hub.docker.com/r/tiredofit/openldap

Introduction

This as a Dockerfile to build a OpenLDAP server for maintaining a directory. Upon starting this image it will give you a ready to run server with many configurable options.

Tracks latest release
Compiles from source
Multiple backends (bdb, hdb, mdb, sql)
All overlays compiled
Supports TLS encryption
Supports Replication
Optional Web Server included to take advantage of Let's Encrypt certificates
Scheduled Backups of Data
Ability to choose NIS or rfc2307bis Schema
Two Password Checking Modules - check_password.so and ppm.so
Zabbix Monitoring templates included
This Container uses a customized Alpine Linux base which includes s6 overlay enabled for PID 1 Init capabilities, zabbix-agent for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers..

Changelog

Authors

Dave Conroy

Introduction
- Changelog
Prerequisites
Dependencies
Installation
Quick Start
Configuration
Maintenance
- Shell Access
References

Prerequisites

This image has the capability to take advantage of getting TLS certificates autogenerated via the jwilder/nginx-proxy and the Let's Encrypt Proxy Companion @ https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion. However, it will run just fine on it's own without it.

Dependencies

None.

Installation

Automated builds of the image are available on Docker Hub and is the recommended method of installation.

docker pull tiredofit/openldap

Quick Start

The quickest way to get started is using docker-compose. See the examples folder for a working docker-compose.yml that can be modified for development or production use.
Set various environment variables to understand the capabilities of this image.
Map persistent storage for access to configuration and data files for backup.
Map Network Ports to allow external access.

Start openldap using:

docker-compose up

NOTE: Please allow up to 2 minutes for the application to start for the first time if you are generating self signed TLS certificates.

Data-Volumes

The following directories are used for configuration and can be mapped for persistent storage.

Directory	Description
`/var/lib/openldap`	Data Directory
`/etc/openldap/slapd.d`	Configuration Directory
`/assets/custom-scripts/`	If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base)
`/assets/slapd/certs/`	Drop TLS Certificates here (or use your own path)
`/data/backup`	Backup Directory
`/www/html`	If you want to put a landing page if using Nginx for LetsEncrypt SSL Place it here

Environment Variables

Along with the Environment Variables from the Base image, below is the complete list of available options that can be used to customize your installation.

Required and used for new ldap server only:

Variable	Description
`DOMAIN`	LDAP domain. Default `example.org`
`BASE_DN`	LDAP base DN. If empty automatically set from `DOMAIN` value. Default (empty)
`ADMIN_PASS`	Ldap Admin password. Default `admin`
`CONFIG_PASS`	Ldap Config password. Default `config`
`ORGANIZATION`	Organization Name Default: `Example Organization`
`ENABLE_READONLY_USER`	Add a read only user. Default`false`
`READONLY_USER_USER`	Read only user username. Default `readonly`
`READONLY_USER_PASS`	Read only user password. Default `readonly`
`SCHEMA_TYPE`	Use `nis` or `rfc2307bis` core schema. Default `nis`

Variable	Description
`BACKEND`	Ldap backend. `bdb` `hdb` `mdb` and others. Default `mdb`
`LOG_LEVEL`	Set LDAP Log Level - Default `256`
`ULIMIT_N`	Set Open File Descriptor Limit - Default `1024`

Backup Options:

Variable	Description
`BACKUP_CONFIG_CRON_PERIOD`	Cron expression to schedule OpenLDAP config backup. Defaults `0 4 * * *` Every day at 4am.
`BACKUP_DATA_CRON_PERIOD`	Cron expression to schedule OpenLDAP data backup. Defaults `0 4 * * *` Every day at 4am.
`BACKUP_TTL`	Automatically cleanup backup after how many days. Default `15`

Password Policy Options:

If you already have a check_password.conf or ppm.conf in /etc/openldap/ the following environment variables will not be applied

