Update README.md

Marisa 2025-09-28 15:42:11 -04:00
parent 1ec576a4ee
commit ef3788fbb3


@ -75,7 +75,7 @@ cn: admin
userPassword: {SSHA}yxIgYTzcuRRdlesjfWkIN6K97/8jOrZF # Replace with the hash of your password
description: LDAP administrator
```
Execute create_admin.ldif using as password, the root password _admin_ which is the default one
Execute create_admin.ldif using the root password (which is the default container's: _admin_)
```
root@example:/etc/ldap# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w admin -f create_admin.ldif
adding new entry "cn=admin,dc=example,dc=com"
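Review bot: the ldapadd command in this hunk still passes the admin password in clear on the command line (`-w admin`), where it ends up in shell history and in the process list; since the rewritten sentence now tells the reader that this is the container's default password, prefer `-W` so ldapadd prompts for it, and state plainly that the default `admin` password must be changed before the container is used for anything beyond this walkthrough. Minor wording: "the root password (which is the default container's: _admin_)" reads better as "the root password (the container's default, _admin_)".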
@ -318,9 +318,10 @@ If successful, the output will show the modified entry.
## _Password schemas_
Since no policy overlay exists (more on this later), we need to create our own.\
Since no policy overlays are loaded in slapd in the container, we need to load our own.
\
In the next command, notice we are using the -Q and -Y EXTERNAL parameters instead of our usual -x, meaning SASL EXTERNAL authentication over the ldapi:/// socket, which we usually use for binding as the root account.
In the next command, notice we are using the -Q and -Y EXTERNAL -H ldap**i**:///, meaning SASL EXTERNAL authentication over the -x -H ldap:/// socket, which we usually use for binding as the root account. Using -Q -Y EXTERNAL -H ldap**i**:/// works because it binds as the openldap user and has sufficient permissions for cn=config.
Run the following command to query our loaded modules list
```
root@example:/# ldapsearch -Q -Y EXTERNAL -H ldapi:/// -D "cn=admin,dc=example,dc=com" -b cn=config "(objectclass=olcModuleList)"
# extended LDIF
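Review bot: the rewritten explanation of `-Q -Y EXTERNAL` contradicts itself: SASL EXTERNAL runs over the `ldapi:///` Unix socket, not "over the -x -H ldap:/// socket", and the identity it binds as is derived from the peer credentials of the connecting process, which in these transcripts is root (the `root@example` prompt), not "the openldap user"; that root-derived identity is what has manage rights on `cn=config`. Suggested wording: "notice we are using -Q -Y EXTERNAL -H ldapi:///, i.e. SASL EXTERNAL over the local Unix socket, instead of the simple bind (-x -H ldap:///) we use for cn=admin. It works because slapd maps the socket's peer credentials (root here) to an identity that is allowed to manage cn=config." Separately, the `-D "cn=admin,dc=example,dc=com"` in the ldapsearch command plays no part in a SASL bind and should be dropped, otherwise the reader is led to believe the config is being read as cn=admin.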
@ -338,14 +339,15 @@ olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
```
If you read the output, we are only "loading" the default backend mdb that comes by default with LDAP to load basic schemas such as directory (OU) creation.
Run the following command:\
Reading the output in detail, means we are only loading the default backend (olcModuleLoad: {0}back_mdb) that comes by default with LDAP to load basic schemas such as directories (OU) creation.
Run the following command:
```
root@example:/# ls /usr/lib/ldap/ppolicy*
/usr/lib/ldap/ppolicy-2.5.so.0 /usr/lib/ldap/ppolicy-2.5.so.0.1.14 /usr/lib/ldap/ppolicy.la /usr/lib/ldap/ppolicy.so
```
Our LDAP server may not come loaded with the right policies, but the modules exists inside the container image.
We need to make use of schemas, which in large part exists in /usr/lib/ppolicy.so -since the module exists, we are going to create modify_ppolicy_module.ldif to be able to make use of it:
Our LDAP server may not come loaded with the policies we need to apply features such as passwords schemas and ACLs (Access Control Lists), but the modules exists inside the container image.
We need to make use of schemas, which in large part exists in /usr/lib/ppolicy.so -since the module exists, we are going to create modify_ppolicy_module.ldif to be able to make use of it:
```
root@example:/# vim modify_ppolicy_module.ldif
dn: cn=module{0},cn=config
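Review bot: the path in the new sentence, `/usr/lib/ppolicy.so`, disagrees with the `ls` output just above it and with `olcModulePath: /usr/lib/ldap`; the module is `/usr/lib/ldap/ppolicy.so`, and the bare `ppolicy.so` in the LDIF is resolved against olcModulePath, which is why the short form works. While here: "passwords schemas" should be "password schemas", "the modules exists" should be "the modules exist", and the ppolicy overlay only provides password policy; olcAccess ACLs are configured independently of it, so "the policies we need to apply features such as passwords schemas and ACLs" overstates what loading this module buys.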
@ -353,10 +355,32 @@ changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
```
Now we run modify_ppolicy_module.ldif
Run modify_ppolicy_module.ldif
```
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
modifying entry "cn=module{0},cn=config"
```
Now we run the exact same command as before to check if the policy overlay was loaded
```
root@example:/# ldapsearch -Q -Y EXTERNAL -H ldapi:/// -D "cn=admin,dc=example,dc=com" -b cn=config "(objectclass=olcModuleList)"
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=olcModuleList)
# requesting: ALL
#
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy.so
```
Notice the addition of **olcModuleLoad: {1}ppolicy.so**. If we get a different result from the last command, we won't be able to enable the schemas or ACLs we need, and should check that we did input the right commands to reach this point, from the commands to run the container, if we started slapd with the right parameters, to the correct creation of the user administrator.
If we get a different result from the last command, we won't be able to implement any schemas or ACLs, and we should check the dockerfile first, and second the commands we used to run the container as well that we started slapd with the specified parameters before.
\
<!--ldappasswd -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W -S "uid=bob,ou=people,dc=example,dc=com"-->
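Review bot: loading the module is not the same as enabling the overlay, but the added text treats them as one thing: the final ldapsearch confirms only that `olcModuleLoad: {1}ppolicy.so` is present in `cn=module{0}`, yet the sentence introducing it says "check if the policy overlay was loaded". The overlay is attached to a database with a separate `olcOverlay=ppolicy` entry under the mdb database, so either add that step here or rephrase the check to "check that the ppolicy module was loaded". The rewritten troubleshooting sentence should also list what to recheck in order (the Dockerfile, the `docker run` command, the slapd flags, the admin user creation) instead of "the dockerfile first, and second the commands ... as well that we started slapd", and "dockerfile" should be "Dockerfile". The commented-out ldappasswd line at the end of the hunk is dead text in the README; drop it or turn it into a real step.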