ldapdock/INSTALL.md
2025-11-04 08:24:02 -05:00

ldapdock

a configurable container running openLDAP

A step-by-step approach to setting up and running an openLDAP server in a systemd-less Docker image container

1- Creating the ldapdock image container

Build ldapdock from the Dockerfile and start a container from the image

> docker build -t ldapdock /path/to/dockerfile
> docker run -h example.com -i -p 389:389 -t ldapdock

2- Run the openLDAP server and populate a directory

Use the following command to start openLDAP

root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

Create some groups and users to populate a directory

root@example:/# cat > add_content.ldif << EOF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF

When adding the groups and users, we will be asked for the openLDAP root password (default: admin)

root@example:/# ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

Notice that the userPassword is invalid; let's set a proper one

root@example:/# ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=marisa,ou=people,dc=example,dc=com

When setting the password, we will be asked for:
1- the password for the user marisa (qwerty)
2- the password for marisa again
3- the openLDAP root password (admin)

3- Add schemas

Let's add one of the pre-installed policy schemas in /etc/ldap/schema/. The pre-installed schemas exist in both converted .ldif and native .schema formats; for now we don't have to convert them and can use ldapadd directly

root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/corba.ldif
adding new entry "cn=corba,cn=schema,cn=config"

4- Configure default password policies

Create a basic overlay of your password policies:

root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
EOF
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=com"

You can change password policies like pwdMinLength, pwdMaxFailure, pwdMaxAge, etc. and all organizationalUnits (and therefore, their users) will be affected by default using this default ppolicy overlay. Refer to https://git.ozymandias.work/okasion/ldapdock/src/branch/main/README.md#ins_password-policy-default-modules-options_ins for a list of all password policies available by default.

Enforcing password policies example

In order to enforce our password configuration we need something to control. This is a short example. Create an organizationalUnit:

root@example:/# cat > create_ou.ldif << EOF
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls
EOF
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_ou.ldif
adding new entry "ou=Supergirls,dc=example,dc=com"

Create a password hash for the new user marisa

root@example:/# slappasswd -s qwerty
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
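As an added example (not part of ldapdock or its INSTALL guide), the Python script below shows what the two password steps actually produce and why the `{CRYPT}x` value from step 2 can never authenticate anyone: it parses a small constructed LDIF, flags `userPassword` values that are cleartext or a `{CRYPT}` placeholder, and generates and verifies `{SSHA}` values in the layout slappasswd emits (base64 of the SHA-1 digest of password plus salt, followed by the 4-byte salt). The function names `parse_ldif`, `audit_passwords`, `ssha_hash` and `ssha_verify`, and the sample entries, are my own.

```python
# Added example, not part of ldapdock: parse a small LDIF, flag userPassword
# values that are not usable hashes, and generate/verify {SSHA} values in the
# layout slappasswd emits (base64 of SHA-1(password + salt) followed by salt).
import base64
import hashlib
import hmac
import os
import re


def ssha_hash(password, salt=None):
    """Return a {SSHA} value: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a {SSHA} value; False for any other scheme."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines, '#' lines are comments, a line that
    starts with a space continues the previous line, and 'attr:: value' is
    base64. Enough for hand-written content LDIF like the guide's (no changetype).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    return entries


_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def audit_passwords(entries):
    """Return (dn, problem) pairs for userPassword values that should never be
    loaded as-is: cleartext (no {SCHEME} prefix) or a {CRYPT} placeholder such
    as the guide's '{CRYPT}x', which is not a valid crypt(3) hash."""
    problems = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userPassword", []):
            m = _SCHEME_RE.match(value)
            if m is None:
                problems.append((dn, "cleartext userPassword"))
            elif m.group(1).upper() == "CRYPT" and m.group(2) in ("x", "*", "!", ""):
                problems.append((dn, "placeholder {CRYPT} value, no valid hash"))
    return problems


# Constructed sample modelled on the guide's step 2: a placeholder hash, a
# cleartext value (what you get by pasting slappasswd's input instead of its
# output), and a proper {SSHA} value with a fixed salt so the sample is stable.
BOB_HASH = ssha_hash("correct-horse-battery", salt=b"\x01\x02\x03\x04")
SAMPLE_LDIF = """\
dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: marisa
userPassword: {CRYPT}x

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2UgTGlkZGVsbA==
userPassword: qwerty

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: %s
""" % BOB_HASH


if __name__ == "__main__":
    for dn, problem in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print(dn, "->", problem)
    print(ssha_hash("qwerty"))   # fresh salt each run, so it differs from the guide's value
```

Run it with any Python 3 before feeding an LDIF to ldapadd. `ssha_hash` draws a new salt on every call, so its output for `qwerty` differs from the guide's value each run; that is expected, since a different salt gives a different string that still verifies against the same password exactly as slapd does.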

Create the new user marisa, who will belong to the organizationalUnit Supergirls (make sure to paste the hashed password before EOF)

root@example:/# cat > create_user.ldif << EOF
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
mail: marisa@example.com
EOF
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_user.ldif
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"

User marisa, and every user added to Supergirls, will respect the default password policies. You can check it, for example:

root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

Password "marisakirisame" is accepted because we set pwdMinLength to 8 earlier.

root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame

"kirisame" is rejected because it is only 8 characters long.