theanurin/openldap

By theanurin

Updated almost 2 years ago

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol.

Image
Networking
Databases & storage
1

10K+

theanurin/openldap repository overview

Docker Image Version Docker Image Size Docker Pulls Docker Stars

OpenLDAP (+ Let's Encrypt)

OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol.

Image reason

  • Secured endpoint with Let's Encrypt SSL certificate generation (at startup)
  • Easy to update production environment (just re-create container)
  • Easy to bring-up mirror

Spec

Environment variables
  • SLAPD_DEBUG_LEVEL - slapd debug level (-1 enable all debugging). See Debugging Levels table.
  • SSL_CERT_EXPIRE_TIMEOUT - Timeout in seconds to check certificate expiration. Default: 86400
  • CONFIG_LEGO_DOMAIN - Enable Lego and define domain of your OpenLDAP server
    • CONFIG_LEGO_DOMAIN_2, CONFIG_LEGO_DOMAIN_3, CONFIG_LEGO_DOMAIN_4, CONFIG_LEGO_DOMAIN_5 - Additional domains.
    • CONFIG_LEGO_EMAIL - An email for LEGO account
    • CONFIG_LEGO_CHALLENGE_HTTP_01 - Set to true to enable HTTP-01 challenge solver. Make sure that your container will be available from Internet on port 80 and binds to domain defined in CONFIG_LEGO_DOMAIN
    • CONFIG_LEGO_CHALLENGE_TLS_ALPN_01 - Set to true to enable TLS-ALPN-01 challenge solver. Make sure that your container will be available from Internet on port 443 and binds to domain defined in CONFIG_LEGO_DOMAIN
    • CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER - Set to one of following values to enable DNS-01 challenge solver.
DNS-01 challenge solvers: exec
CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER="exec"
CONFIG_LEGO_CHALLENGE_DNS_01_RESOLVERS="ns313.inhostedns.org,ns213.inhostedns.net,ns113.inhostedns.com"
EXEC_PATH="/opt/dns-01-solvers/tools.adm.py"
EXEC_POLLING_INTERVAL=30
EXEC_PROPAGATION_TIMEOUT=600
ADM_TOOLS_API_LOGIN="[email protected]"
ADM_TOOLS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ADM_TOOLS_ROOT_DOMAINS="example.org"
DNS-01 challenge solvers: cloudflare
CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER="cloudflare"
CONFIG_LEGO_CHALLENGE_DNS_01_RESOLVERS="arely.ns.cloudflare.com,cameron.ns.cloudflare.com"
CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
CLOUDFLARE_ZONE_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Expose ports
  • tcp/80 - insecure HTTP endpoint for ACME challenge (use http://)
  • tcp/389 - insecure LDAP endpoint (use ldap://)
  • tcp/443 - secured HTTP endpoint for ACME challenge (use https://)
  • tcp/636 - secured LDAP endpoint (use ldaps://)
Volumes
  • /data/etc - Configuration stuff
  • /data/etc/slapd-init.d - Place here LDIF files that will deployed (one time) into new instance via slapadd. Probably good place to configure OpenLDAP modules, schemas, etc. But you unable to setup database here (due to slapadd is not intended for incremental use, see thread...)
  • /data/db - LDAP databases
Defaults
  • RootDN: cn=config
  • RootPW: openldap

Inside

  • slapd - stand-alone LDAP daemon (server)
  • libraries - implementing the LDAP protocol
  • utilities, tools, and sample clients
  • LEGO - Let’s Encrypt client and ACME library written in Go.
  • custom dns-01-solvers scripts to solve DNS-01 challenge:
    1. tools.adm.py for Hosting Ukraine

Launch

Without SSL (probably for local usage)
docker run --rm --interactive --tty \
  --publish 389:389 \
  --ulimit nofile=1024:1024 \
  --env SLAPD_DEBUG_LEVEL=-1 \
  theanurin/openldap

See Quick Start guide for details.

With ACME challenge HTTP_01

NOTE: The container's port 80 should be public available on your domain defined in CONFIG_LEGO_DOMAIN variable.

export CONFIG_LEGO_OPTS="--server=https://acme-staging-v02.api.letsencrypt.org/directory" # Skip this for ACME production environment
export CONFIG_LEGO_DOMAIN="ldap.example.org"
export CONFIG_LEGO_EMAIL="[email protected]"
export CONFIG_LEGO_CHALLENGE_HTTP_01="true"

mkdir ldap-etc.local ldap-db.local

docker run --rm --interactive --tty \
  --env CONFIG_LEGO_OPTS --env CONFIG_LEGO_DOMAIN --env CONFIG_LEGO_EMAIL \
  --env CONFIG_LEGO_CHALLENGE_HTTP_01 \
  --ulimit nofile=1024:1024 \
  --mount "type=bind,source=$PWD/ldap-etc.local,target=/data/etc" \
  --mount "type=bind,source=$PWD/ldap-db.local,target=/data/db" \
  --publish 0.0.0.0:80:80 \
  --publish 127.0.0.1:389:389 \
  --publish 0.0.0.0:636:636 \
  theanurin/openldap
With ACME challenge TLS_ALPN_01

