ldapdock/INSTALL.md
2025-11-04 08:24:02 -05:00


# ldapdock
*_a configurable container running openLDAP_*
A step-by-step guide to setting up and running an openLDAP server in a systemd-less Docker container.
## _1- Creating the ldapdock image container_
Build ldapdock from the Dockerfile and start an interactive shell inside the container:
```
> docker build -t ldapdock /path/to/dockerfile
```
```
> docker run -h example.com -i -p 389:389 -t ldapdock
```
## _2- Run the openLDAP server and populate a directory_
Use the following command to start openLDAP:
```
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
```
Create some groups and users to populate the directory. In LDIF each entry must be separated from the next by a blank line:
```
root@example:/# cat > add_content.ldif << EOF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF
```
When adding the groups and users, we will be asked for the openLDAP root password (default: admin):
```
root@example:/# ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
```
Notice that the userPassword value {CRYPT}x is not a usable hash, so no password will match it; let's set a proper one:
```
root@example:/# ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=marisa,ou=people,dc=example,dc=com
```
When setting the password, we will be asked for:\
1- the new password for the user marisa (qwerty), 2- the same password again to confirm it, 3- the openLDAP root password (admin)
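Before an LDIF file is fed to ldapadd it is worth checking it for userPassword values that should never be loaded as they are: the {CRYPT}x placeholder used above, which leaves the account without a usable password, and cleartext values, which slapd stores verbatim. The following is an added example, not part of ldapdock: a small LDIF parser plus an audit of userPassword values. The sample LDIF is constructed from this guide's People entries, with two extra constructed users (alice, bob) so that each kind of finding appears once.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample based on this guide's LDIF (blank line between entries).
# alice and bob are constructed extras used to exercise the checks.
SAMPLE_LDIF = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: marisa
cn: Marisa Kirisame
sn: Kirisame
userPassword: {CRYPT}x

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword: hunter2

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
"""

# Password storage schemes built into slapd; a value without a {SCHEME}
# prefix is stored and compared as cleartext.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into blank-line separated entries.

    Each entry becomes a dict of lowercase attribute name -> list of values.
    Handles '#' comment lines, single-space continuation lines and the
    '::' marker for base64-encoded values.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                    # entry boundary
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        last_attr = name.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


def audit_passwords(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, finding) pairs for userPassword values that need attention."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for pw in entry.get("userpassword", []):
            m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", pw)
            if m is None:
                findings.append((dn, "cleartext userPassword"))
            elif m.group(1).upper() == "CRYPT" and m.group(2) == "x":
                findings.append((dn, "{CRYPT}x placeholder, no usable password"))
            elif m.group(1).upper() not in HASHED_SCHEMES:
                findings.append((dn, "unknown scheme {%s}" % m.group(1)))
    return findings


if __name__ == "__main__":
    for dn, why in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {why}")
```

Run it against a real file with `audit_passwords(parse_ldif(open("add_content.ldif").read()))` before calling ldapadd; an empty result means every userPassword carries a recognised hash scheme.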
<!--Generate a password hash for our administrator user, Op3nLd4p! here being the password to comply with password policies
```
root@example:/# slappasswd -s Op3nLd4p!
{SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+
```
Create the .ldif file that will create the admin user, and edit the _userPassword_ attribute with our password hash\
(you can copy & paste the entire command up to userPassword, then copy your password hash with the mouse and paste it directly)
```
root@example:/# cat > create_admin.ldif << EOF
dn: cn=admin,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
userPassword: {SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+ # Replace with the hash of your password
EOF
```
```
root@example:/# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -f create_admin.ldif
adding new entry "cn=admin,dc=example,dc=com"
```
That's all, our administrator user has been created.
-->
## _3- Add schemas_
Let's add one of the pre-installed schemas in /etc/ldap/schema/. The pre-installed schemas exist both as converted .ldif files and in the native .schema format, so for now we don't have to convert them and can use ldapadd directly:
```
root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/corba.ldif
adding new entry "cn=corba,cn=schema,cn=config"
```
<!--## _3- Load and enable policy modules_
We need to make use of new schemas and **policies**, which for the most part live in /usr/lib/ppolicy.so. Since the module exists, we create modify_ppolicy_module.ldif to be able to make use of it:
```
root@example:/# cat > modify_ppolicy_module.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOF
```
```
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
modifying entry "cn=module{0},cn=config"
```
Restart slapd (the openLDAP server):
```
root@example:/# kill $(pidof slapd)
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
```
Now that we restarted our openLDAP server, we can load the new module, so we create the following .ldif file:
```
root@example:/# cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
EOF
```
```
root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config"
```
The policies module has been loaded and we can begin to configure password schemas and ACLs.
-->
## _4- Configure default password policies_
Create a basic overlay of your password policies:
```
root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
EOF
```
```
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=com"
```
You can change password policy attributes like pwdMinLength, pwdMaxFailure, pwdMaxAge, etc., and all organizationalUnits (and therefore their users) will be affected by default through this *default ppolicy overlay*.
Refer to https://git.ozymandias.work/okasion/ldapdock/src/branch/main/README.md#ins_password-policy-default-modules-options_ins for a list of all password policies available by default.
### _<ins>Enforcing password policies example</ins>_
To see our password configuration enforced we need some entries it applies to. This is a short example.
Create an organizationalUnit:
```
root@example:/# cat > create_ou.ldif << EOF
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls
EOF
```
```
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_ou.ldif
adding new entry "ou=Supergirls,dc=example,dc=com"
```
Create a password hash for the new user marisa:
```
root@example:/# slappasswd -s qwerty
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
```
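What slappasswd prints is base64(SHA-1(password || salt) || salt), with a 4-byte salt; slapd verifies a bind by splitting the decoded value, re-hashing the offered password with the stored salt and comparing digests. The following added example (not ldapdock's code) rebuilds and verifies that layout in Python so the {SSHA} format is not a black box. It uses the hash printed above only to show the 20-byte digest / 4-byte salt split; the fixed salt in the usage is a constructed value for reproducibility. SSHA is SHA-1 based and unsalted per-iteration, so where the server offers a stronger scheme (for example an ARGON2 module) that is the better choice for new deployments.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value the way slappasswd -h {SSHA} does.

    The stored value is base64(sha1(password || salt) || salt). slapd uses a
    4-byte random salt; a fixed salt may be passed in for reproducible tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a {SSHA} value.

    The first 20 bytes of the decoded blob are the SHA-1 digest; whatever
    follows is the salt, so salts of any length are handled.
    """
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(value[len(PREFIX):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("too short to hold a digest and a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_verify(password: str, value: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value."""
    digest, salt = ssha_split(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, as a password verifier should do
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ssha_hash("qwerty", salt=b"\x01\x02\x03\x04")  # constructed salt
    print(stored)
    print("qwerty ->", ssha_verify("qwerty", stored))
    print("qwertz ->", ssha_verify("qwertz", stored))
    digest, salt = ssha_split("{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V")
    print(f"digest {len(digest)} bytes, salt {len(salt)} bytes")
```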
Create the new user marisa, who will belong to the organizationalUnit Supergirls (make sure to paste the hashed password into the userPassword line before EOF):
```
root@example:/# cat > create_user.ldif << EOF
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
mail: marisa@example.com
EOF
```
```
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_user.ldif
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"
```
User marisa, and every user added to Supergirls, will be subject to the default password policy. You can check it, for example:
```
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
```
Password "marisakirisame" is accepted because we established earlier that pwdMinLength is 8.
```
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame
```
"kirisame" is rejected because it is only 8 characters long.
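The accept/reject decision above comes from the ppolicy overlay's built-in quality check, whose outcome depends on both pwdMinLength and pwdCheckQuality. The following added example (not ldapdock's code) models that decision so it can be predicted before a user hits "Constraint violation (19)". The policy map is a constructed copy of the cn=default entry created in section 4; the reason strings are modelled on the messages the overlay returns, and the pre-hashed sample value is the hash printed earlier in this guide.

```python
import re
from typing import Dict, Tuple

# Constructed copy of this guide's cn=default pwdPolicy entry as
# attribute -> value (what the overlay reads when a password changes).
DEFAULT_POLICY = {
    "pwdAttribute": "userPassword",
    "pwdMinLength": "8",
    "pwdCheckQuality": "2",
}

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def is_prehashed(value: str) -> bool:
    """A {SCHEME} prefix other than {CLEARTEXT} means the client sent a hash,
    so the server cannot inspect the underlying password."""
    m = SCHEME_RE.match(value)
    return m is not None and m.group(1).upper() != "CLEARTEXT"


def check_password_quality(policy: Dict[str, str], new_value: str) -> Tuple[bool, str]:
    """Model of slapo-ppolicy's built-in quality decision for a new password.

    pwdCheckQuality:
      0  never check
      1  check when the cleartext is available, otherwise accept
      2  check when the cleartext is available, reject what cannot be checked
    The only built-in rule is pwdMinLength (len < pwdMinLength fails);
    further rules require a pwdCheckModule.
    """
    quality = int(policy.get("pwdCheckQuality", "0"))
    if quality == 0:
        return True, "accepted: no quality check configured"
    if is_prehashed(new_value):
        if quality == 2:
            return False, "Password fails quality checking policy"
        return True, "accepted: pre-hashed value cannot be checked (pwdCheckQuality 1)"
    min_len = int(policy.get("pwdMinLength", "0"))
    if min_len and len(new_value) < min_len:
        return False, "Password is too short for policy"
    return True, "accepted"


if __name__ == "__main__":
    samples = ("marisakirisame", "kirisam", "{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V")
    for candidate in samples:
        ok, why = check_password_quality(DEFAULT_POLICY, candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected'} ({why})")
```

The pre-hashed case is the one that surprises people: with pwdCheckQuality 2, a client that hashes the password itself before sending it (instead of letting slapd hash it) gets "Password fails quality checking policy" regardless of the password's strength, because the server has nothing to measure.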