instantlinux/openldap

By instantlinux

Updated 10 days ago

This is OpenLDAP in a tiny alpine container.

Image
Security
3

3.8K

instantlinux/openldap repository overview

openldap

This is OpenLDAP in a tiny alpine container, with simple setup. All features and capabilities are supported.

Why this new image (in 2022), when there are others? The dinkel and osixia images fell out of maintenance, so the only current maintained alternative is the larger / more complex / single-platform bitnami.

Usage

Set environment variables as shown below, and mount a blank storage volume as /var/lib/openldap/openldap-data. Optionally, put your users and groups into ldif format (see example) and mount them as /etc/openldap/prepopulate, and/or add TLS certifates under /etc/ssl/openldap.

Example kubernetes and docker-compose resource definition files are provided here along with a helm chart. This repo has complete instructions for building a kubernetes cluster where you can launch with helm using make and customizing Makefile.vars after cloning this repo:

git clone https://github.com/instantlinux/docker-tools.git
cd docker-tools/k8s
make openldap
Variables
VariableDefaultDescription
SLAPD_DN_ATTRuidAttribute of user dn (usually cn or uid)
SLAPD_FQDNexample.com
SLAPD_LOG_LEVELConfig,StatsSee loglevel keywords
SLAPD_ORGANIZATIONExample
SLAPD_OUou=users,Org-unit component of DN
SLAPD_PWD_ATTRIBUTEuserPasswordAttribute of hashed password
SLAPD_PWD_CHECK_QUALITY2Password-modify enforcement option 0-2
SLAPD_PWD_FAILURE_COUNT_INTERVAL1200Reset failures [20 min]
SLAPD_PWD_LOCKOUT_DURATION1200Clear lockout [20 min]
SLAPD_PWD_MAX_FAILURE5Maximum attempts before lockout
SLAPD_PWD_MIN_LENGTH8Password-modify minimum length
SLAPD_ROOTDNcn=admin,dc=(suffix)Admin user's DN
SLAPD_ROOTPWPlain-text admin password
SLAPD_ROOTPW_HASHHashed admin password
SLAPD_ROOTPW_SECRETNAMEopenldap-ro-passwordName of secret to hold pw
SLAPD_SUFFIX(based on SLAPD_FQDN)Suffix of DN
SLAPD_ULIMIT2048maximum file size
SLAPD_USERPW_SECRETNAMEopenldap-user-passwordsName of secret to hold pws

If overriding default root DN, it should be specified in the form cn=admin,dc=example,dc=com.

The root password must be specified in one of three ways:

  • SLAPD_ROOTPW - plain text value, only for testing
  • SLAPD_ROOTPW_HASH - encrypted value starting with {PBKDF2-SHA512}
  • openldap-ro-password secret - most secure place to store the hash

You will want to override values for SLAPD_FQDN and SLAPD_ORGANIZATION. All the other default values will work for many typical use-cases.

User passwords are normally initialized by the administrator using ldappasswd, and from then on updated by the user (through the same tool or protocol). With this image, you can also define user passwords by providing their (hashed) values via a secret. Don't use ldappasswd to update passwords that are provided with the latter method: use it to generate a new hashed value and update the secret.

Volumes

Mount these path names to persistent storage; all are optional.

PathDescription
/etc/openldap/prepopulateZero or more .ldif files to load upon startup
/var/lib/openldap/openldap-dataPersistent storage for ldap database
/etc/ssl/openldapTLS/SSL certificate
Secrets
SecretDescription
openldap-rootpwHashed password (key name openldap-rootpw-hash)
openldap-sslCertificate (cacert.pem, tls.crt, tls.key)
openldap-user-passwordsHashed passwords (in user: {PBK...} hash form)
Contributing

If you want to make improvements to this image, see CONTRIBUTING.

Tag summary

Content type

Image

Digest

sha256:ff5304ac3

Size

9.2 MB

Last updated

10 days ago

docker pull instantlinux/openldap