rpm/opensuse-openldap-image
SHA256
1
0
Fork 0
forked from pool/opensuse-openldap-image
Code Pull Requests Activity
c3f4e3b9c5
opensuse-openldap-image/README.md
Thorsten Kukuk 64eb4787a0 Accepting request 857864 from home:kukuk:container 
- Install misc.schema by default (ldap mail alias)

- Fix error caused by uninitialized DEBUG variable

OBS-URL: https://build.opensuse.org/request/show/857864
OBS-URL: https://build.opensuse.org/package/show/devel:kubic:containers/opensuse-openldap-image?expand=0&rev=7
2020-12-21 15:30:28 +00:00

159 lines
6.8 KiB
Markdown
Raw Blame History

# OpenLDAP container
- [Guide](#guide)
- [Create new ldap server](#create-new-ldap-server)
- [Data persistence](#data-persistence)
- [Server configuration](#server-configuration)
- [Seed ldap database with ldif](#seed-ldap-database-with-ldif)
- [TLS](#tls)
- [Auto-generated certificate](#auto-generated-certificate)
- [Own certificate](#own-certificate)
- [Disable TLS](#disable-tls)
- [Supported environment variables](#supported-environment-variables)
- [Generic variables](#generic-variables)
- [Variables for new database](#variables-for-new-database)
- [Variables for TLS](#variables-for-tls)
- [Various configuration variables](#various-configuration-variables)
- [Data persistence volumes](#data-persistence-volumes)
## Guide
### Create new ldap server
This is the default behavior when you run this image.
It will create an empty ldap for the company **Example Inc.** and the domain **example.org**.
Two passwords are required to startup the container:
- `LDAP_ADMIN_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org`
- `LDAP_CONFIG_PASSWORD` Ldap admin password for `cn=admin,dc=example,dc=org`
The command to run this container is:
```sh
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
```
To test the container a LDAP search could be issued:
```sh
podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org"
```
In all examples, `podman` can be replaced directly with `docker`.
### Data persistence
The directories `/var/lib/ldap` (LDAP database files) and
`/etc/openldap/slapd.d` (LDAP config files) are used to store the schema and
data information. They will be re-created at every container startup if they
are not mapped as volumes, means your ldap files are saved outside the
container. Normally this data should be stored, but for various use-cases it
could be usefull to throw them away afterwards.
If the UID and GID of the ldap user needs to match in the container and in the
host, the `LDAP_UID` and `LDAP_GID` environment variables needs to be set
explicitly:
```sh
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
```
### Server configuration
Since slapd.conf is not used the ldap utils `ldapmodify`, `ldapadd` and
`ldapdelete` are required to adjust the server configuration.
### Seed ldap database with ldif
This image can load ldif and schema files at startup from an internal
path. This is useful if a continuous integration service mounts automatically
the working copy (sources) into a docker service, which has a relation to the
ci job.
In order to seed ldif or schema files from internal path you must set the
specific environment variable `LDAP_SEED_LDIF_PATH` and/or
`LDAP_SEED_SCHEMA_PATH`. If set this will copy any *.ldif or *.schema file
into the default seeding directories of this image.
## TLS
### Auto-generated certificate
TLS is be default configured and enabled. If no certificate is provided, a
self-signed one is created during container startup for the container
hostname. The container hostname can be set e.g. by
`podman run --hostname ldap.example.org ...`
### Own certificate
You can set your custom certificate at run time, by mounting a volume with the
certificates into the container and adjusting the following environment variables:
```sh
podman run -v /srv/openldap/certs:/etc/openldap/certs:Z \
-e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \
-e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \
-e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \
-d registry.opensuse.org/opensuse/openldap:latest
```
The variables `LDAP_TLS_CA_CRT`, `LDAP_TLS_CRT` and `LDAP_TLS_KEY` are stored
during the first start of the container in the LDAP configuration. Changes to
the variables on further starts will have no affect.
An example with certificates from `Let's Encrypt`:
```sh
podman run -v /etc/letsencrypt:/etc/letsencrypt \
-e LDAP_TLS_CRT=/etc/letsencrypt/live/example.org/cert.pem \
-e LDAP_TLS_KEY=/etc/letsencrypt/live/example.org/privkey.pem \
-e LDAP_TLS_CA_CRT=/etc/letsencrypt/live/example.org/fullchain.pem \
-d registry.opensuse.org/opensuse/openldap:latest
```
### Disable TLS
Add --env LDAP_TLS=0 to the run command: `podman run -e LDAP_TLS=0 ...`
## Supported environment variables:
### Generic variables:
- `DEBUG=[0|1]` Enables "set -x" in the entrypoint script
- `TZ` Timezone to use in the container
### Variables for new database:
- `LDAP_DOMAIN` Ldap domain. Defaults to `example.org`
- `LDAP_BASE_DN` Ldap base DN. If empty automatically set from `LDAP_DOMAIN` value. Defaults to (`empty`)
- `LDAP_ORGANIZATION` Organization name. Defaults to `Example Inc.`
- `LDAP_ADMIN_PASSWORD` Ldap admin password. It's required to supply one if no database exists at startup.
- `LDAP_CONFIG_PASSWORD` Ldap config password. It's required to supply one if no database exists at startup.
- `LDAP_BACKEND` Database backend, defaults to `mdb`
- `LDAP_SEED_LDIF_PATH` Path with additional ldif files which will be loaded
- `LDAP_SEED_SCHEMA_PATH` Path with additional schema which will be loaded
### Variables for TLS:
- `LDAP_TLS=[1|0]` Enable TLS. Defaults to `1` (true).
- `LDAP_TLS_CA_CRT` LDAP ssl CA certificate. Defaults to `/etc/openldap/certs/openldap-ca.crt`.
- `LDAP_TLS_CA_KEY` Private LDAP CA key. Defaults to `/etc/openldap/certs/openldap-ca.key`.
- `LDAP_TLS_CRT` LDAP ssl certificate. Defaults to `/etc/openldap/certs/tls.crt`.
- `LDAP_TLS_KEY` Private LDAP ssl key. Defaults to `/etc/openldap/certs/tls.key`.
- `LDAP_TLS_DH_PARAM` LDAP ssl certificate dh param file.
- `LDAP_TLS_ENFORCE=[0|1]` Enforce TLS but except ldapi connections. Defaults to `0` (false).
- `LDAP_TLS_CIPHER_SUITE` TLS cipher suite.
- `LDAP_TLS_VERIFY_CLIENT` TLS verify client. Defaults to `demand`.
### Various configuration variables:
- `LDAP_NOFILE` Number of open files (ulimt -n), default `1024`
- `LDAP_PORT` Port for ldap:///, defaults to `389`
- `LDAPS_PORT` Port for ldaps:///, defaults to `636`
- `LDAPI_URL` Ldapi url, defaults to `ldapi:///run/slapd/ldapi`
- `LDAP_UID` UID of ldap user. All LDAP related files will be changed to this UID
- `LDAP_GID` GID of ldap group. All LDAP related files will be changed to this GID
- `LDAP_BACKEND` Database backend, defaults to `mdb`
- `SLAPD_LOG_LEVEL` Slapd debug devel, defaults to `0`
- `SETUP_FOR_MAILSERVER` The mail organization will be created (ldif/mailserver/), defaults to `0`
## Data persistence volumes
- `/etc/openldap/certs` TLS certificates for slapd
- `/etc/openldap/slapd.d` Slapd configuration files
- `/var/lib/ldap` OpenLDAP database
View Git Blame Copy Permalink