Skip to content
This repository has been archived by the owner on Sep 27, 2020. It is now read-only.
/ docker-openldap Public archive
forked from tiredofit/docker-openldap

Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbix Monitoring based on Alpine

License

MIT license
0 stars 48 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

frznvm0/docker-openldap

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

94 Commits
.github
.github
 
 
examples
examples
 
 
install
install
 
 
zabbix_templates
zabbix_templates
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

hub.docker.com/r/tiredofit/openldap

Build Status Docker Pulls Docker Stars Docker Layers

Introduction

This as a Dockerfile to build a OpenLDAP server for maintaining a directory. Upon starting this image it will give you a ready to run server with many configurable options.

  • Tracks latest release

  • Compiles from source

  • Multiple backends (bdb, hdb, mdb, sql)

  • All overlays compiled

  • Supports TLS encryption

  • Supports Replication

  • Scheduled Backups of Data

  • Ability to choose NIS or rfc2307bis Schema

  • Additional Password Modules (Argon, SHA2, PBKDF2)

  • Two Password Checking Modules - check_password.so and ppm.so

  • Zabbix Monitoring templates included

  • This Container uses a customized Alpine Linux base which includes s6 overlay enabled for PID 1 Init capabilities, zabbix-agent for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, mariadb-client, nano, vim) for easier management. It also supports sending to external SMTP servers..

Changelog

Authors

Table of Contents

Prerequisites

This image has the capability to take advantage of getting TLS certificates autogenerated via the jwilder/nginx-proxy and the Let's Encrypt Proxy Companion @ https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion. However, it will run just fine on it's own without it.

Dependencies

None.

Installation

Automated builds of the image are available on Docker Hub and is the recommended method of installation.

docker pull tiredofit/openldap

Quick Start

Start openldap using:

docker-compose up

NOTE: Please allow up to 2 minutes for the application to start for the first time if you are generating self signed TLS certificates.

Configuration

Data-Volumes

The following directories are used for configuration and can be mapped for persistent storage.

Directory Description
/var/lib/openldap Data Directory
/etc/openldap/slapd.d Configuration Directory
/assets/custom-scripts/ If you'd like to execute a script during the initialization process drop it here (Useful for using this image as a base)
/certs/ Drop TLS Certificates here (or use your own path)
/data/backup Backup Directory

Environment Varables

Along with the Environment Variables from the Base image, below is the complete list of available options that can be used to customize your installation.

Required for new setup

Variable Description Default
DOMAIN LDAP domain. example.org
BASE_DN LDAP base DN. If empty automatically set from DOMAIN value. (empty)
ADMIN_PASS Ldap Admin password. admin
CONFIG_PASS Ldap Config password. config
ORGANIZATION Organization Name Example Organization
ENABLE_READONLY_USER Add a read only/Simple Security Object/DSA false
READONLY_USER_USER Read only user username. readonly
READONLY_USER_PASS Read only user password. readonly
SCHEMA_TYPE Use nis or rfc2307bis core schema. nis

Logging Options

Variable Description Default
LOG_FILE Filename for logging openldap.log
LOG_LEVEL Set LDAP Log Level 256
LOG_PATH Path for Logs /logs/
LOG_TYPE Output to CONSOLE or FILE CONSOLE

Backup Options:

Parameter Description
ENABLE_BACKUP Enable Backup System
BACKUP_LOCATION Backup to FILESYSTEM or S3 compatible services like S3, Minio, Wasabi
BACKUP_COMPRESSION Use either Gzip GZ, Bzip2 BZ, XZip XZ, ZSTD ZSTD or none NONE
BACKUP_COMPRESSION_LEVEL Numberical value of what level of compression to use, most allow 1 to 9 except for ZSTD which allows for 1 to 19
BACKUP_INTERVAL How often to do a dump, in minutes. Defaults to 1440 minutes, or once per day.
BACKUP_BEGIN What time to do the first dump. Defaults to immediate. Must be in one of two formats
Absolute HHMM, e.g. 2330 or 0415
Relative +MM, i.e. how many minutes after starting the container, e.g. +0 (immediate), +10 (in 10 minutes), or +90 in an hour and a half
BACKUP_RETENTION Value in minutes to delete old backups (only fired when dump freqency fires). 1440 would delete anything above 1 day old. You don't need to set this variable if you want to hold onto everything.
BACKUP_MD5 Generate MD5 Sum in Directory, TRUE or FALSE
BACKUP_PARALLEL_COMPRESSION Use multiple cores when compressing backups TRUE or FALSE
BACKUP_PATH Filesystem path on where to place backups
Backing Up to S3 Compatible Services

If BACKUP_LOCATION = S3 then the following options are used.