NOTE: The container's port 443 should be public available on your domain defined in CONFIG_LEGO_DOMAIN variable.

export CONFIG_LEGO_OPTS="--server=https://acme-staging-v02.api.letsencrypt.org/directory" # Skip this for ACME production environment
export CONFIG_LEGO_DOMAIN="ldap.example.org"
export CONFIG_LEGO_EMAIL="[email protected]"
export CONFIG_LEGO_CHALLENGE_TLS_ALPN_01="true"

mkdir ldap-etc.local ldap-db.local

docker run --rm --interactive --tty \
  --env CONFIG_LEGO_OPTS --env CONFIG_LEGO_DOMAIN --env CONFIG_LEGO_EMAIL \
  --env CONFIG_LEGO_CHALLENGE_TLS_ALPN_01 \
  --ulimit nofile=1024:1024 \
  --mount "type=bind,source=$PWD/ldap-etc.local,target=/data/etc" \
  --mount "type=bind,source=$PWD/ldap-db.local,target=/data/db" \
  --publish 127.0.0.1:389:389 \
  --publish 0.0.0.0:443:443 \
  --publish 0.0.0.0:636:636 \
  theanurin/openldap
With ACME challenge DNS_01

NOTE: DNS_01 is perfect when you are not able to expose ACME web server ports. But you have to write own solver script if you use no-name DNS provider. See LEGO's ready to use DNS Providers.

Cloudflare
export CONFIG_LEGO_OPTS="--server=https://acme-staging-v02.api.letsencrypt.org/directory" # Skip this for ACME production environment
export CONFIG_LEGO_DOMAIN="ldap.example.org"
export CONFIG_LEGO_EMAIL="[email protected]"
export CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER="cloudflare"
export CONFIG_LEGO_CHALLENGE_DNS_01_RESOLVERS="arely.ns.cloudflare.com,cameron.ns.cloudflare.com"

export CLOUDFLARE_DNS_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export CLOUDFLARE_ZONE_API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

mkdir openldap-etc.local openldap-db.local

docker run --rm --interactive --tty \
  --env CONFIG_LEGO_OPTS --env CONFIG_LEGO_DOMAIN --env CONFIG_LEGO_EMAIL \
  --env CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER --env CONFIG_LEGO_CHALLENGE_DNS_01_RESOLVERS \
  --env CLOUDFLARE_EMAIL --env CLOUDFLARE_DNS_API_TOKEN --env CLOUDFLARE_ZONE_API_TOKEN \
  --ulimit nofile=1024:1024 \
  --mount "type=bind,source=$PWD/openldap-etc.local,target=/data/etc" \
  --mount "type=bind,source=$PWD/openldap-db.local,target=/data/db" \
  --publish 127.0.0.1:389:389 \
  --publish 0.0.0.0:636:636 \
  theanurin/openldap
Custom solver tools.adm.py
export CONFIG_LEGO_OPTS="--server=https://acme-staging-v02.api.letsencrypt.org/directory" # Skip this for ACME production environment
export CONFIG_LEGO_DOMAIN="ldap.example.org"
export CONFIG_LEGO_EMAIL="[email protected]"
export CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER="exec"
export CONFIG_LEGO_CHALLENGE_DNS_01_RESOLVERS="ns313.inhostedns.org,ns213.inhostedns.net,ns113.inhostedns.com"
export EXEC_POLLING_INTERVAL=30
export EXEC_PROPAGATION_TIMEOUT=600
export EXEC_PATH="/opt/dns-01-solvers/tools.adm.py"
export ADM_TOOLS_ROOT_DOMAINS="example.org"
export ADM_TOOLS_API_TOKEN_FILE=/run/secrets/admtools_token

mkdir ldap-etc.local ldap-db.local

docker run --rm --interactive --tty \
  --env CONFIG_LEGO_OPTS --env CONFIG_LEGO_DOMAIN --env CONFIG_LEGO_EMAIL \
  --env CONFIG_LEGO_CHALLENGE_DNS_01_PROVIDER --env CONFIG_LEGO_CHALLENGE_DNS_01_RESOLVERS \
  --env EXEC_PATH --env EXEC_POLLING_INTERVAL --env EXEC_PROPAGATION_TIMEOUT \
  --env ADM_TOOLS_ROOT_DOMAINS --env ADM_TOOLS_API_TOKEN_FILE \
  --ulimit nofile=1024:1024 \
  --mount "type=bind,source=$PWD/ldap-etc.local,target=/data/etc" \
  --mount "type=bind,source=$PWD/ldap-db.local,target=/data/db" \
  --mount "type=bind,source=/path/to/admtools_token,target=/run/secrets/admtools_token" \
  --publish 127.0.0.1:389:389 \
  --publish 0.0.0.0:636:636 \
  theanurin/openldap

Support

Tag summary

Content type

Image

Digest

sha256:17b0634a7

Size

49.9 MB

Last updated

almost 2 years ago

docker pull theanurin/openldap