Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/1195667 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/opensuse-openldap-image?expand=0&rev=9
OpenLDAP container
Guide
Create new ldap server
This is the default behavior when you run this image. It creates an empty LDAP directory for the company Example Inc. and the domain example.org.
Two passwords are required to startup the container:
LDAP_ADMIN_PASSWORD: LDAP admin password for cn=admin,dc=example,dc=org
LDAP_CONFIG_PASSWORD: LDAP admin password for cn=admin,dc=example,dc=org
The command to run this container is:
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
To test the container, an LDAP search can be issued:
podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org"
In all examples, podman can be replaced directly with docker.
Data persistence
The directories /var/lib/ldap (LDAP database files) and /etc/openldap/slapd.d (LDAP config files) hold the schema and the data. They are re-created at every container startup unless they are mapped as volumes, which keeps your LDAP files outside the container. Normally this data should be kept, but for some use cases it can be useful to throw it away afterwards.
If the UID and GID of the ldap user need to match between the container and the host, the LDAP_UID and LDAP_GID environment variables need to be set explicitly:
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
Server configuration
Since slapd.conf is not used, the LDAP utilities ldapmodify, ldapadd and ldapdelete are required to adjust the server configuration.
Seed ldap database with ldif
This image can load LDIF and schema files at startup from an internal path. This is useful when a continuous integration service automatically mounts the working copy (the sources) into a docker service that belongs to the CI job.
To seed LDIF or schema files from an internal path, set the environment variable LDAP_SEED_LDIF_PATH and/or LDAP_SEED_SCHEMA_PATH. If set, any *.ldif or *.schema file found there is copied into the default seeding directories of this image.
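The two sections above (persistent volumes with LDAP_UID/LDAP_GID, and seeding from LDAP_SEED_LDIF_PATH) can be prepared on the host before the first start. The script below is an added example and not part of the image or its documentation: it creates the host directories, writes a small seed LDIF, checks that every entry in it lies under the base DN (entries outside the suffix are rejected by slapd at seed time, which is easier to catch before the container starts), and prints the matching podman command. The host directory /tmp/openldap-demo, the mount point /seed inside the container and the user entry are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the image: prepare persistent host directories
# and a seed LDIF for the container, check the LDIF against the base DN
# before the first start, and print the matching podman command line.
# The directory, the /seed mount point and the user entry are constructed.
set -e

# prepare_volumes DIR UID GID
#   Creates the directories the image persists into. They must be owned by
#   the UID/GID passed as LDAP_UID/LDAP_GID, which needs root on the host;
#   without root the chown is reported and skipped.
prepare_volumes() {
    base=$1; uid=$2; gid=$3
    mkdir -p "$base/data" "$base/config" "$base/seed"
    chown -R "$uid:$gid" "$base/data" "$base/config" 2>/dev/null \
        || echo "note: run as root to chown $base to $uid:$gid" >&2
}

# write_seed_ldif FILE BASE_DN
#   Writes a people OU and one user entry below BASE_DN (constructed data).
write_seed_ldif() {
    cat > "$1" <<EOF
dn: ou=people,$2
objectClass: organizationalUnit
ou: people

dn: uid=jdoe,ou=people,$2
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
EOF
}

# check_ldif_suffix FILE BASE_DN
#   Returns 1 and names the offending DN if any entry lies outside BASE_DN.
check_ldif_suffix() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "dn: "*)
                dn=${line#dn: }
                case "$dn" in
                    "$2"|*",$2") ;;
                    *) echo "entry outside base DN: $dn" >&2; rc=1 ;;
                esac ;;
        esac
    done < "$1"
    return $rc
}

# run_command BASE UID GID
#   Prints the podman invocation with both state directories mounted and the
#   seed directory passed through LDAP_SEED_LDIF_PATH. The passwords are
#   passed through from the caller's environment (-e VAR without a value)
#   instead of being written on the command line.
run_command() {
    printf 'podman run -d --name openldap -p 389:389 -p 636:636 \\\n'
    printf '  -v %s/data:/var/lib/ldap:Z -v %s/config:/etc/openldap/slapd.d:Z \\\n' "$1" "$1"
    printf '  -v %s/seed:/seed:Z -e LDAP_SEED_LDIF_PATH=/seed \\\n' "$1"
    printf '  -e LDAP_UID=%s -e LDAP_GID=%s \\\n' "$2" "$3"
    printf '  -e LDAP_ADMIN_PASSWORD -e LDAP_CONFIG_PASSWORD \\\n'
    printf '  registry.opensuse.org/opensuse/openldap\n'
}

BASE=${OPENLDAP_BASE:-/tmp/openldap-demo}   # host directory, assumed
prepare_volumes "$BASE" 333 333
write_seed_ldif "$BASE/seed/10-people.ldif" "dc=example,dc=org"
check_ldif_suffix "$BASE/seed/10-people.ldif" "dc=example,dc=org"
run_command "$BASE" 333 333
```

Because LDAP_BASE_DN is derived from LDAP_DOMAIN when left empty, the suffix passed to check_ldif_suffix must be the one the container will actually use; with the defaults that is dc=example,dc=org.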
TLS
Auto-generated certificate
TLS is configured and enabled by default. If no certificate is provided, a self-signed one is created during container startup for the container hostname. The container hostname can be set e.g. by
podman run --hostname ldap.example.org ...
Own certificate
You can provide your own certificate at run time by mounting a volume with the certificates into the container and setting the following environment variables:
podman run -v /srv/openldap/certs:/etc/openldap/certs:Z \
-e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \
-e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \
-e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \
-d registry.opensuse.org/opensuse/openldap:latest
The values of LDAP_TLS_CA_CRT, LDAP_TLS_CRT and LDAP_TLS_KEY are stored in the LDAP configuration during the first start of the container. Changes to these variables on later starts have no effect.
An example with certificates from Let's Encrypt:
podman run -v /etc/letsencrypt:/etc/letsencrypt \
-e LDAP_TLS_CRT=/etc/letsencrypt/live/example.org/cert.pem \
-e LDAP_TLS_KEY=/etc/letsencrypt/live/example.org/privkey.pem \
-e LDAP_TLS_CA_CRT=/etc/letsencrypt/live/example.org/fullchain.pem \
-d registry.opensuse.org/opensuse/openldap:latest
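For the "Own certificate" case, the following script is an added example (not the image's own tooling) that issues a server certificate for the container hostname from a private CA with openssl, verifies the chain and the hostname before anything is mounted, and prints the podman command that passes the files through LDAP_TLS_CA_CRT, LDAP_TLS_CRT and LDAP_TLS_KEY. The directory /tmp/openldap-certs, the CA name and the hostname ldap.example.org are assumptions; since the TLS variables are only read on the first start, verifying the files beforehand avoids starting the container with a certificate that clients will reject.

```sh
#!/bin/sh
# Added example, not part of the image: issue a server certificate for the
# container hostname from a private CA, verify it the way a client would,
# and print the podman command line that mounts it. Directory, CA name and
# hostname are constructed for this example.
set -e

# make_ldap_certs DIR HOSTNAME
#   Writes ca.key, ca.crt, ldap.key and ldap.crt into DIR. The server
#   certificate carries HOSTNAME as CN and as a DNS subjectAltName, which
#   is what ldaps/STARTTLS clients match against.
make_ldap_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # private CA (self-signed); ca.key stays on the host, only ca.crt is mounted
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example LDAP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # server key and certificate request
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null
    # sign the request; the SAN comes from a temporary extension file so the
    # same commands work on OpenSSL 1.1.1 and 3.x
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/san.cnf"
    openssl x509 -req -sha256 -days 825 -in "$dir/ldap.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/ldap.crt" 2>/dev/null
    rm -f "$dir/ldap.csr" "$dir/san.cnf" "$dir/ca.srl"
    # slapd reads ldap.key as the ldap user (LDAP_UID/LDAP_GID): readable by
    # owner and group only; the CA key is owner-only and never mounted
    chmod 0600 "$dir/ca.key"
    chmod 0640 "$dir/ldap.key"
    chmod 0644 "$dir/ca.crt" "$dir/ldap.crt"
}

# verify_ldap_certs DIR HOSTNAME
#   Succeeds only if ldap.crt chains to ca.crt and is valid for HOSTNAME,
#   i.e. the check a client with ca.crt as trust anchor performs.
verify_ldap_certs() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/ldap.crt" \
        >/dev/null 2>&1
}

# run_command DIR HOSTNAME
#   Prints the podman invocation. Passwords are passed through from the
#   caller's environment (-e VAR without a value) rather than typed inline.
run_command() {
    printf 'podman run -d --name openldap --hostname %s -p 389:389 -p 636:636 \\\n' "$2"
    printf '  -v %s:/etc/openldap/certs:Z \\\n' "$1"
    printf '  -e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \\\n'
    printf '  -e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \\\n'
    printf '  -e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \\\n'
    printf '  -e LDAP_TLS_ENFORCE=1 -e LDAP_ADMIN_PASSWORD -e LDAP_CONFIG_PASSWORD \\\n'
    printf '  registry.opensuse.org/opensuse/openldap\n'
}

CERT_DIR=${CERT_DIR:-/tmp/openldap-certs}   # host directory, assumed
LDAP_HOST=${LDAP_HOST:-ldap.example.org}     # must match --hostname
make_ldap_certs "$CERT_DIR" "$LDAP_HOST"
verify_ldap_certs "$CERT_DIR" "$LDAP_HOST" && echo "certificate valid for $LDAP_HOST"
run_command "$CERT_DIR" "$LDAP_HOST"
```

The printed command sets LDAP_TLS_ENFORCE=1 (from the variable list below) so that only ldapi connections stay unencrypted; the group of ldap.key on the host has to correspond to the LDAP_GID the container runs with, otherwise slapd cannot read the key.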
Disable TLS
Add --env LDAP_TLS=0 to the run command: podman run -e LDAP_TLS=0 ...
Supported environment variables:
Generic variables:
DEBUG=[0|1]: Enables "set -x" in the entrypoint script
TZ: Timezone to use in the container
Variables for new database:
LDAP_DOMAIN: LDAP domain. Defaults to example.org
LDAP_BASE_DN: LDAP base DN. If empty, it is automatically set from the LDAP_DOMAIN value. Defaults to (empty)
LDAP_ORGANIZATION: Organization name. Defaults to Example Inc.
LDAP_ADMIN_PASSWORD: LDAP admin password. It is required to supply one if no database exists at startup.
LDAP_CONFIG_PASSWORD: LDAP config password. It is required to supply one if no database exists at startup.
LDAP_BACKEND: Database backend, defaults to mdb
LDAP_SEED_LDIF_PATH: Path with additional LDIF files which will be loaded
LDAP_SEED_SCHEMA_PATH: Path with additional schema files which will be loaded
Variables for TLS:
LDAP_TLS=[1|0]: Enable TLS. Defaults to 1 (true).
LDAP_TLS_CA_CRT: LDAP SSL CA certificate. Defaults to /etc/openldap/certs/openldap-ca.crt
LDAP_TLS_CA_KEY: Private LDAP CA key. Defaults to /etc/openldap/certs/openldap-ca.key
LDAP_TLS_CRT: LDAP SSL certificate. Defaults to /etc/openldap/certs/tls.crt
LDAP_TLS_KEY: Private LDAP SSL key. Defaults to /etc/openldap/certs/tls.key
LDAP_TLS_DH_PARAM: LDAP SSL certificate DH parameter file.
LDAP_TLS_ENFORCE=[0|1]: Enforce TLS for all connections except ldapi. Defaults to 0 (false).
LDAP_TLS_CIPHER_SUITE: TLS cipher suite.
LDAP_TLS_VERIFY_CLIENT: TLS verify client. Defaults to demand.
Various configuration variables:
LDAP_NOFILE: Number of open files (ulimit -n), defaults to 1024
LDAP_PORT: Port for ldap:///, defaults to 389
LDAPS_PORT: Port for ldaps:///, defaults to 636
LDAPI_URL: ldapi URL, defaults to ldapi:///run/slapd/ldapi
LDAP_UID: UID of the ldap user. All LDAP related files will be changed to this UID
LDAP_GID: GID of the ldap group. All LDAP related files will be changed to this GID
LDAP_BACKEND: Database backend, defaults to mdb
SLAPD_LOG_LEVEL: slapd debug level, defaults to 0
SETUP_FOR_MAILSERVER: The mail organization will be created (ldif/mailserver/), defaults to 0
Data persistence volumes
/etc/openldap/certs: TLS certificates for slapd
/etc/openldap/slapd.d: slapd configuration files
/var/lib/ldap: OpenLDAP database