the audit record repository. Default value is 6514.
Device name of the Keycloak Authentication Server. It specifies the emission of audit messages for
authentication events. Default value is keycloak.
Device name of the Keycloak Authentication Server. It specifies the emission of audit messages for
authentication events. Default value is 127.0.0.1.
Name of the device referenced in default scheduled station configured in the archive device which is used as
a fallback option for populating the Scheduled Station AE title in the Modality Worklist attributes when HL7 order messages
are received by the archive. Default value is scheduledstation.
Application Entity title of the device referenced in default scheduled station configured in the archive device which is used as
a fallback option for populating the Scheduled Station AE title in the Modality Worklist attributes when HL7 order messages
are received by the archive. Default value is SCHEDULEDSTATION.
URL to launch external Image Display for a Patient. {{patientID}} will be replaced by the Patient ID formatted as
HL7 CX data type. & has to be escaped by \&.
E.g.: http(s)://<viewer-host>:<viewer-port>/IHEInvokeImageDisplay?requestType=PATIENT\&patientID={{patientID}}.
URL to launch external Image Display for a Study. {{studyUID}} will be replaced by the Study Instance UID.
& has to be escaped by \&.
E.g.: http(s)://<viewer-host>:<viewer-port>/IHEInvokeImageDisplay?requestType=STUDY\&studyUID={{studyUID}}.
Window/target name applied to Invoke Image Display URL to launch external Image Display for a Patient or Study.
Use _self to suppress opening a new window.
Skip the default initial configuration (required by archive device) at first LDAP startup. Default value is false.
Space separated list of LDIF files to be imported at first LDAP startup initializing configuration.
Relative file paths are resolved against /etc/openldap/data/.
default-config.ldif add-vendor-data.ldif default-ui-config.ldif by default.
Not effective if SKIP_INIT_CONFIG=true.
Space separated list of LDIF files to be imported at first LDAP startup initializing Keycloak User Federation.
Relative file paths are resolved against /etc/openldap/data/.
default-users.ldif by default.
Not effective if SKIP_INIT_CONFIG=true.
Space separated LDIF files to be imported verbatim at first LDAP startup. May be used together with
SKIP_INIT_CONFIG=true to initialize LDAP from customized or backed-up LDIF file(s) instead of using
the default initial configuration.
Space separated paths to directories or ZIP files merged with default vendor data, effective on first LDAP startup,
invoke of update-data <version> or replace-vendor-data.