Variable	Description
`PPOLICY_CHECK_RDN`	Check RDN Parameter (ppm.so) - Default `0`
`PPOLICY_FORBIDDEN_CHARACTERS`	Forbidden Characters (ppm.so) - Default ``
`PPOLICY_MAX_CONSEC`	Maximum Consective Character Pattern - Default `0`
`PPOLICY_MIN_DIGIT`	Minimum Digit Characters - Default `0`
`PPOLICY_MIN_LOWER`	Minimum Lowercase Characters - Default `0`
`PPOLICY_MIN_POINTS`	Minimum Points required to pass checker - Default `3`
`PPOLICY_MIN_PUNCT`	Minimum Punctuation Characters - Default `0`
`PPOLICY_MIN_UPPER`	Minimum Uppercase Characters - Default `0`
`PPOLICY_USE_CRACKLIB`	Use Cracklib for verifying words (ppm.so) - Default `1`

TLS options:

Variable	Description
`ENABLE_TLS`	Add TLS capabilities. Can't be removed once set to `true`. Defaults `true`
`TLS_CA_CRT_FILENAME`	TLS CA certificate filename. Default `ca.pem`
`TLS_CA_CRT_PATH`	TLS CA certificate path. Default `/assets/slapd/certs`
`TLS_CIPHER_SUITE`	TLS cipher suite. Default `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA`
`TLS_CRT_FILENAME`	TLS certificate filename. Default `cert.pem`
`TLS_CRT_PATH`	TLS certificate path. Default `/assets/slapd/certs`
`TLS_DH_PARAM_FILENAME`	TLS DHParam Filename. Default `dhparam.pem`
`TLS_DH_PARAM_KEYSIZE`	TLS DHParam Keysize. Default `2048`
`TLS_DH_PARAM_PATH`	TLS DHParam path. Default `/assets/slapd/certs`
`TLS_ENFORCE`	Enforce TLS. Can't be disabled once set to `true`. Defaults `false`
`TLS_KEY_FILENAME`	TLS certificate private key filename. Default `key.pem`
`TLS_KEY_PATH`	TLS certificate private key path. Default `/assets/slapd/certs`
`TLS_RESET_PERMISSIONS`	Change ownership and reset permissions on Certificates on startup. Default `TRUE`
`TLS_VERIFY_CLIENT`	TLS verify client. Default `try`

Help: http://www.openldap.org/doc/admin24/tls.html

Replication options:

Variable	Description
`ENABLE_REPLICATION`	Add replication capabilities. Multimaster only at present. Default `false`
`REPLICATION_CONFIG_SYNCPROV`	olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`. Default `binddn="cn=admin,cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical`
`REPLICATION_DB_SYNCPROV`	olcSyncRepl options used for the database. Without rid and provider which are automatically added based on `REPLICATION_HOSTS`. Default `binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$ADMIN_PASS searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical`
`REPLICATION_HOSTS`	list of replication hosts seperated by a space, must contain the current container hostname set by --hostname on docker run command. If replicating all hosts must be set in the same order. Example - `ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com`

Other environment variables:

Variable	Description
`ENABLE_NGINX`	If you want to use automatic LetsEncrypt certificates for your server, set this to `true`
`REMOVE_CONFIG_AFTER_SETUP`	Delete config folder after setup. Default `true`
`SLAPD_ARGS`	If you want to override slapd runtime arguments place here . Default (null)
`SLAPD_HOSTS`	Allow overriding the default listen parameters - Default `ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///`
`SSL_HELPER_PREFIX`	Ssl-helper environment variables prefix. Default `ldap`, ssl-helper first search config from `SSL_HELPER_` variables, before `SSL_HELPER_` variables.

Networking

The following ports are exposed and available to public interfaces

Port	Description
`80`	Nginx - For Automatic LetsEncrypt Certficates
`389`	Unecrypted LDAP
`636`	TLS Encrypted LDAP

Maintenance

Shell Access

For debugging and maintenance purposes you may want access the containers shell.

docker exec -it openldap bash

References

https://openldap.org

moqmar / docker-openldap