
osixia/openldap


Latest release: 1.5.0 - OpenLDAP 2.4.57 - Changelog | Docker Hub

A docker image to run OpenLDAP.

OpenLDAP website : www.openldap.org

Contributing

If you find this image useful here's how you can help:

  • Send a pull request with your kickass new features and bug fixes
  • Help new users with issues they may encounter
  • Support the development of this image and star this repo !

Quick Start

Run OpenLDAP docker image:

docker run --name my-openldap-container --detach osixia/openldap:1.5.0

Do not forget to add the port mapping for port 389 (ldap) and port 636 (ldaps) if you want to reach the server from another machine. Note that -p 389:389 publishes the port on every host interface; if only local clients need it, bind it to the loopback address instead, e.g. -p 127.0.0.1:389:389.

docker run -p 389:389 -p 636:636 --name my-openldap-container --detach osixia/openldap:1.5.0

Either command starts a new container with OpenLDAP running inside. Let's make the first search in our LDAP container:

docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

This should output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

[...]

# numResponses: 3
# numEntries: 2

If you get the following error, OpenLDAP has not finished starting yet (the container is still running its startup steps). Wait a few seconds and retry:

	ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Beginner Guide

Create new ldap server

This is the default behavior when you run this image. It creates an empty directory for the organisation Example Inc. and the domain example.org (base DN dc=example,dc=org).

By default the admin password is admin and the config (cn=config) password is config. Change both before exposing the server to anything but a local test; all of these defaults can be changed on the docker command line, for example:

docker run \
	--env LDAP_ORGANISATION="My Company" \
	--env LDAP_DOMAIN="my-company.com" \
	--env LDAP_ADMIN_PASSWORD="JonSn0w" \
	--detach osixia/openldap:1.5.0

Data persistence

The directories /var/lib/ldap (LDAP database files) and /etc/ldap/slapd.d (LDAP config files) hold the schema and data, and should be mapped as volumes so that your ldap files are saved outside the container (see Use an existing ldap database). However, it can be useful not to use volumes when the image should be delivered complete with test data; this is especially useful when deriving other images from this one.

The default uid and gid used by the image may map to surprising counterparts in the host. If you need to match uid and gid in the container and in the host, you can use build parameters LDAP_OPENLDAP_UID and LDAP_OPENLDAP_GID to set uid and gid explicitly:

docker build \
	--build-arg LDAP_OPENLDAP_GID=1234 \
	--build-arg LDAP_OPENLDAP_UID=2345 \
	-t my_ldap_image .
docker run --name my_ldap_container -d my_ldap_image
docker exec my_ldap_container id openldap
# this should output uid=2345(openldap) gid=1234(openldap) groups=1234(openldap)

For more information about docker data volume, please refer to:

https://docs.docker.com/engine/tutorials/dockervolumes/

Firewall issues on RHEL/CentOS

Docker Engine doesn't work well with firewall-cmd and can cause issues if you're connecting to the LDAP server from another container on the same machine. You can fix this by running:

$ firewall-cmd --add-port=389/tcp --permanent
$ firewall-cmd --add-port=636/tcp --permanent
$ firewall-cmd --reload

Learn more about this issue at moby/moby#32138

Edit your server configuration

Do not edit slapd.conf: it is not used. To modify your server configuration use the ldap utils (ldapmodify / ldapadd / ldapdelete) against the cn=config database.

Seed ldap database with ldif

This image can load ldif files at startup with either ldapadd or ldapmodify. Mount .ldif files in the /container/service/slapd/assets/config/bootstrap/ldif directory if you want to overwrite the image's default bootstrap ldif files, or in /container/service/slapd/assets/config/bootstrap/ldif/custom (recommended) to extend the image config.

Files containing changeType: attributes will be loaded with ldapmodify.

The startup script provides some substitutions in bootstrap ldif files. The following substitutions are supported:

  • {{ LDAP_BASE_DN }}
  • {{ LDAP_BACKEND }}
  • {{ LDAP_DOMAIN }}
  • {{ LDAP_READONLY_USER_USERNAME }}
  • {{ LDAP_READONLY_USER_PASSWORD_ENCRYPTED }}

Other {{ * }} substitutions are left unchanged.

Since the startup script modifies the ldif files in place, add the --copy-service argument after the image name (it is passed to the entrypoint) if you don't want your mounted files to be overwritten. Bind mounts need an absolute host path, hence $(pwd) below.

# single file example:
docker run \
	--volume "$(pwd)/bootstrap.ldif":/container/service/slapd/assets/config/bootstrap/ldif/50-bootstrap.ldif \
	osixia/openldap:1.5.0 --copy-service

# directory example:
docker run \
	--volume "$(pwd)/ldif":/container/service/slapd/assets/config/bootstrap/ldif/custom \
	osixia/openldap:1.5.0 --copy-service
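As an added example (not code from the osixia/openldap repository), here is a custom bootstrap LDIF that relies on the {{ LDAP_BASE_DN }} and {{ LDAP_DOMAIN }} placeholders, together with a small preview helper. The helper applies the same substitutions locally with sed so you can check the rendered result before mounting the directory; it is an approximation written for this example, not the image's own startup code. LDIF_DIR is a hypothetical host directory meant to be mounted at /container/service/slapd/assets/config/bootstrap/ldif/custom.

```shell
#!/bin/sh
# Added example (not from the osixia/openldap repository): a custom bootstrap
# LDIF using the README's placeholders, plus a local preview of the
# substitution so mistakes are caught before the container's first start.
set -eu

# Hypothetical host directory to mount at .../bootstrap/ldif/custom
LDIF_DIR="${LDIF_DIR:-./ldif}"

# Write an OU tree, one posixAccount and one group. No userPassword is set
# here on purpose: set it after bootstrap with ldappasswd instead of
# committing a hash into a file that may end up in version control.
write_custom_ldif() {
  mkdir -p "$LDIF_DIR"
  cat > "$LDIF_DIR/10-people.ldif" <<'EOF'
dn: ou=people,{{ LDAP_BASE_DN }}
objectClass: organizationalUnit
ou: people

dn: ou=groups,{{ LDAP_BASE_DN }}
objectClass: organizationalUnit
ou: groups

dn: uid=alice,ou=people,{{ LDAP_BASE_DN }}
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
sn: Example
mail: alice@{{ LDAP_DOMAIN }}
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: cn=ldap-admins,ou=groups,{{ LDAP_BASE_DN }}
objectClass: groupOfNames
cn: ldap-admins
member: uid=alice,ou=people,{{ LDAP_BASE_DN }}
EOF
}

# Local approximation of the image's substitution step (plain sed, not the
# image's code): replaces the two placeholders used above and leaves any
# other {{ ... }} untouched, which is what the README says the image does.
render_preview() {
  base_dn="$1"; domain="$2"; file="$3"
  sed -e "s|{{ LDAP_BASE_DN }}|$base_dn|g" \
      -e "s|{{ LDAP_DOMAIN }}|$domain|g" "$file"
}

# Sanity checks on a rendered file: no README placeholder survived, and
# every dn: line ends with the base DN (catches a typo in the placeholder).
check_rendered() {
  file="$1"; base_dn="$2"
  if grep -q '{{ LDAP_' "$file"; then return 1; fi
  grep '^dn:' "$file" | grep -v "$base_dn\$" | grep -q . && return 1
  return 0
}

if [ "${WRITE_LDIF:-0}" = 1 ]; then
  write_custom_ldif
  render_preview "dc=example,dc=org" "example.org" "$LDIF_DIR/10-people.ldif"
fi
```

Run it with WRITE_LDIF=1 to write the file and print the preview for the default base DN; then mount LDIF_DIR into the container with --copy-service as shown above.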

Seed from internal path

This image can load ldif and schema files at startup from an internal path, and certificates can be copied from an internal path as well. This is useful when a continuous integration service automatically mounts the working copy (sources) into a docker service attached to the CI job.

For example, Gitlab cannot mount custom paths into the docker services of a CI job, but it automatically mounts the working copy into every service container, so the working copy (sources) is accessible under /builds in every service of the job. The path to the working copy is available as ${CI_PROJECT_DIR}. See also: https://docs.gitlab.com/runner/executors/docker.html#build-directory-in-service

This may also work with other CI services, provided they mount the working directory into the services of a CI job the way Gitlab CI does.

To seed ldif or schema files from an internal path, set the environment variable LDAP_SEED_INTERNAL_LDIF_PATH and/or LDAP_SEED_INTERNAL_SCHEMA_PATH. If set, any files in the specified directory are copied into the default seeding directories of this image.

Example variables defined in gitlab-ci.yml:

variables:
  LDAP_SEED_INTERNAL_LDIF_PATH: "${CI_PROJECT_DIR}/docker/openldap/ldif"
  LDAP_SEED_INTERNAL_SCHEMA_PATH: "${CI_PROJECT_DIR}/docker/openldap/schema"

Certificates can also be seeded from an internal path. The file named in each variable is copied into the image's default certificate directory. If needed, combine these with LDAP_TLS_CRT_FILENAME, LDAP_TLS_KEY_FILENAME, LDAP_TLS_CA_CRT_FILENAME and LDAP_TLS_DH_PARAM_FILENAME to use a different filename in that directory.

variables:
    LDAP_SEED_INTERNAL_LDAP_TLS_CRT_FILE: "${CI_PROJECT_DIR}/docker/certificates/certs/cert.pem"
    LDAP_SEED_INTERNAL_LDAP_TLS_KEY_FILE: "${CI_PROJECT_DIR}/docker/certificates/certs/key.pem"
    LDAP_SEED_INTERNAL_LDAP_TLS_CA_CRT_FILE: "${CI_PROJECT_DIR}/docker/certificates/ca/ca.pem"
    LDAP_SEED_INTERNAL_LDAP_TLS_DH_PARAM_FILE: "${CI_PROJECT_DIR}/certificates/dhparam.pem"

Use an existing ldap database

This can be achieved by mounting host directories as volumes. Assuming you have an LDAP database on your docker host in the directory /data/slapd/database and the corresponding LDAP config files in /data/slapd/config, simply mount these directories as volumes to /var/lib/ldap and /etc/ldap/slapd.d:

docker run \
	--volume /data/slapd/database:/var/lib/ldap \
	--volume /data/slapd/config:/etc/ldap/slapd.d \
	--detach osixia/openldap:1.5.0

You can also use data volume containers. Please refer to:

https://docs.docker.com/engine/tutorials/dockervolumes/

Note: By default this image expects an mdb database backend. If you want to use another database backend, set the backend type via the LDAP_BACKEND environment variable.

Backup

A simple solution to backup your ldap server, is our openldap-backup docker image:

osixia/openldap-backup

Administrate your ldap server

If you are looking for a simple solution to administrate your ldap server you can take a look at our phpLDAPadmin docker image:

osixia/phpldapadmin

TLS

Use auto-generated certificate

By default, TLS is already configured and enabled. The certificate is generated at first start for the container hostname (set it with the docker run --hostname option, e.g. ldap.example.org). It is signed by a CA the image generates itself, not by a public CA, so clients must be configured to trust that generated CA certificate (default name ca.crt, see LDAP_TLS_CA_CRT_FILENAME) or you should provide your own certificate as described in the next section.

docker run --hostname ldap.my-company.com --detach osixia/openldap:1.5.0

Use your own certificate

You can use your own certificate at run time by mounting a directory containing the files to /container/service/slapd/assets/certs and setting their names with the following environment variables:

docker run \
	--hostname ldap.example.org \
	--volume /path/to/certificates:/container/service/slapd/assets/certs \
	--env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
	--env LDAP_TLS_KEY_FILENAME=my-ldap.key \
	--env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
	--detach osixia/openldap:1.5.0

Other solutions are available please refer to the Advanced User Guide

Disable TLS

Add --env LDAP_TLS=false to the run command. Without TLS, simple binds send passwords (including the admin password) in clear text over port 389, so only do this when the server is reachable solely from trusted networks or when TLS is terminated elsewhere. Note also that once a database has been created with TLS enabled, LDAP_TLS cannot be turned off again (see the LDAP_TLS variable below).

docker run --env LDAP_TLS=false --detach osixia/openldap:1.5.0

Multi master replication

Quick example, with the default config.

#Create the first ldap server, save the container id in LDAP_CID and get its IP:
LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.5.0)
LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)

#Create the second ldap server, save the container id in LDAP2_CID and get its IP:
LDAP2_CID=$(docker run --hostname ldap2.example.org --env LDAP_REPLICATION=true --detach osixia/openldap:1.5.0)
LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)

#Add the pair "ip hostname" to /etc/hosts in each container,
#because ldap.example.org and ldap2.example.org are fake hostnames
docker exec $LDAP_CID bash -c "echo $LDAP2_IP ldap2.example.org >> /etc/hosts"
docker exec $LDAP2_CID bash -c "echo $LDAP_IP ldap.example.org >> /etc/hosts"

That's it! But a little test to be sure:

Add a new user "billy" on the first ldap server

docker exec $LDAP_CID ldapadd -x -D "cn=admin,dc=example,dc=org" -w admin -f /container/service/slapd/assets/test/new-user.ldif -H ldap://ldap.example.org -ZZ

Search on the second ldap server, and billy should show up!

docker exec $LDAP2_CID ldapsearch -x -H ldap://ldap2.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -ZZ

[...]

# billy, example.org
dn: uid=billy,dc=example,dc=org
uid: billy
cn: billy
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
[...]
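The same two-node setup can be built without hand-edited /etc/hosts entries: on a user-defined Docker network each container resolves the other's FQDN through Docker's embedded DNS when it is given that name as a --network-alias. The script below is an added example, not part of the image's repository. It assumes the docker CLI is on PATH, that the network name ldapnet and the container names ldap1 and ldap2 are free, and it uses the image's test LDIF (/container/service/slapd/assets/test/new-user.ldif) exactly as the README does above. The replication_hosts_value helper builds the #PYTHON2BASH: value the README describes for LDAP_REPLICATION_HOSTS (here it equals the default, so it is shown for the mechanism).

```shell
#!/bin/sh
# Added example (not from the osixia/openldap repository): two-node
# multi-master replication on a user-defined Docker network.
set -eu

NETWORK="${NETWORK:-ldapnet}"              # assumed free network name
IMAGE="${IMAGE:-osixia/openldap:1.5.0}"
ADMIN_PW="${ADMIN_PW:-admin}"              # image default; change it outside demos

# Build the LDAP_REPLICATION_HOSTS value: a Python list literal of ldap://
# URLs prefixed with #PYTHON2BASH:, one entry per hostname given.
replication_hosts_value() {
  out=""
  for h in "$@"; do
    out="${out:+$out,}'ldap://$h'"
  done
  printf '#PYTHON2BASH:[%s]' "$out"
}

# Start one node. The network alias equals the FQDN used in
# LDAP_REPLICATION_HOSTS, so the peer can reach it by that name and the
# auto-generated TLS certificate (issued for --hostname) matches.
start_node() {
  name="$1"; fqdn="$2"; hosts="$3"
  docker run --detach --name "$name" --hostname "$fqdn" \
    --network "$NETWORK" --network-alias "$fqdn" \
    --env LDAP_REPLICATION=true \
    --env LDAP_REPLICATION_HOSTS="$hosts" \
    --env LDAP_ADMIN_PASSWORD="$ADMIN_PW" \
    "$IMAGE"
}

# Add the test user on node 1, then look for it on node 2.
# Returns 0 only if the entry was replicated.
verify_replication() {
  docker exec ldap1 ldapadd -x -ZZ -H ldap://ldap.example.org \
    -D "cn=admin,dc=example,dc=org" -w "$ADMIN_PW" \
    -f /container/service/slapd/assets/test/new-user.ldif
  sleep 5   # refreshAndPersist is quick, but not instantaneous
  docker exec ldap2 ldapsearch -x -ZZ -LLL -H ldap://ldap2.example.org \
    -D "cn=admin,dc=example,dc=org" -w "$ADMIN_PW" \
    -b dc=example,dc=org "(uid=billy)" dn | grep -q '^dn: uid=billy'
}

main() {
  hosts=$(replication_hosts_value ldap.example.org ldap2.example.org)
  docker network create "$NETWORK" >/dev/null
  start_node ldap1 ldap.example.org "$hosts"
  start_node ldap2 ldap2.example.org "$hosts"
  sleep 20   # give slapd time to finish its first-start bootstrap on both nodes
  verify_replication && echo "replication OK"
}

# Only touch docker when explicitly asked; the helpers above are safe to source.
if [ "${RUN_REPLICATION_DEMO:-0}" = 1 ]; then main; fi
```

Run with RUN_REPLICATION_DEMO=1. Because the replication bind uses cn=admin with LDAP_ADMIN_PASSWORD (see LDAP_REPLICATION_DB_SYNCPROV below), both nodes must be started with the same admin and config passwords, and those credentials travel over StartTLS (starttls=critical in the defaults).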

Fix docker mounted file problems

On some systems you may have problems with mounted files. The startup script tries to adjust some files and fix their owner and permissions, which can result in multiple errors. See the Docker documentation.

To fix that run the container with --copy-service argument :

	docker run [your options] osixia/openldap:1.5.0 --copy-service

Debug

The container default log level is info. Available levels are: none, error, warning, info, debug and trace.

Example command to run the container in debug mode:

docker run --detach osixia/openldap:1.5.0 --loglevel debug

See all command line options:

docker run osixia/openldap:1.5.0 --help

Environment Variables

Environment variables defaults are set in image/environment/default.yaml and image/environment/default.startup.yaml.

See how to set your own environment variables

Default.yaml

Variables defined in this file are available at anytime in the container environment.

General container configuration:

Default.startup.yaml

Variables defined in this file are only available in startup files during the container's first start. The file is deleted right after the startup files have been processed for the first time, so these values are no longer available in the container environment afterwards.

This helps to keep your container configuration secret. If you don't care, all environment variables can be defined in default.yaml and everything will work fine.

Required and used for new ldap server only:

  • LDAP_ORGANISATION: Organisation name. Defaults to Example Inc.

  • LDAP_DOMAIN: Ldap domain. Defaults to example.org

  • LDAP_BASE_DN: Ldap base DN. If empty automatically set from LDAP_DOMAIN value. Defaults to (empty)

  • LDAP_ADMIN_PASSWORD Ldap Admin password. Defaults to admin

  • LDAP_CONFIG_PASSWORD Ldap Config password. Defaults to config

  • LDAP_READONLY_USER Add a read only user. Defaults to false

    Note: The read only user does have write access to its own password.

  • LDAP_READONLY_USER_USERNAME Read only user username. Defaults to readonly

  • LDAP_READONLY_USER_PASSWORD Read only user password. Defaults to readonly

  • LDAP_RFC2307BIS_SCHEMA Use rfc2307bis schema instead of nis schema. Defaults to false

Backend:

  • LDAP_BACKEND: Ldap database backend. Defaults to mdb

TLS options:

  • LDAP_TLS: Add openldap TLS capabilities. Can't be removed once set to true. Defaults to true.

  • LDAP_TLS_CRT_FILENAME: Ldap ssl certificate filename. Defaults to ldap.crt

  • LDAP_TLS_KEY_FILENAME: Ldap ssl certificate private key filename. Defaults to ldap.key

  • LDAP_TLS_DH_PARAM_FILENAME: Ldap ssl certificate dh param file. Defaults to dhparam.pem

  • LDAP_TLS_CA_CRT_FILENAME: Ldap ssl CA certificate filename. Defaults to ca.crt

  • LDAP_TLS_ENFORCE: Enforce TLS for all connections except ldapi connections. Can't be disabled once set to true. Defaults to false.

  • LDAP_TLS_CIPHER_SUITE: TLS cipher suite. Defaults to SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC, based on Red Hat's TLS hardening guide

  • LDAP_TLS_VERIFY_CLIENT: TLS client certificate verification (olcTLSVerifyClient), one of never, allow, try or demand. Defaults to demand, which requires every TLS client to present a certificate signed by the CA in LDAP_TLS_CA_CRT_FILENAME and terminates the session otherwise; use try or never for clients that have no certificate.

    Help: https://www.openldap.org/doc/admin24/tls.html

Replication options:

  • LDAP_REPLICATION: Add openldap replication capabilities. Possible values: true, false, own. Defaults to false. Setting this to own allows you to provide your own replication settings via custom bootstrap ldifs.

  • LDAP_REPLICATION_CONFIG_SYNCPROV: olcSyncRepl options used for the config database. Without rid and provider which are automatically added based on LDAP_REPLICATION_HOSTS. Defaults to binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical

  • LDAP_REPLICATION_DB_SYNCPROV: olcSyncRepl options used for the database. Without rid and provider which are automatically added based on LDAP_REPLICATION_HOSTS. Defaults to binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical

  • LDAP_REPLICATION_HOSTS: list of replication hosts; it must contain the current container's hostname as set by --hostname on the docker run command. Defaults to:

    - ldap://ldap.example.org
    - ldap://ldap2.example.org

    If you want to set this variable on the docker run command line, prefix the value with the tag #PYTHON2BASH: and write the yaml list as a python list:

      docker run --env LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']" --detach osixia/openldap:1.5.0
    

    To convert yaml to python online: https://yaml-online-parser.appspot.com/

Other environment variables:

  • KEEP_EXISTING_CONFIG: Do not change the ldap config. Defaults to false

    • if set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run. The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data.
    • if set to true when bootstrapping a new database, bootstrap ldif and schema will not be added and tls and replication config will not be run.
  • LDAP_REMOVE_CONFIG_AFTER_SETUP: delete config folder after setup. Defaults to true

  • LDAP_SSL_HELPER_PREFIX: ssl-helper environment variables prefix. Defaults to ldap, ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.

  • HOSTNAME: set the hostname of the running openldap server. Defaults to whatever docker creates.

  • DISABLE_CHOWN: do not perform any chown to fix file ownership. Defaults to false

  • LDAP_OPENLDAP_UID: runtime docker user uid to run container as

  • LDAP_OPENLDAP_GID: runtime docker user gid to run container as

Set your own environment variables

Use command line argument

Environment variables can be set by adding the --env argument in the command line, for example:

docker run \
	--env LDAP_ORGANISATION="My company" \
	--env LDAP_DOMAIN="my-company.com" \
	--env LDAP_ADMIN_PASSWORD="JonSn0w" \
	--detach osixia/openldap:1.5.0

Be aware that environment variables added on the command line are available at any time in the container. In this example, anyone who manages to open a shell in the container, or who can run docker inspect on the host, can read the admin password in clear text.

Link environment file

For example, if your environment files my-env.yaml and my-env.startup.yaml are in /data/ldap/environment:

docker run \
	--volume /data/ldap/environment:/container/environment/01-custom \
	--detach osixia/openldap:1.5.0

Take care to link your environment files folder to /container/environment/XX-somedir (with XX < 99 so they will be processed before default environment files) and not directly to /container/environment because this directory contains predefined baseimage environment files to fix container environment (INITRD, LANG, LANGUAGE and LC_CTYPE).

Note: the container will try to delete the *.startup.yaml file after the startup files have run, so the file will also be deleted on the docker host. To prevent that, mount the directory read-only (--volume /data/ldap/environment:/container/environment/01-custom:ro) or set all variables in a *.yaml file and don't use *.startup.yaml:

docker run \
	--volume /data/ldap/environment/my-env.yaml:/container/environment/01-custom/env.yaml \
	--detach osixia/openldap:1.5.0

Docker Secrets

As an alternative to passing sensitive information via environment variables, _FILE may be appended to the listed variables, causing the startup script to load their values from files present in the container. This is particularly useful for loading passwords with the Docker secrets mechanism, where each secret is mounted as a file under /run/secrets. For example:

docker run \
	--env LDAP_ORGANISATION="My company" \
	--env LDAP_DOMAIN="my-company.com" \
	--env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/authentication_admin_pw \
	--detach osixia/openldap:1.5.0

Currently this is only supported for LDAP_ADMIN_PASSWORD, LDAP_CONFIG_PASSWORD, LDAP_READONLY_USER_PASSWORD
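The _FILE convention is easy to get subtly wrong (both the variable and its _FILE twin set, a trailing newline from echo or an editor ending up in the password, a world-readable secret file). The function below is an added example written for this page, not the image's startup.sh, that implements the convention with those checks; it is suitable for your own entrypoints or wrapper scripts. The docker run line in the comment shows how a plain (non-swarm) container can get the file: it is mounted read-only with --volume, which is an assumption of this example.

```shell
#!/bin/sh
# Added example (not the image's startup.sh): the VAR / VAR_FILE convention
# with the checks a production entrypoint should have.
set -eu

# file_env VAR: export VAR from the file named by VAR_FILE when that is set.
# - refuses the ambiguous case where both VAR and VAR_FILE are set
# - fails if the file is unreadable
# - warns if the file is readable by "others"
# - strips trailing newlines (command substitution does that), so a file
#   written with `echo` does not produce a password ending in "\n"
file_env() {
  var="$1"
  file_var="${var}_FILE"
  val=$(eval "printf '%s' \"\${$var:-}\"")
  file=$(eval "printf '%s' \"\${$file_var:-}\"")
  if [ -n "$val" ] && [ -n "$file" ]; then
    echo "error: both $var and $file_var are set" >&2
    return 1
  fi
  if [ -n "$file" ]; then
    if [ ! -r "$file" ]; then
      echo "error: $file_var=$file is not readable" >&2
      return 1
    fi
    # Last octal digit of the mode >= 4 means "others" can read the secret.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null || echo 0)
    case "$mode" in
      *[4-7]) echo "warning: $file is readable by other users" >&2 ;;
    esac
    val=$(cat "$file")
  fi
  export "$var=$val"
}

# The three variables the image supports with a _FILE twin.
load_ldap_secrets() {
  for v in LDAP_ADMIN_PASSWORD LDAP_CONFIG_PASSWORD LDAP_READONLY_USER_PASSWORD; do
    file_env "$v"
  done
}

# Usage with plain docker run (no swarm), assuming ./admin_pw holds the
# password and is mode 0600 on the host:
#   docker run --volume "$PWD/admin_pw:/run/secrets/ldap_admin_pw:ro" \
#     --env LDAP_ADMIN_PASSWORD_FILE=/run/secrets/ldap_admin_pw \
#     --detach osixia/openldap:1.5.0
```

Keep the secret file at mode 0600 and owned by the uid that reads it; the image's default env-file handling (see Link environment file above) has the same requirement.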

Make your own image or extend this image

This is the best solution if you have a private registry. Please refer to the Advanced User Guide just below.

Advanced User Guide

Extend osixia/openldap:1.5.0 image

If you need to add your custom TLS certificate, bootstrap config or environment files, the easiest way is to extend this image.

Dockerfile example:

FROM osixia/openldap:1.5.0
LABEL maintainer="Your Name <[email protected]>"

ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD certs /container/service/slapd/assets/certs
ADD environment /container/environment/01-custom

See complete example in example/extend-osixia-openldap

Warning: if you want to install new packages from the debian repositories, note that this image is configured to prevent documentation and locales from being installed. If you need the docs and locales, remove the following files: /etc/dpkg/dpkg.cfg.d/01_nodoc and /etc/dpkg/dpkg.cfg.d/01_nolocales

Make your own openldap image

Clone this project:

git clone https://github.com/osixia/docker-openldap
cd docker-openldap

Adapt Makefile, set your image NAME and VERSION, for example:

NAME = osixia/openldap
VERSION = 1.1.9

become:

NAME = cool-guy/openldap
VERSION = 0.1.0

Add your custom certificate, bootstrap ldif and environment files...

Build your image:

make build

Run your image:

docker run --detach cool-guy/openldap:0.1.0

Tests

We use Bats (Bash Automated Testing System) to test this image:

https://github.com/bats-core/bats-core

Install Bats, and in this project directory run:

make test

Kubernetes

Kubernetes is an open source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.

More information:

osixia-openldap kubernetes examples are available in example/kubernetes

Under the hood: osixia/light-baseimage

This image is based on osixia/light-baseimage. It uses the following features:

  • ssl-tools service to generate tls certificates
  • log-helper tool to print log messages based on the log level
  • run tool as entrypoint to init the container environment

To fully understand how this image works take a look at: https://github.com/osixia/docker-light-baseimage

Security

If you discover a security vulnerability within this docker image, please send an email to the Osixia! team at [email protected]. For minor vulnerabilities feel free to add an issue here on github.

Please include as many details as possible.

Known security issues

OpenLDAP on debian stores the admin password in two places with the same value: as userPassword on the cn=admin entry of the directory and as olcRootPW of the database in cn=config. If you changed the admin password after bootstrap (for example with ldappasswd), the other copy keeps the old password and still works; you may be concerned by issue #161.
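To rotate the admin password in both places at once, the script below (an added example, not from the image's repository) hashes the new password with slappasswd inside the container, then replaces olcRootPW on the data database and userPassword on the cn=admin entry, and finally checks that a simple bind with the new password succeeds. Its assumptions: the container is named my-openldap-container, the base DN is dc=example,dc=org, the backend is mdb (so the database is olcDatabase={1}mdb), slapd listens on ldapi:/// inside the container, and the cn=config password (LDAP_CONFIG_PASSWORD) is known.

```shell
#!/bin/sh
# Added example (not from the osixia/openldap repository): rotate the
# directory admin password everywhere Debian's slapd keeps a copy of it.
set -eu

CONTAINER="${CONTAINER:-my-openldap-container}"   # assumed container name
BASE_DN="${BASE_DN:-dc=example,dc=org}"
BACKEND="${BACKEND:-mdb}"                         # olcDatabase={1}$BACKEND

# LDIF replacing olcRootPW on the data database. Takes an already hashed
# password (slappasswd output) so no clear-text value is written to the LDIF.
rootpw_ldif() {
  hash="$1"
  printf 'dn: olcDatabase={1}%s,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$BACKEND" "$hash"
}

# LDIF replacing userPassword on the cn=admin entry with the same hash.
admin_entry_ldif() {
  hash="$1"
  printf 'dn: cn=admin,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$BASE_DN" "$hash"
}

# rotate_admin_password NEW_PASSWORD CONFIG_PASSWORD
rotate_admin_password() {
  new_pw="$1"; config_pw="$2"
  # {SSHA} hash computed inside the container (slappasswd default scheme).
  hash=$(docker exec "$CONTAINER" slappasswd -s "$new_pw")

  # 1. olcRootPW: what cn=admin,$BASE_DN uses when it binds as rootdn.
  #    Modifying cn=config needs the config rootdn (cn=admin,cn=config).
  rootpw_ldif "$hash" | docker exec -i "$CONTAINER" \
    ldapmodify -x -H ldapi:/// -D cn=admin,cn=config -w "$config_pw"

  # 2. userPassword on the entry itself. The bind already uses the new
  #    password because step 1 took effect immediately.
  admin_entry_ldif "$hash" | docker exec -i "$CONTAINER" \
    ldapmodify -x -H ldapi:/// -D "cn=admin,$BASE_DN" -w "$new_pw" \
    || echo "warning: cn=admin,$BASE_DN entry not updated (does it exist?)" >&2

  # 3. Check: a simple bind with the new password must succeed.
  docker exec "$CONTAINER" ldapwhoami -x -H ldapi:/// \
    -D "cn=admin,$BASE_DN" -w "$new_pw"
}

# Only touch docker when explicitly asked; the LDIF helpers are safe to source.
if [ "${ROTATE_NOW:-0}" = 1 ]; then
  rotate_admin_password "$NEW_PASSWORD" "$CONFIG_PASSWORD"
fi
```

Run with ROTATE_NOW=1 NEW_PASSWORD=... CONFIG_PASSWORD=... . If LDAP_REPLICATION is enabled, the olcSyncRepl entries also embed the admin password as credentials (see LDAP_REPLICATION_DB_SYNCPROV above) and have to be updated on every node as well, otherwise replication silently stops after the rotation.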

Changelog

Please refer to: CHANGELOG.md


docker-openldap's Issues

Memberof not configured on first boot

I see a LDIF file that configures the memberof overlay on first boot, but the overlay does not seem to actually be working when groups and users are created. Is this a bug or have I missed something in the configuration? I've never configured the overlay myself before so please forgive me if I am misunderstanding.

Quick howto is wrong?

Hi,

I am testing this image right now and I found one error (maybe I am doing something wrong), but when I run ldapsearch, I get this error:

# docker exec -it openldap ldapsearch -x -h localhost -b dc=example,dc=net -D "cn=admin,dc=example,dc=net" -w admin
ldap_bind: Invalid credentials (49)

But when I run it as this, it works (from host to container):
ldapsearch -x -h 172.17.0.8 -b dc=example,dc=net -D "cn=admin,dc=example,dc=net" -W admin

So I think command in howto should looks like this:
docker exec -it openldap ldapsearch -x -h localhost -b dc=example,dc=net -D "cn=admin,dc=example,dc=net" -W admin

kudos!

Kudos for this image, very rarely seen an image being that well designed!

ldap_modify: error (80)

I got the error ldap_modify: Other (e.g., implementation specific) error (80) during startup with a GoDaddy certificate.
I start the container by

docker run -d -v $HOME/certs:/container/service/slapd/assets/certs \
    -h ldap.mycompany.com \
    --name=ldap \
    -e LDAP_TLS_CRT_FILENAME=425ddb461b040d25.crt \
    -e LDAP_TLS_KEY_FILENAME=mycompany_com.key \
    -e LDAP_TLS_CA_CRT_FILENAME=gd_bundle-g2-g1.crt \
    -e LDAP_ORGANISATION="My Company Inc." \
    -e LDAP_DOMAIN="mycompany.com" \
    osixia/openldap:1.0.9

but it exited with status 80. Here are the logs where it fails:

Use TLS
Files /container/service/slapd/assets/certs/425ddb461b040d25.crt and /container/service/slapd/assets/certs/planetmeican_com.key already exists
ldap_modify: Other (e.g., implementation specific) error (80)
modifying entry "cn=config"

*** /etc/my_init.d/slapd failed with status 80

*** Killing all processes...

At first I tried to use a self-signed certificate generated by openssl, but it seems that this image uses gnu-tls, and they're incompatible, so it doesn't work. After that I used the certificate generated by this image, and that works.
But when I changed to the GoDaddy certificate, I got this error. I even tried to replace gnutls with openssl in the Dockerfile and container-start.sh and rebuild the image, but got the same error.

OpenLdap container won't start when dhparam.pem is missing in bound volume

Docker output:

Creating docker_openldap_1...
Attaching to docker_openldap_1
openldap_1 | Execute /container/tool/py_tool/my_init --single-process
openldap_1 | *** Running /etc/my_init.d/slapd...
openldap_1 | Files /container/service/slapd/assets/ssl/ldap.foobar.com.crt.pem and /container/service/slapd/assets/ssl/ldap.foobar.com.key.pem already exists
openldap_1 | /etc/my_init.d/slapd: line 50: openssl: command not found
openldap_1 | *** /etc/my_init.d/slapd failed with status 127
openldap_1 | 
docker_openldap_1 exited with code 1
Gracefully stopping... (press Ctrl+C again to force)

Sample config:

openldap:
    image: osixia/openldap
    hostname: ldap
    domainname: ldap.foobar.com
    environment:
        - LDAP_ORGANISATION=foobar
        - LDAP_DOMAIN=ldap.foobar.com
        - LDAP_ADMIN_PASSWORD=admin
        - LDAP_CONFIG_PASSWORD=config
        - USE_TLS=true
        - SSL_CRT_FILENAME=ldap.foobar.com.crt.pem
        - SSL_KEY_FILENAME=ldap.foobar.com.key.pem
        - SSL_CA_CRT_FILENAME=ca_foobar.com.crt.pem
    ports:
        - "389:389"
        - "636:636"
    volumes:
        - /data/slapd/database:/var/lib/ldap
        - /data/slapd/config:/etc/ldap/slapd.d
        - /data/slapd/ssl:/osixia/slapd/ssl
        - /data/slapd/ssl:/container/service/slapd/assets/ssl

I see that you check for openssl in https://github.com/osixia/docker-light-baseimage/blob/stable/image/service-available/ssl-helper/assets/tool/ssl-helper.sh

  # OPENSSL
  if [ "$USE_OPENSSL" = true ] ; then
    echo "-> Using openssl"

Perhaps similar check is needed in https://github.com/osixia/docker-openldap/blob/stable/image/service/slapd/container-start.sh

    ### check for openssl ###

    # create DHParamFile if not found
    [ -f /container/service/slapd/assets/ssl/dhparam.pem ] || openssl dhparam -out /container/service/slapd/assets/ssl/dhparam.pem 2048

P.S. thanks for this very useful container!

schema update

I am trying to update the schema by running the following command inside the container.

ldapadd -Y EXTERNAL -H ldapi:/// -f temp/cn=config/cn=schema/cn={0}pwm.ldif -d1

output -

ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/slapd/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_close_socket: 4
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

This is as instructed in the doc /usr/share/doc/slapd/README.Debian.gz that ships with the apt-get install of the slapd service.

I tracked this down with the help of others to the fact that the service is being started without the ldapi:/// value

ps aux | grep slapd
root 13 0.0 0.0 168 40 ? Ss 17:16 0:00 runsv slapd
openldap 22 0.0 4.8 566188 370320 ? Ssl 17:16 0:00 /usr/sbin/slapd -h ldap:/// -u openldap -g openldap
root 1640 0.0 0.0 8748 200 ? R+ 17:43 0:00 grep --color=auto slapd

Further tracking down shows that the service is started using the following script.

https://github.com/osixia/docker-baseimage/blob/stable/image/bin/my_init

Which then triggers

https://github.com/osixia/docker-openldap/blob/stable/image/service/slapd/daemon.sh

Created a pull request for minor change
#5

Was hoping you would be willing to make this live so I can update schema of the database.
think I might need to hack the container as I am using an older image because of another ticket.

How to configure a master multi-slave?

Here is my script:

#!/bin/bash
LDAP_CID=$(docker run --hostname ldap.example.org --env LDAP_REPLICATION=true --env LDAP_REPLICATION_HOSTS="['ldap://ldap.example.com','ldap://ldap1.example.com', 'ldap://ldap2.example.com']" --detach osixia/openldap:1.1.2)
LDAP_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP_CID)

LDAP1_CID=$(docker run --hostname ldap1.example.org --detach osixia/openldap:1.1.2)
LDAP1_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP1_CID)

LDAP2_CID=$(docker run --hostname ldap2.example.org --detach osixia/openldap:1.1.2)
LDAP2_IP=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" $LDAP2_CID)

# LDAP_CID MASTER

docker exec $LDAP_CID bash -c "echo $LDAP_IP ldap.example.org >> /etc/hosts"
docker exec $LDAP_CID bash -c "echo $LDAP1_IP ldap1.example.org >> /etc/hosts"
docker exec $LDAP_CID bash -c "echo $LDAP2_IP ldap2.example.org >> /etc/hosts"

# LDAP1_CID SLAVE

docker exec $LDAP1_CID bash -c "echo $LDAP_IP ldap.example.org >> /etc/hosts"

# LDAP2_CID SLAVE

docker exec $LDAP2_CID bash -c "echo $LDAP_IP ldap.example.org >> /etc/hosts"

When I execute the following command I get this error; where is the configuration not correct?

docker exec $LDAP_CID ldapsearch -x -h ldap.example.org -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -ZZ
ldap_start_tls: Can't contact LDAP server (-1)

@ofreax @osixia
Please help me to write, thank you very much

Repeat run image - problem

Hello,
This image does not work correctly if it is used again (run -> stop/rm -> run). It sets up the LDAP server again. It seemed to me this is not needed.

May be need to make:

  • FIRST_START_DONE="/etc/ldap/slapd.d/slapd-first-start-done"
  • or checking on exist file "cn=config.ldif"

Problem:
I create instance with:

  • own TLS settings
  • external volumes: /var/lib/ldap and /etc/ldap/slapd.d and /container/environment/01-custom
    Then I stop and remove it.

Then I create a second instance (run), and it:

  • generate certificate again
  • reset TLS settings on default

Getting server-side TLS logs

Hi there,

First things first: thanks a lot for a great docker project. Saved me tons of time and really easy to use (especially with the phpldapadmin project counterpart !).

I'm struggling with connecting over ldaps from a Java client (works better with openssl s_client) and would like to get the detailed handshake trace on the ldap side. Any recommendation on how I can achieve that ? (I'm stuck at getting any log from the container itself)

Thanks a lot,
Nicolas

P.S.: my Java client is failing during handshake, server is closing the connection for some reason (any ideas are welcome)

localhost-startStop-1, received EOFException: error
localhost-startStop-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

TLS negotiation failure after disabling TLS

I am trying to connect an application to the LDAP server based on the image osixia/docker-openldap 1.1.2. My application uses SSL 3.0, and the LDAP server uses TLS. So it was giving me "TLS Issue: Could not negotiate a supported cipher suite". However, I disabled TLS with the steps you mentioned in #17.
But now when I run my application against the server, it complains (TLS negotiation failure).

logs.txt

Kindly help

pwdPolicy not enabled

Does ppolicy work with this? I'm having trouble including an LDIF that includes

objectClass: pwdPolicy

Error:
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax
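A complete password-policy setup, as an added example (not from the post above and not the project's own bootstrap LDIF). The ppolicy schema is already loaded in this image (cn={4}ppolicy.ldif appears in the slapd.d listing elsewhere on this page), but the overlay module still has to be loaded and attached to the data database, and the policy entry needs a structural object class (device here) next to the auxiliary pwdPolicy. The suffix dc=example,dc=org, the data database olcDatabase={1}hdb,cn=config and the module entry cn=module{0},cn=config are assumptions taken from the page; skip step 1 if olcModuleLoad already lists ppolicy.

```ldif
# Added example; not the project's bootstrap LDIF.
# Assumptions: suffix dc=example,dc=org, data database olcDatabase={1}hdb,cn=config,
# module entry cn=module{0},cn=config. Apply steps 1 and 2 as root inside the
# container (ldapmodify -Y EXTERNAL -H ldapi:///), step 3 with the cn=admin bind.

# 1. Load the ppolicy overlay module (skip if olcModuleLoad already contains it).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# 2. Attach the overlay to the data database and name the default policy.
#    olcPPolicyHashCleartext: slapd hashes cleartext passwords itself, so clients
#    send the cleartext (over TLS) and pwdCheckQuality can actually inspect it.
#    olcPPolicyUseLockout FALSE: a locked account gets the same "invalid
#    credentials" as a wrong password, so callers cannot enumerate lockouts.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

# 3. The policy container and the default policy entry.
dn: ou=policies,dc=example,dc=org
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=org
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 0
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
```

pwdCheckQuality 2 rejects a password the server cannot inspect, which is exactly what happens when a client sends an already-hashed value such as the {MD5} strings seen elsewhere on this page; with this policy, clients must send cleartext and the server hashes it. pwdMaxFailure together with pwdLockout and pwdLockoutDuration gives a 15-minute lockout after five failures inside a 15-minute window, which blunts online guessing without allowing a permanent denial of service against an account.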

Docker Compose compilation of options

This project looks promising! I'm thinking it will work as part of another project I'm working on.

I'm suggesting the project create and commit a docker-compose.yml with image references to automated Docker Hub builds providing examples of environment variables and container name for users wishing to both deploy the pre-built images or build them locally.

Instead of providing one-off examples of docker run commands, provide your suggested "defined infrastructure" setup by way of a docker-compose.yml file.

I'm thinking something like this might be an example?

ldap + kerberos integration

I need to achieve ldap + kerberos integration.
Currently I'm following: https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
however I'm stuck, there seems to be missing file: /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz.

Running:

apt-get update && apt-get upgrade -yy && apt-get install -yy  krb5-kdc-ldap && ls -l /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz

Inside the container: osixia/openldap:1.1.2 there is no such file. Any idea why it is so?

however if I ran:

apt-get update && apt-get install -yy apt-file && apt-file update && apt-file list krb5-kdc-ldap

I see:

krb5-kdc-ldap: /etc/insserv/overrides/krb5-kdc
krb5-kdc-ldap: /lib/systemd/system/krb5-admin-server.service.d/slapd-before-kdc.conf
krb5-kdc-ldap: /lib/systemd/system/krb5-kdc.service.d/slapd-before-kdc.conf
krb5-kdc-ldap: /usr/lib/x86_64-linux-gnu/krb5/libkdb_ldap.so.1
krb5-kdc-ldap: /usr/lib/x86_64-linux-gnu/krb5/libkdb_ldap.so.1.0
krb5-kdc-ldap: /usr/lib/x86_64-linux-gnu/krb5/plugins/kdb/kldap.so
krb5-kdc-ldap: /usr/sbin/kdb5_ldap_util
krb5-kdc-ldap: /usr/share/doc/krb5-kdc-ldap/NEWS.Debian.gz
krb5-kdc-ldap: /usr/share/doc/krb5-kdc-ldap/changelog.Debian.gz
krb5-kdc-ldap: /usr/share/doc/krb5-kdc-ldap/copyright
krb5-kdc-ldap: /usr/share/doc/krb5-kdc-ldap/kerberos.ldif.gz
krb5-kdc-ldap: /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
krb5-kdc-ldap: /usr/share/man/man8/kdb5_ldap_util.8.gz

moreover, if I ran the command inside the debian:jessie docker container:

   apt-get update && apt-get upgrade -yy && apt-get install -yy  krb5-kdc-ldap && ls -l /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz

I can see the file present.

Why is it so?

Huge log

The container seems to generate huge amount of logs!
/var/lib/docker/containers/<container_id>/<container_id>-json.log
And since docker has problems with logging / memory usage it takes it(docker) all down.
Is there a way to log to syslog rather than to stdout/stderr?

Re-running container with volumes won't start

If I re-run the container with exposed volumes it never starts up. In the log for the container I get this:
*** Running /etc/my_init.d/slapd...
Starting openldap...
*** /etc/my_init.d/slapd failed with status 1

*** Killing all processes..

starting from old data

Hi there,

I am starting a container using the following docker run command.

docker run --name openldap -d --restart always -p 389:389 -v /opt/data/ldap/db:/var/lib/ldap -v /opt/data/ldap/config:/etc/ldap/slapd.d -v /opt/data/ldap/ssl/:/osixia/slapd/ssl/ -e LDAP_DOMAIN=example.com -e LDAP_ORGANISATION="example" -e SERVER_NAME="example.com" -e SSL_CRT_FILENAME=ldap.crt -e SSL_KEY_FILENAME=ldap.key -e SSL_CA_CRT_FILENAME=ca.crt osixia/openldap

This command works fine; however, if I remove the container using docker rm -f and try the same docker run command above, the following issue occurs.

*** Killing all processes...
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/slapd...
Files /osixia/slapd/ssl/ldap.crt and /osixia/slapd/ssl/ldap.key already exists
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCipherSuite: no equality matching rule
modifying entry "cn=config"

*** /etc/my_init.d/slapd failed with status 18

*** Killing all processes...
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/slapd...
Files /osixia/slapd/ssl/ldap.crt and /osixia/slapd/ssl/ldap.key already exists
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcTLSCipherSuite: no equality matching rule
modifying entry "cn=config"

This suggests that mounting out the config causes an issue when rebuilding a server with the same configuration on another host.

This seems to differ from the implementation in 0.9.1, where it was possible to simply move a server from one Docker host to another as long as you had the data files.

Regards

John

slapd tcp bind is network not interface, and so does not respond on overlay networks

I am using Rancher for Docker orchestration. It adds an overlay network, an alias IP on the docker network interface. http://docs.rancher.com/rancher/concepts/#networking

The issue is that the service startup binds to specific IP addresses and is not listening on the overlay IP address.

the process is started:

exec /usr/sbin/slapd -h "ldap://$HOSTNAME ldaps://$HOSTNAME ldap://localhost ldaps://localhost ldapi:///" -u openldap -g openldap -d $LDAP_LOG_LEVEL

which gives me:

root@ldap_1:/# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:636           0.0.0.0:*               LISTEN
tcp        0      0 172.17.0.5:636          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
tcp        0      0 172.17.0.5:389          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:636                 :::*                    LISTEN
tcp6       0      0 ::1:389                 :::*                    LISTEN

I have the following addresses on the docker interface:

root@ldap_1:/# ip addr show dev eth0
40: eth0@if41: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:95:3f:7b:35:1c brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.5/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.42.144.192/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::95:3fff:fe7b:351c/64 scope link
       valid_lft forever preferred_lft forever

The LDAP service does not respond on 10.42.144.192, but it does respond on 172.17.0.5.

Environment variable LDAP_CONFIG_PASSWORD doesn't work?

Hi,
I run the latest image using these environment variables:

sudo docker run --name openLdap -v /data/slapd/database:/var/lib/ldap -v /data/slapd/config:/etc/ldap/slapd.d -e USE_TLS=false -e VIRTUAL_HOST=ldap.comnmodel.org -e LDAP_ORGANISATION="comnmodel" -e LDAP_DOMAIN="comnmodel.org" -e LDAP_ADMIN_PASSWORD="mypassword" -e LDAP_CONFIG_PASSWORD="mypassword" -p 389:389 -d osixia/openldap

A simple test, without TLS, with cn=admin, works:

ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=comnmodel,dc=org" -W

Next, I try with cn=config; the password asked for is the same, but that doesn't work:

ldapsearch -x -H ldap://localhost:389 -D "cn=config,dc=comnmodel,dc=org" -W

As you can see below, cn=config exists in my volume /data/slapd/; perhaps the config password is not set correctly? I also tried with password = config, but that doesn't work either.

├── cn=config
│   ├── cn=module{0}.ldif
│   ├── cn=schema
│   │   ├── cn={0}core.ldif
│   │   ├── cn={10}openssh-lpk.ldif
│   │   ├── cn={11}quota.ldif
│   │   ├── cn={12}mmc.ldif
│   │   ├── cn={13}mail.ldif
│   │   ├── cn={1}cosine.ldif
│   │   ├── cn={2}nis.ldif
│   │   ├── cn={3}inetorgperson.ldif
│   │   ├── cn={4}ppolicy.ldif
│   │   ├── cn={5}dnszone.ldif
│   │   ├── cn={6}radius.ldif
│   │   ├── cn={7}samba.ldif
│   │   ├── cn={8}dhcp.ldif
│   │   └── cn={9}zarafa.ldif
│   ├── cn=schema.ldif
│   ├── olcBackend={0}hdb.ldif
│   ├── olcDatabase={0}config.ldif
│   ├── olcDatabase={-1}frontend.ldif
│   └── olcDatabase={1}hdb.ldif
├── cn=config.ldif
└── docker-openldap-was-started-with-tls

Don't disable network access from outside

Currently, the install.sh script disables network access from outside:

# Enable access only from docker default network and localhost
echo "slapd: 172.17.0.0/255.255.0.0 127.0.0.1 : ALLOW" >> /etc/hosts.allow
echo "slapd: ALL : DENY" >> /etc/hosts.allow

However, it should be up to the user if he wants to make the LDAP port publicly accessible (by executing "docker run" with "-p" or "-P") or just internally (by using container linking).

Therefore, I would suggest removing this script, or at least running it optionally on container start and not hardcoded on container build.

Force resync after 1 Container was down

Hello,

I built the Master-Master replication with this guide. It works so far.
My problem is: when I stop and restart one of the containers they will not sync anymore.
I tried deploying a new container. Does not work.
I tried deleting the database and deploying a new container. Does not work.

In the restarted one I get errors like

56b0536d slap_client_connect: URI=ldap://ldap2.pxr.de Error, ldap_start_tls failed (52)
56b0536d do_syncrepl: rid=102 rc 52 retrying

The still running one says:

56b056e7 null_callback : error code 0x50
56b056e7 syncrepl_entry: rid=001 be_modify failed (80)
56b056e7 do_syncrepl: rid=001 rc 80 retrying
56b05700 conn=1055 fd=21 ACCEPT from IP=xx.xx.xx.xx:48892 (IP=172.17.0.2:389)
56b05700 conn=1055 op=0 EXT oid=1.3.6.1.4.1.1466.20037
56b05700 conn=1055 op=0 STARTTLS
56b05700 conn=1055 op=0 RESULT oid= err=52 text=Could not initialize TLS
56b05700 conn=1056 fd=23 ACCEPT from IP=xx.xx.xx.xx:48893 (IP=172.17.0.2:389)
56b05700 conn=1056 op=0 EXT oid=1.3.6.1.4.1.1466.20037
56b05700 conn=1056 op=0 STARTTLS
56b05700 conn=1056 op=0 RESULT oid= err=52 text=Could not initialize TLS
56b05700 conn=1055 op=1 UNBIND
56b05700 conn=1055 fd=21 closed
56b05700 conn=1056 op=1 UNBIND
56b05700 conn=1056 fd=23 close

The only way to get replication working again is to completely delete both containers and databases and start new ones.

There must be a way to get them to sync again without destroying the entire database.

I found something like "start slapd with -c and the rid". But how do I restart the slapd process when I am in the container?

Any help would be nice.

Start stop the slapd service from the image ?

Hi,

I test the connection to my ldap with :

root@e8fe2bd50c3a:~# ldapsearch -x -h localhost -b dc=comnmodel,dc=org -D "cn=admin,dc=comnmodel,dc=org" -W admin -Z

and it works.

Now I want to configure slapd.conf with the correct information, so I change the info in this file, and after that I connect to the docker image to reload slapd.conf. When I run a service stop on slapd, I see that the stop command doesn't stop the daemon.

Is it normal ?

Docker VOLUME is not needed to be able to stop a container without losing data

In README.md, I can read:

The directories /var/lib/ldap (LDAP database files) and /etc/ldap/slapd.d (LDAP config files) has been declared as volumes, so your ldap files are saved outside the container in data volumes.

This means that you can stop and restart the container and get back your ldap without losing any data.

From https://docs.docker.com/reference/builder/#volume, I learn that having a folder declared as a volume just means that Docker will create a mount point for it. Therefore, it won't be part of any of my container's layers.

It will also persist through a stop-start cycle, but so will other data:

> docker run -ti debian:jessie /bin/bash
root@c1e0e7fecb8c:/# echo Hello World > myfile
root@c1e0e7fecb8c:/# exit
> docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                     PORTS               NAMES
c1e0e7fecb8c        debian:jessie       "/bin/bash"         25 seconds ago      Exited (0) 3 seconds ago                       clever_engelbart    
> docker start clever_engelbart
clever_engelbart
> docker attach clever_engelbart
root@c1e0e7fecb8c:/# 
root@c1e0e7fecb8c:/# cat myfile 
Hello World

TLS Issue: Could not negotiate a supported cipher suite..

When I run the latest image with:

docker pull osixia/openldap
docker run -d -p 390:389 -p 636:636 -h ldap.***.com --name="ldaps" osixia/openldap

And I try to search the directory over LDAPS with:

ldapsearch -x -h ldap.***.com -p 390 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -Z

I get the following log output and a TLS negotiation failure:

55ddb430 @(#) $OpenLDAP: slapd  (Apr 12 2015 14:28:03) $
    root@chimera:/tmp/buildd/openldap-2.4.40+dfsg/debian/build/servers/slapd
TLS: warning: ignoring dhfile
55ddb431 slapd starting
55ddb43a conn=1000 fd=20 ACCEPT from IP=84.253.47.226:59879 (IP=172.17.0.185:389)
55ddb43a conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
55ddb43a conn=1000 op=0 STARTTLS
55ddb43a conn=1000 op=0 RESULT oid= err=0 text=
TLS: can't accept: Could not negotiate a supported cipher suite..
55ddb43a conn=1000 fd=20 closed (TLS negotiation failure)

I also tried to connect over ldaps:// with:

ldapsearch -x -H ldaps://ldap.***.com -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

But I got the same "Could not negotiate a supported cipher suite.." exception.
Is there anything I've done wrong or is there an issue with the image?

Unable to start container with the following invocation.

docker run --name container-ldap -p 389:389 -p 636:636 -e LDAP_ORGANISATION=ORG -e LDAP_DOMAIN=ldap.REDACTED -e LDAP_ADMIN_PASSWORD=REDACTED -v /root/docker-ldap/database:/var/lib/ldap -v /root/docker-ldap/config:/etc/ldap/slapd.d -d osixia/openldap

root@ubuntu:~/docker-ldap# docker logs nixius-ldap
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/slapd...
*** /etc/my_init.d/slapd failed with status 1

*** Killing all processes...
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/slapd...
*** /etc/my_init.d/slapd failed with status 1

*** Killing all processes...

readonly user acl can not come info effect

I cannot log in as the user _readonly_ from phpldapadmin.

Login DN: cn=readonly,dc=example,dc=com
Password: readonly

Then I built a custom image after changing the file _readonly-user-acl.ldif_. Anonymous login also cannot read anything.

--- a/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
+++ b/image/service/slapd/assets/config/bootstrap/ldif/readonly-user/readonly-user-acl.ldif
@@ -4,4 +4,4 @@ delete: olcAccess
 -
 add: olcAccess
 olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
-olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none
+olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * read
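Review bot: the `+` line changes the catch-all clause of the `to *` rule from `by * none` to `by * read`, which grants read on every entry and every attribute other than userPassword and shadowLastChange to any identity, anonymous binds included, so the dedicated read-only account no longer restricts anything. It also does not change what a bind needs: `by anonymous auth` on userPassword in the unchanged first rule already lets cn=readonly authenticate, so a failing login as that user is not caused by this ACL and will not be fixed by this edit. If more identities need read access, name them explicitly (for example `by dn.children="ou=people,{{ LDAP_BASE_DN }}" read`) and keep `by * none` as the last clause.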

MemberOf doesn't work.

Hi everyone,
I've started to configure LDAP server with MemberOf Attributes but is not working.
I initialize my LDAP server with this LDIF file :

# Entry 6: ou=people,dc=exemple,dc=org
dn: ou=people,dc=exemple,dc=org
objectclass: organizationalUnit
objectclass: top
ou: people

# Entry 7: cn=Brice Broussolle,ou=people,dc=exemple,dc=org
dn: cn=Brice Broussolle,ou=people,dc=exemple,dc=org
cn: Brice Broussolle
displayname: Brice Broussolle
givenname: Brice
mail: [email protected]
objectclass: inetOrgPerson
objectclass: top
objectclass: person
sn: Broussolle
uid: bbroussolle
userpassword: {MD5}R3+Ui19AtM/5OGv6haBhkA==

# Entry 8: cn=Christophe Robert,ou=people,dc=exemple,dc=org
dn: cn=Christophe Robert,ou=people,dc=exemple,dc=org
cn: Christophe Robert
displayname: Christophe Robert
givenname: Christophe
mail: [email protected]
objectclass: inetOrgPerson
objectclass: top
objectclass: person
sn: Robert
uid: cRobert
userpassword: {MD5}R3+Ui19AtM/5OGv6haBhkA==

# Entry 3: ou=groups,dc=exemple,dc=org
dn: ou=groups,dc=exemple,dc=org
objectclass: organizationalUnit
objectclass: top
ou: groups

# Entry 4: cn=Application Admins,ou=groups,dc=exemple,dc=org
dn: cn=Application Admins,ou=groups,dc=exemple,dc=org
cn: Application Admins
objectclass: groupOfNames
objectclass: top
member: cn=Brice Broussolle,ou=people,dc=exemple,dc=org

# Entry 5: cn=Application Users,ou=groups,dc=exemple,dc=org
dn: cn=Application Users,ou=groups,dc=exemple,dc=org
cn: Application Users
objectclass: groupOfNames
objectclass: top
member: cn=Brice Broussolle,ou=people,dc=exemple,dc=org
member: cn=Christophe Campan,ou=people,dc=exemple,dc=org

After that, when I search for users, the "MemberOf" attribute never appeared.

Could anyone explain to me where I've made a mistake or what is happening?

Thank you all.
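memberOf is not something the entries above can carry on their own: it is an operational attribute maintained by the memberof overlay, and the overlay only computes it for group writes that happen after it is active, so groups loaded before enabling it must be re-added (or the data reloaded) before the attribute appears. The following overlay configuration is an added example, not from the post above and not the project's own bootstrap LDIF. It assumes the post's suffix dc=exemple,dc=org, the data database olcDatabase={1}hdb,cn=config and the module entry cn=module{0},cn=config as shown elsewhere on this page; skip step 1 if olcModuleLoad already lists memberof.

```ldif
# Added example; not the project's bootstrap LDIF.
# Assumptions: suffix dc=exemple,dc=org, data database olcDatabase={1}hdb,cn=config,
# module entry cn=module{0},cn=config.
# Apply as root inside the container: ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif

# 1. Load the overlay module (skip if olcModuleLoad already contains memberof).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof

# 2. Attach it to the data database for groupOfNames/member.
#    olcMemberOfRefInt TRUE also strips a user's DN out of every group when that
#    entry is deleted or renamed, so a removed account does not linger in groups
#    that applications use for authorization.
#    olcMemberOfDangling error rejects member values that point at no entry; the
#    default (ignore) accepts them silently. In the post above
#    "cn=Christophe Campan" has no entry (only "cn=Christophe Robert" does), so
#    with this setting the "Application Users" group would be refused until fixed.
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: error
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
```

Because memberOf is operational, ldapsearch does not return it unless it is asked for by name or with the `+` selector, for example `ldapsearch -x -b ou=people,dc=exemple,dc=org "(uid=bbroussolle)" memberOf`. A search that lists the user's attributes without naming memberOf will always look as if the overlay is not working.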

Can't setup TLS

** ld 0x7fca188ceae0 Connections:
* host: ldap.example.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Sat Mar 19 12:34:44 2016


** ld 0x7fca188ceae0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7fca188ceae0 request count 1 (abandoned 0)
** ld 0x7fca188ceae0 Response Queue:
   Empty
  ld 0x7fca188ceae0 response count 0
ldap_chkResponseList ld 0x7fca188ceae0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fca188ceae0 NULL
ldap_int_select
read1msg: ld 0x7fca188ceae0 msgid 1 all 1
ber_get_next
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)

ldap config:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: a1412b7e-8216-1035-85f2-39058bb36102
creatorsName: cn=config
createTimestamp: 20160319120534Z
olcTLSCipherSuite: NORMAL
olcTLSProtocolMin: 3.1
olcTLSCACertificateFile: /container/service/slapd/assets/certs/ca-chain.pem
olcTLSCertificateFile:: L2NvbnRhaW5lci9zZXJ2aWNlL3NsYXBkL2Fzc2V0cy9jZXJ0cy9y
 ZWNvbWJlZV9uZXRfYnVuZGxlLmNydCA=
olcTLSCertificateKeyFile: /container/service/slapd/assets/certs/cert.key
olcTLSDHParamFile: /container/service/slapd/assets/certs/dhparam.pem
olcTLSVerifyClient: never
entryCSN: 20160319120537.432234Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20160319120537Z

When I compare this to a working instance I find it a bit strange that olcTLSCertificateFile is replaced by: L2NvbnRhaW5lci9zZXJ2aWNlL3NsYXBkL2Fzc2V0cy9jZXJ0cy9y ZWNvbWJlZV9uZXRfYnVuZGxlLmNydCA= Is this valid syntax?

no permission error in container logs

Hi,
I try to run the container using

 docker run -d osixia/openldap

But got below error instead (from docker logs)

[root@docker01 ~]# docker logs naughty_nobel
Execute /container/tool/my_init --skip-runit bash /etc/service/slapd/run
*** Running /etc/my_init.d/slapd...
database and config directory are empty
-> set bootstrap config
invoke-rc.d: policy-rc.d denied execution of stop.
slappasswd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
  Creating initial configuration... Loading the initial configuration from the ldif file () failed with
the following error while running slapadd:
    slapadd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
*** /etc/my_init.d/slapd failed with status 1

*** Killing all processes...

Mounting volumes via docker-compose

Dear all,

I'm currently on version 1.1.2 of this awesome docker image.

Here is my problem: With docker (tested versions 1.10.0 and 1.11.0) and docker-compose (tested versions 0.6.2 and 0.7.0) I try to mount the volumes like this:

volumes:
    - /root/docker_data/openldap/ldap /var/lib/ldap
    - /root/docker_data/openldap/slapd.d /etc/ldap/slapd.d

However the directories are not created when I bring up your openldap image via docker-compose.

When I start the image via docker run like i.e.

docker run --volume /root/docker_data/openldap/ldap:/var/lib/ldap \
--volume /root/docker_data/openldap/slapd.d:/etc/ldap/slapd.d \
--detach osixia/openldap:1.1.2

The volumes are created just fine in /root/docker_data/openldap/.
Any ideas what might be wrong? I have already done several mounts via docker-compose with other images, and it always worked just as expected. Not sure why it would not work with this image.

thanks!

Permission error (docker-compose)

If I try to mount a volume I get an error.

docker-compose.yml

ldap:
  image: osixia/openldap:1.0.8
  volumes:
    - ./.ldap/var/lib/ldap:/var/lib/ldap
    - ./.ldap/etc/ldap/slapd.d:/etc/ldap/slapd.d
  ports:
    - "389:389"

Error:

Execute /container/tool/my_init --skip-runit bash /etc/service/slapd/run
| *** Running /etc/my_init.d/slapd...
| Starting openldap...
| *** /etc/my_init.d/slapd failed with status 1
|
| *** Killing all processes...
ldap exited with code 1

Env:

OS X El Capitan 10.11
docker-machine version 0.5.2 ( 0456b9f )
docker-compose version 1.5.2, build 7240ff3
Docker version 1.9.1, build a34a1d5
VirtualBox 5.0.0.10

more info

a) There is lots of info about this issue: google "docker data volume permissions"
b) For MySQL I fixed it by running mysqld as the root user (in my.cnf)
FROM mysql:latest
RUN sed -i 's/user.=./user=root/' /etc/mysql/my.cnf
c) For php-fpm by adding "RUN usermod -u 1000 www-data".

Cannot rerun with customized certificate at 1.1.1

Hi,

After moving to 1.1.1, I cannot rerun a container with my own certificate as I did on 1.1.0. I've also tried this on a newly created container (empty, with default settings) and it failed. There's no problem rerunning one with the default certificate though.

LDAP_TLS=false but replication still requires TLS?

After v1.0.9, replication is failing.

I've started a new container and a new database, and passed LDAP_TLS=false on the docker run line.

ldap1 log:

56b73cf9 slap_client_connect: URI=ldap://ldap2 Error, ldap_start_tls failed (2)
56b73cf9 slap_client_connect: URI=ldap://ldap2 Error, ldap_start_tls failed (2)
56b73cf9 do_syncrepl: rid=002 rc 2 retrying
56b73cf9 do_syncrepl: rid=102 rc 2 retrying

ldap2 log:

56b73cf9 conn=1054 fd=21 ACCEPT from IP=10.2.92.201:58790 (IP=172.17.0.30:389)
56b73cf9 conn=1054 op=0 EXT oid=1.3.6.1.4.1.1466.20037
56b73cf9 conn=1054 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
56b73cf9 conn=1054 op=0 RESULT tag=120 err=2 text=unsupported extended operation
56b73cf9 conn=1053 fd=22 ACCEPT from IP=10.2.92.201:58792 (IP=172.17.0.30:389)
56b73cf9 conn=1053 op=0 EXT oid=1.3.6.1.4.1.1466.20037
56b73cf9 conn=1053 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
56b73cf9 conn=1053 op=0 RESULT tag=120 err=2 text=unsupported extended operation
56b73cf9 conn=1054 op=1 UNBIND
56b73cf9 conn=1054 fd=21 closed
56b73cf9 conn=1053 op=1 UNBIND
56b73cf9 conn=1053 fd=22 closed

/container/service/slapd/assets/config/replication/replication-enable.ldif:

# Add sync replication on config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1 binddn="cn=admin,cn=config" bindmethod=simple credentials=XXXXXXXXXX searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
olcSyncRepl: rid=002 provider=ldap://ldap2 binddn="cn=admin,cn=config" bindmethod=simple credentials=XXXXXXXXXX searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
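The consumer entries above hard-code starttls=critical, which is why the ldap1 log shows rc 2 retries after ldap2 answers err=2 "unsupported extended operation" to the StartTLS request: the provider simply has no TLS configured. Both ways out are shown below as an added example (not the project's replication-enable.ldif). The recommended form keeps TLS mandatory and additionally pins the CA and demands a valid provider certificate, so the cn=admin,cn=config password used for the simple bind is never sent to an unverified peer; the alternative, only for deployments where TLS is really off on both nodes, drops the starttls keyword entirely. The host names ldap1/ldap2 are taken from the post; the CA path and the credentials placeholder are assumptions.

```ldif
# Added example, not the project's replication-enable.ldif.
# Assumptions: providers ldap1 and ldap2 (from the post), a CA file at
# /container/service/slapd/assets/certs/ca.crt, and REPLACE_WITH_CONFIG_PASSWORD
# standing in for the cn=config password.

# Recommended: TLS required and verified. tls_reqcert=demand makes the consumer
# abort the connection if the provider certificate does not chain to tls_cacert
# or does not carry the provider host name, so replication credentials cannot be
# captured by an impersonating provider.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1 binddn="cn=admin,cn=config"
  bindmethod=simple credentials=REPLACE_WITH_CONFIG_PASSWORD
  searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1
  starttls=critical tls_reqcert=demand
  tls_cacert=/container/service/slapd/assets/certs/ca.crt
olcSyncRepl: rid=002 provider=ldap://ldap2 binddn="cn=admin,cn=config"
  bindmethod=simple credentials=REPLACE_WITH_CONFIG_PASSWORD
  searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1
  starttls=critical tls_reqcert=demand
  tls_cacert=/container/service/slapd/assets/certs/ca.crt

# Alternative, only when LDAP_TLS=false on every node: no starttls keyword at all.
# The config password then crosses the network in the clear on each reconnect.
# (Commented out so the file above applies only the verified-TLS variant.)
#olcSyncRepl: rid=001 provider=ldap://ldap1 binddn="cn=admin,cn=config"
#  bindmethod=simple credentials=REPLACE_WITH_CONFIG_PASSWORD
#  searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1
#olcSyncRepl: rid=002 provider=ldap://ldap2 binddn="cn=admin,cn=config"
#  bindmethod=simple credentials=REPLACE_WITH_CONFIG_PASSWORD
#  searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1
```

The continuation lines start with two spaces because LDIF unfolding removes exactly one. With tls_reqcert=demand the provider certificate must name the host used in provider= (ldap1 and ldap2 here) as a subject alternative name, otherwise the consumer rejects it just as a client with TLS_REQCERT demand would; the same stanza, with its own rid values, applies to the data database entry.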

How to allow users in an OU bind access?

If readonly user is enabled, readonly has bind access with the following ACL applied during bootstrap:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by * none

But how do I also give users within an OU bind access? Right now, when binding with a user inside an OU, it returns error 32 and cannot find any objects.

 ldapsearch -H ldap://ldapserver -D "uid=testuser,ou=myou,dc=mydom,dc=tld" -W -b "dc=mydom,dc=tld"

# search result
search: 2
result: 32 No such object

Will something like this work?

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by anonymous auth by * none
olcAccess: to * by self write by dn="cn=admin,{{ LDAP_BASE_DN }}" write by dn="cn={{ LDAP_READONLY_USER_USERNAME }},{{ LDAP_BASE_DN }}" read by dn="ou=myou,{{ LDAP_BASE_DN }}" read by * none
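An ACL for the question above, which also covers the earlier readonly-user change on this page (the diff that turns `by * none` into `by * read`), as an added example and not the project's bootstrap file. The error 32 above is the expected outcome of the bootstrap ACL: the bind itself succeeds, because `by anonymous auth` on userPassword is all a bind needs, but the bound user then has no read access to the search base, and slapd answers noSuchObject rather than insufficientAccess so that the existence of the base is not disclosed. A plain `by dn="ou=myou,..."` clause is an exact match and therefore only matches the OU entry, which never binds; the users under it need `dn.children`. The suffix dc=mydom,dc=tld, the read-only account cn=readonly,dc=mydom,dc=tld and the database entry olcDatabase={1}hdb,cn=config are assumptions taken from the posts on this page.

```ldif
# Added example, not the project's bootstrap readonly-user-acl.ldif.
# Assumptions (from the posts on this page): suffix dc=mydom,dc=tld,
# read-only account cn=readonly,dc=mydom,dc=tld, users under ou=myou,dc=mydom,dc=tld,
# data database olcDatabase={1}hdb,cn=config.
# Apply as root inside the container: ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Password attributes: the owner may change them, admin may set them, everyone
# else may only use them to authenticate (auth) and can never read them.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by dn.exact="cn=admin,dc=mydom,dc=tld" write
  by anonymous auth
  by * none
# Everything else: the read-only service account and every entry below ou=myou
# get read; anonymous and everyone else still get nothing, which is what keeps
# the tree from being enumerated without credentials (the diff's "by * read"
# would hand the whole tree to anonymous clients).
# dn.children matches uid=...,ou=myou,... and anything deeper; dn.exact would
# match only the OU entry itself, which is why the plain dn="ou=myou,..." form
# grants nothing to the users.
olcAccess: {1}to *
  by self write
  by dn.exact="cn=admin,dc=mydom,dc=tld" write
  by dn.exact="cn=readonly,dc=mydom,dc=tld" read
  by dn.children="ou=myou,dc=mydom,dc=tld" read
  by * none
```

The result can be checked without any client: inside the container, `slapacl -F /etc/ldap/slapd.d -D "uid=testuser,ou=myou,dc=mydom,dc=tld" -b "dc=mydom,dc=tld" entry/read` reports whether that identity may read the base entry; with the bootstrap ACL it reports no access, which is the error 32 above. Note that `by self write` on `to *` is the image's default and lets every user rewrite any attribute of their own entry, mail and uid included; if applications trust those attributes, narrow it with a dedicated `to attrs=` rule.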

specify base_dn without domain

I want to specify LDAP_BASE_DN without LDAP_DOMAIN.

Currently, the startup script sets LDAP_BASE_DN using get_ldap_base_dn (ref: https://github.com/osixia/docker-openldap/blob/stable/image/service/slapd/startup.sh#L164).

This function converts LDAP_DOMAIN to LDAP_BASE_DN. This is useful, but I want to specify LDAP_BASE_DN and LDAP_DOMAIN separately.

I think LDAP_BASE_DN should be added to the public environment variables, and if the variable has no value, it should be set from the converted LDAP_DOMAIN.

What do you think?

ldap networking?

Hello, I am currently trying to use openldap with kaiwa-server (https://github.com/digicoop/kaiwa-server).
It uses the prosody xmpp server and tries to use ldap to improve scalability (if I got it right). My problem is that when I try to add a user from the server using the command prosodyctl it shows an error

lua5.1: /usr/lib/prosody/modules/ldap.lib.lua:217: attempt to index local 'ld' (a nil value)
stack traceback:
    /usr/lib/prosody/modules/ldap.lib.lua:217: in function </usr/lib/prosody/modules/ldap.lib.lua:211>
    (tail call): ?
    (tail call): ?
    (tail call): ?
    /usr/bin/prosodyctl:305: in function '?'
    /usr/bin/prosodyctl:1247: in main chunk
    [C]: ?

After inspecting the file /usr/lib/prosody/modules/ldap.lib.lua:
ld is a connection to the ldap server, but it never gets a connection. I don't know which part is wrong, whether it's my docker setup or the ldap server.

And another thing: when I tried to figure out the ldap server IP address using ifconfig inside the docker container it returned "unknown command" :( and there is also no editor I could use inside it. Is this a bug or is it meant to be like this?

Thank you and sorry for the long post :)

PS:
I create the docker container using this command:

docker run -d \
     --name ldap \
     -p 389:389 -p 636:636\
     -v /home/fendy/kaiwa-server-master:/home \
     -e LDAP_DOMAIN=localhost \
     -e LDAP_ORGANISATION=MyOrganisation \
     -e LDAP_ROOTPASS=mypassword \
     osixia/openldap

Should SSL certs be copied on load?

It's somewhat bad behavior for the container to be chown'ing certificates which are bind-mounted into it; it doesn't work if read-only binds are used, and is worse if the certificates are symlinks (i.e. from Let's Encrypt containers).

It would be better behavior for the container to copy the certificates on boot up and then chown them.

Dockerfile ?

Hi,

I would like to use your image but I like to inspect what I'm about to use in production.

Where to find it ?

Regards,

Cyril

repetition of script

greetings,

First, thanks for the work. I wanted to point out that the constant repetition of slapd.sh is a problem: it fills the log with service starts and consumes the machine's resources.

I solved the problem by putting exec /usr/sbin/slapd -h "ldap:///" -u openldap -g openldap -d -1; this runs in debug mode but does not consume more resources than necessary.

thanks and regards

Does not work with docker-compose

This image does not work with the docker-compose tool. This is easily validated.

Install docker-compose:

curl -L https://github.com/docker/compose/releases/download/1.3.3/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

Create a docker-compose.yml file:

ldap:
  image: osixia/openldap

Start the container with docker-compose run ldap and the logs will show that "slapd starting" was reached, but queries cannot be run against the service.

Starting the container with docker with docker run osixia/openldap works as expected.

On further investigating, this is because the FIRST_START_DONE file is never created. docker-compose seems to die at your sleep 3. I am not sure why this is the case. However, removing that line and rebuilding the container allows me to use the container as expected with docker-compose.

A pull request was not submitted since I am not sure why the sleep was originally added (ead3be2 offers no explanation).

Restarting container with new environment

I have a problem with restarting the container with new environment variables. As I understand it, during the first run some initialization is done which is not repeated in subsequent runs. This makes me wonder how to restart the container normally with new variables, like the log level. Right now I have to remove the container and create it again, because the slapd.d config files are persisted in a volume which is reused during restarts.

Because the config files are persisted, when I change e.g. the log level it results in an error:

openldap_1 | Start OpenLDAP...
openldap_1 | Waiting for OpenLDAP to start...
openldap_1 | 570e7088 @(#) $OpenLDAP: slapd (Jan 16 2016 23:00:08) $
openldap_1 | root@chimera:/tmp/buildd/openldap-2.4.40+dfsg/debian/build/servers/slapd
openldap_1 | 570e7088 ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config.ldif"
openldap_1 | 570e7088 <= str2entry NULL (smr_normalize createTimestamp 21)
openldap_1 | 570e7088 slapd stopped.
openldap_1 | 570e7088 connections_destroy: nothing to destroy.

I'm running version 1.1.2 and, to be clear, I've never modified the config files manually; I only added my custom ldifs to /container/service/slapd/assets/config/bootstrap/ldif

Btw, big thanks for great image!

group search filters not working

I have created user entries, created entries with the object classes groupOfNames and groupOfUniqueNames, and added users under them.

But ldapsearch filters are not working, which makes the group entries futile.
For example i have,
uid=testuser,ou=allusers,dc=example,dc=com
ou=admin,ou=allusers,dc=example,dc=com - groupOfUniqueNames entry
uniqueMember - uid=testuser,ou=allusers,dc=example,dc=com

ldapsearch -D "cn=admin,dc=example,dc=com" -b "ou=admin,ou=allusers,dc=example,dc=com" uniqueMember=test
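The filter in that command, uniqueMember=test, is applied to a DN-syntax attribute: uniqueMember (like member) is matched with a DN equality rule, so the assertion value has to be a complete DN, and it has no substring rule, so partial values or wildcards never match it. As an added example (not code from the image, from OpenLDAP, or from this issue), here is a small Python evaluator over a constructed two-entry directory that shows which filters match and which are Undefined, plus a helper that builds the "all groups of this user" filter with RFC 4515 escaping so a DN containing "*" or parentheses cannot change the filter's structure. The DN normalization is deliberately simplified (trim, lowercase, split on unescaped commas) and the optional "#<uid>" suffix of uniqueMember values is not handled.

```python
"""Toy evaluator for simple LDAP equality/substring filters, added here to
show why (uniqueMember=test) matches nothing while (uniqueMember=<full DN>)
does. Not OpenLDAP or osixia code; the entries below are constructed."""
import re

# Attributes whose values are DNs (RFC 4519). Their equality rule compares
# normalized DNs and they have no substring rule, so a partial value or a
# wildcard can never match them.
DN_SYNTAX_ATTRS = {"member", "uniquemember", "owner", "seealso", "manager"}

# Constructed sample directory mirroring the entries described in the issue.
ENTRIES = [
    {"dn": "uid=testuser,ou=allusers,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "uid": ["testuser"], "cn": ["Test User"]},
    {"dn": "ou=admin,ou=allusers,dc=example,dc=com",
     "objectClass": ["groupOfUniqueNames"], "ou": ["admin"],
     "uniqueMember": ["uid=testuser,ou=allusers,dc=example,dc=com"]},
]

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas not preceded by '\'


def normalize_dn(dn):
    """Simplified distinguishedNameMatch normalization: trim whitespace
    around each RDN and lowercase it. Returns None when the value is not a
    DN at all (an RDN without '='), which makes the filter Undefined."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            return None
        typ, val = rdn.split("=", 1)
        rdns.append(typ.strip().lower() + "=" + val.strip().lower())
    return ",".join(rdns)


def filter_escape(value):
    """RFC 4515 escaping for a value interpolated into a filter string, so a
    crafted value cannot add or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _values(entry, attr):
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(entry, attr, assertion):
    """Evaluate a single (attr=assertion) filter; '*' marks a substring filter."""
    values = _values(entry, attr)
    if attr.lower() in DN_SYNTAX_ATTRS:
        target = normalize_dn(assertion)
        if "*" in assertion or target is None:
            return False  # Undefined filter: no substring rule / not a DN
        return any(normalize_dn(v) == target for v in values)
    if "*" in assertion:
        rx = "^" + ".*".join(re.escape(p) for p in assertion.split("*")) + "$"
        return any(re.match(rx, v, re.IGNORECASE) for v in values)
    return any(v.lower() == assertion.lower() for v in values)


def search(entries, attr, assertion):
    """DNs of all entries matching (attr=assertion)."""
    return [e["dn"] for e in entries if matches(e, attr, assertion)]


def groups_of(entries, user_dn):
    """DNs of groups naming user_dn in member or uniqueMember."""
    return [e["dn"] for e in entries
            if matches(e, "member", user_dn) or matches(e, "uniqueMember", user_dn)]


def member_filter(user_dn):
    """The ldapsearch filter string equivalent to groups_of()."""
    v = filter_escape(user_dn)
    return "(|(member=%s)(uniqueMember=%s))" % (v, v)


if __name__ == "__main__":
    print(search(ENTRIES, "uniqueMember", "test"))   # [] : 'test' is not a DN
    print(search(ENTRIES, "uniqueMember", "uid=testuser, ou=allusers, dc=example, dc=com"))
    print(search(ENTRIES, "uid", "test*"))           # substring works on uid
    print(member_filter("uid=testuser,ou=allusers,dc=example,dc=com"))
```

The practical reading: search for the user by a non-DN attribute (uid=test*), then look up that user's groups with the full DN in the filter, and always pass application-supplied values through filter_escape (or the equivalent in your LDAP library) before building the filter string.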

default server not listening on port 636

Not sure if this is a bug or if I'm just misunderstanding you, or misunderstanding openldap - sorry if this is noise...

I start this container like this:

$ sudo docker run -d osixia/openldap
73f55020614de923bce196d5dc02259fabd4f8c88b978db939c129cdb2b9970a

and I see this:

$ sudo docker ps
CONTAINER ID IMAGE                  COMMAND         CREATED      STATUS        PORTS                   NAMES
73f55020614d osixia/openldap:0.10.1 "/sbin/my_init" 3 seconds ago Up 2 seconds 389/tcp      prickly_albattani

Shouldn't it be listening on 636?
