openldap
This is OpenLDAP in a tiny alpine container.
3.8K
This is OpenLDAP in a tiny alpine container, with simple setup. All features and capabilities are supported.
Why this new image (in 2022), when there are others? The dinkel and osixia images fell out of maintenance, so the only current maintained alternative is the larger / more complex / single-platform bitnami.
Set environment variables as shown below, and mount a blank storage volume as /var/lib/openldap/openldap-data. Optionally, put your users and groups into ldif format (see example) and mount them as /etc/openldap/prepopulate, and/or add TLS certifates under /etc/ssl/openldap.
Example kubernetes and docker-compose resource definition files are provided here along with a helm chart. This repo has complete instructions for building a kubernetes cluster where you can launch with helm using make and customizing Makefile.vars after cloning this repo:
git clone https://github.com/instantlinux/docker-tools.git
cd docker-tools/k8s
make openldap
| Variable | Default | Description |
|---|---|---|
| SLAPD_DN_ATTR | uid | Attribute of user dn (usually cn or uid) |
| SLAPD_FQDN | example.com | |
| SLAPD_LOG_LEVEL | Config,Stats | See loglevel keywords |
| SLAPD_ORGANIZATION | Example | |
| SLAPD_OU | ou=users, | Org-unit component of DN |
| SLAPD_PWD_ATTRIBUTE | userPassword | Attribute of hashed password |
| SLAPD_PWD_CHECK_QUALITY | 2 | Password-modify enforcement option 0-2 |
| SLAPD_PWD_FAILURE_COUNT_INTERVAL | 1200 | Reset failures [20 min] |
| SLAPD_PWD_LOCKOUT_DURATION | 1200 | Clear lockout [20 min] |
| SLAPD_PWD_MAX_FAILURE | 5 | Maximum attempts before lockout |
| SLAPD_PWD_MIN_LENGTH | 8 | Password-modify minimum length |
| SLAPD_ROOTDN | cn=admin,dc=(suffix) | Admin user's DN |
| SLAPD_ROOTPW | Plain-text admin password | |
| SLAPD_ROOTPW_HASH | Hashed admin password | |
| SLAPD_ROOTPW_SECRETNAME | openldap-ro-password | Name of secret to hold pw |
| SLAPD_SUFFIX | (based on SLAPD_FQDN) | Suffix of DN |
| SLAPD_ULIMIT | 2048 | maximum file size |
| SLAPD_USERPW_SECRETNAME | openldap-user-passwords | Name of secret to hold pws |
If overriding default root DN, it should be specified in the form cn=admin,dc=example,dc=com.
The root password must be specified in one of three ways:
SLAPD_ROOTPW - plain text value, only for testingSLAPD_ROOTPW_HASH - encrypted value starting with {PBKDF2-SHA512}openldap-ro-password secret - most secure place to store the hashYou will want to override values for SLAPD_FQDN and SLAPD_ORGANIZATION. All the other default values will work for many typical use-cases.
User passwords are normally initialized by the administrator using ldappasswd, and from then on updated by the user (through the same tool or protocol). With this image, you can also define user passwords by providing their (hashed) values via a secret. Don't use ldappasswd to update passwords that are provided with the latter method: use it to generate a new hashed value and update the secret.
Mount these path names to persistent storage; all are optional.
| Path | Description |
|---|---|
| /etc/openldap/prepopulate | Zero or more .ldif files to load upon startup |
| /var/lib/openldap/openldap-data | Persistent storage for ldap database |
| /etc/ssl/openldap | TLS/SSL certificate |
| Secret | Description |
|---|---|
| openldap-rootpw | Hashed password (key name openldap-rootpw-hash) |
| openldap-ssl | Certificate (cacert.pem, tls.crt, tls.key) |
| openldap-user-passwords | Hashed passwords (in user: {PBK...} hash form) |
If you want to make improvements to this image, see CONTRIBUTING.
Content type
Image
Digest
sha256:ff5304ac3…
Size
9.2 MB
Last updated
10 days ago
docker pull instantlinux/openldap