Parameter Description
BACKUP_S3_BUCKET S3 Bucket name e.g. 'mybucket'
BACKUP_S3_HOSTNAME Hostname of S3 Server e.g "s3.amazonaws.com" - You can also include a port if necessary
BACKUP_S3_KEY_ID S3 Key ID
BACKUP_S3_KEY_SECRET S3 Key Secret
BACKUP_S3_PATH S3 Pathname to save to e.g. 'backup'
BACKUP_S3_PROTOCOL Use either http or https to access service
BACKUP_S3_URI_STYLE Choose either VIRTUALHOST or PATH style

Password Policy Options

If you already have a check_password.conf or ppm.conf in /etc/openldap/ the following environment variables will not be applied

Variable Description Default
ENABLE_PPOLICY Enable PPolicy Module utilization TRUE
PPOLICY_CHECK_RDN Check RDN Parameter (ppm.so) 0
PPOLICY_FORBIDDEN_CHARACTERS Forbidden Characters (ppm.so) ``
PPOLICY_MAX_CONSEC Maximum Consective Character Pattern 0
PPOLICY_MIN_DIGIT Minimum Digit Characters 0
PPOLICY_MIN_LOWER Minimum Lowercase Characters 0
PPOLICY_MIN_POINTS Minimum Points required to pass checker 3
PPOLICY_MIN_PUNCT Minimum Punctuation Characters 0
PPOLICY_MIN_UPPER Minimum Uppercase Characters 0
PPOLICY_USE_CRACKLIB Use Cracklib for verifying words (ppm.so) 1

TLS options

Variable Description Default
ENABLE_TLS Add TLS capabilities. Can't be removed once set to TRUE. true
TLS_CA_NAME Selfsigned CA Name ldap-selfsigned-ca
TLS_CA_SUBJECT Selfsigned CA Subject /C=XX/ST=LDAP/L=LDAP/O=LDAP/CN=
TLS_CA_CRT_SUBJECT SelfSigned CA Cert Sujbject ${TLS_CA_SUBJECT}${TLS_CA_NAME}
TLS_CA_CRT_FILENAME CA Cert filename ${TLS_CA_AME}.crt
TLS_CA_KEY_FILENAME CA Key filename ${TLS_CA_NAME}.key
TLS_CA_CRT_PATH CA Certificates path /certs/${TLS_CA_NAME}/
TLS_CIPHER_SUITE Cipher Suite to use ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:-DHE-DSS:-RSA:!aNULL:!MD5:!DSS:!SHA
TLS_CREATE_CA Automatically create CA when generating certificates TRUE
TLS_CRT_FILENAME TLS cert filename cert.pem
TLS_CRT_PATH TLS cert path /certs/
TLS_DH_PARAM_FILENAME DH Param filename dhparam.pem
TLS_DH_PARAM_KEYSIZE Keysize for DH Param 2048
TLS_DH_PARAM_PATH DH Param path /certs/
TLS_ENFORCE Enforce TLS Usage FALSE
TLS_KEY_FILENAME TLS Key filename key.pem
TLS_KEY_PATH TLS Key path /certs/
TLS_RESET_PERMISSIONS Change permissions on certificate directories for OpenLDAP to read TRUE
TLS_VERIFY_CLIENT TLS verify client. try 
Help: http://www.openldap.org/doc/admin24/tls.html

Replication options

Variable Description Default
ENABLE_REPLICATION Add replication capabilities. Multimaster only at present. false
REPLICATION_CONFIG_SYNCPROV olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on REPLICATION_HOSTS. binddn="cn=admin,cn=config" bindmethod=simple credentials=$CONFIG_PASS searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
REPLICATION_DB_SYNCPROV olcSyncRepl options used for the database. Without rid and provider which are automatically added based on REPLICATION_HOSTS. binddn="cn=admin,$BASE_DN" bindmethod=simple credentials=$ADMIN_PASS searchbase="$BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
REPLICATION_HOSTS list of replication hosts seperated by a space, must contain the current container hostname set by --hostname on docker run command. If replicating all hosts must be set in the same order. Example - ldap://ldap1.example.com ldap://ldap2.example.com ldap://ldap3.example.com

Other environment variables

Variable Description Default
CONFIG_PATH Configuration files path /etc/openldap
DB_PATH Data Files path /var/lib/openldap
REMOVE_CONFIG_AFTER_SETUP Delete config folder after setup. true
SLAPD_ARGS If you want to override slapd runtime arguments place here . Default (null)
SLAPD_HOSTS Allow overriding the default listen parameters ldap://$HOSTNAME ldaps://$HOSTNAME ldapi:///
ULIMIT_N Set Open File Descriptor Limit 1024

Networking

The following ports are exposed and available to public interfaces

Port Description
389 LDAP
636 TLS Encrypted LDAP

Maintenance

Shell Access

For debugging and maintenance purposes you may want access the containers shell.

docker exec -it openldap bash

References

About

Docker OpenLDAP Container w/TLS & Replication Support S6 Overlay, and Zabbix Monitoring based on Alpine

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

31 tags

Packages

No packages published

Languages

  • Dockerfile 55.8%
  • Shell 44.2%