ldapdock/INSTALL.md
2025-11-04 13:39:21 -05:00


ldapdock

a configurable container running openLDAP

Step-by-step guide to setting up and running an openLDAP server in a systemd-less Docker container

1- Creating the ldapdock image container

Build the ldapdock image from its Dockerfile and start an interactive container from it. The two named volumes persist the directory data (/var/lib/ldap) and the cn=config database (/etc/ldap/slapd.d) across container restarts.

> docker build -t ldapdock /path/to/dockerfile
> docker run -i -t -p 389:389 -h example.com -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d ldapdock

Note that -p 389:389 publishes plain, unencrypted LDAP on every interface of the host. For a local test bind it to loopback only (-p 127.0.0.1:389:389), or do not publish the port at all and work over the ldapi:/// socket inside the container, as most of the later steps do.

2- Run the openLDAP server and populate a directory

Use the following command to start openLDAP; it listens on TCP port 389 (ldap:///) and on the local Unix socket (ldapi:///), drops privileges to the openldap user and group, and reads its configuration from the cn=config directory

root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

Create some groups and users to populate the directory

root@example:/# cat > add_content.ldif << EOF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF

When adding these entries we are prompted (-W) for the password of the openLDAP admin, i.e. the rootdn cn=admin,dc=example,dc=com (default: admin)

root@example:/# ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

Notice that the userPassword value {CRYPT}x is a placeholder that no password can ever match, so the account cannot authenticate yet; let's set a proper one

root@example:/# ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=marisa,ou=People,dc=example,dc=com

ldappasswd then prompts, in this order, for:
1- the new password for the user marisa (qwerty), 2- the same password again to confirm it, 3- the admin password for the -D bind (admin)

3- Add schemas

Let's add one of the extra schemas that ship with openLDAP (corba here, purely as an example); these files live in /etc/ldap/schema/. Each pre-installed schema exists both as a converted .ldif file, which can be loaded directly into cn=config as below, and in the native .schema format, which can be converted to .ldif with the schema2ldif package (not installed in this container by default) if necessary. Schema changes go over the ldapi:/// socket with SASL EXTERNAL, so the container's root user is authorized by its Unix uid rather than by a password.

root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/corba.ldif
adding new entry "cn=corba,cn=schema,cn=config"

For the object classes used in step 2 (inetOrgPerson, posixAccount, shadowAccount) we need to make sure we have at least the following schemas loaded. The pwdPolicy class used in step 4 is a separate matter: on OpenLDAP 2.4 it comes from /etc/ldap/schema/ppolicy.ldif, which has to be loaded the same way, while from 2.5 onwards it is built into the ppolicy overlay module, so loading that module is enough.

root@example:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}corba,cn=schema,cn=config

4- Configure default password policies

Create the default password policy entry (pwdPolicy is an auxiliary class, so it is attached to a structural organizationalRole; the parent ou=policies,dc=example,dc=com must already exist, otherwise ldapadd fails with No such object):

root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
EOF
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=com"

Passing the admin password with -w puts it into the shell history and into the process list, where any user in the container can read it with ps; -W (interactive prompt, as in step 2) or -y /path/to/passwordfile avoids that. Whichever form you use, the value has to be the admin password your image was built with: the commands on this page show Op3nLd4p!, while step 2 assumed the default admin.

pwdMinLength: 8 accepts passwords of eight or more characters, and pwdCheckQuality: 2 makes slapd refuse a password whose quality it cannot check (for example one sent already hashed) instead of letting it through. You can change or add policy attributes such as pwdMinLength, pwdMaxFailure, pwdMaxAge, etc., and all organizationalUnits under dc=example,dc=com (and therefore their users) are affected by this default ppolicy, provided the ppolicy overlay is attached to the database with olcPPolicyDefault pointing at cn=default,ou=policies,dc=example,dc=com. Refer to https://git.ozymandias.work/okasion/ldapdock/src/branch/main/README.md#ins_password-policy-default-modules-options_ins for a list of all password policies available by default.
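Step 4 creates the policy entry, but the page does not show the cn=config side that makes slapd consult it. The following script is an added example, not ldapdock's own code: it prints the LDIF that loads the ppolicy module and attaches the overlay to the directory database with this entry as olcPPolicyDefault, checks whether that is already the case, and applies the change over ldapi:/// if not. It assumes the database is olcDatabase={1}mdb,cn=config, that dynamic modules are listed in cn=module{0},cn=config with ppolicy.la in the module path, and OpenLDAP 2.5 or newer (on 2.4 load /etc/ldap/schema/ppolicy.ldif first, as in step 3); verify these against your own cn=config before running it with apply.

```shell
#!/bin/sh
# Added example, not part of ldapdock: attach the ppolicy overlay to the
# dc=example,dc=com database and point it at the cn=default policy from step 4.
# Assumptions, to be checked against your own cn=config before applying:
#   - the directory lives in olcDatabase={1}mdb,cn=config
#   - dynamic modules are listed in cn=module{0},cn=config and ppolicy.la is
#     in olcModulePath (Debian/Ubuntu default: /usr/lib/ldap)
#   - OpenLDAP 2.5 or newer, where the pwdPolicy schema is part of the module
#     (on 2.4 load /etc/ldap/schema/ppolicy.ldif first, as in step 3)
set -eu

DB="olcDatabase={1}mdb,cn=config"                     # assumption, see above
POLICY_DN="cn=default,ou=policies,dc=example,dc=com"  # entry created in step 4

# Print the cn=config changes: load the module, then add the overlay entry.
# olcPPolicyHashCleartext makes slapd hash cleartext passwords it receives
# (scheme from olcPasswordHash) so the directory never stores them as sent.
ppolicy_ldif() {
    cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,$DB
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
EOF
}

# Succeed only if the overlay is attached to the database and has a default
# policy configured; print that policy DN. Uses SASL EXTERNAL over ldapi:///,
# so it must run as root inside the container like the other cn=config steps.
ppolicy_default() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB" \
        '(olcOverlay=ppolicy)' olcPPolicyDefault 2>/dev/null \
        | sed -n 's/^olcPPolicyDefault: //p' | grep .
}

cmd="${1:-print}"
case "$cmd" in
    check)
        ppolicy_default ;;
    apply)
        if dn=$(ppolicy_default); then
            echo "ppolicy overlay already active, default policy: $dn"
        else
            ppolicy_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
        fi ;;
    *)
        ppolicy_ldif ;;   # default: just print the LDIF for review
esac
```

Run it without arguments to review the LDIF, with check to see which policy DN the overlay currently uses (non-zero exit if the overlay is not attached), and with apply to install it. If ppolicy.la is already listed in olcModuleLoad, the first change fails with Type or value exists and ldapmodify stops there; drop that stanza in that case.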

Enforcing password policies example

In order to enforce our password configuration we need an entry for the policy to apply to. This is a short example. Create an organizationalUnit:

root@example:/# cat > create_ou.ldif << EOF
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls
EOF
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_ou.ldif
adding new entry "ou=Supergirls,dc=example,dc=com"

Create a password hash for the new user marisa ({SSHA}, salted SHA-1, is slapd's default scheme; the random salt makes every run print a different hash for the same input, and without -s slappasswd prompts for the password instead of taking it from the command line)

root@example:/# slappasswd -s qwerty
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V

Create the new user marisa that will belong to organizationalUnit Supergirls (paste the hash you just generated into userPassword before EOF; the value below is the one from the run above). Note that a pre-hashed password added by the admin is not measured against the policy: the rootdn is exempt from the ppolicy quality check on add, and a hash cannot be checked anyway, which is how the 6-character qwerty gets in despite pwdMinLength: 8. Treat such admin-set passwords as initial passwords that the user must change.

root@example:/# cat > create_user.ldif << EOF
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
mail: marisa@example.com
EOF
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_user.ldif
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"

User marisa, and everyone else added under Supergirls, is now subject to the default password policy whenever they change their own password: the user sends the new value in cleartext, so slapd can measure it against pwdMinLength. A password shorter than eight characters is rejected; "kirisam" (seven characters, chosen here just to fall one short) fails the check:

root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisam
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

The stored password is left untouched by the rejected change, so binding with qwerty still works. "marisakirisame" (14 characters) satisfies pwdMinLength: 8 and is accepted without any output:

root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame

"kirisame" would also be accepted: it is exactly eight characters long, and pwdMinLength is a minimum, not a strict lower bound. Note that every password on these command lines (-w and -s) lands in the shell history and the process list; the interactive -W and -S prompts used in step 2 avoid that.