okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
4ca76359dc
ldapdock/INSTALL.md
Marisa 4ca76359dc Update INSTALL.md
2025-11-05 06:22:54 -05:00

12 KiB
Raw Blame History

ldapdock

a configurable secure openLDAP based container

Step by step approach on how to setup and run an openLDAP server on a systemd-less docker image container

1- Creating the ldapdock image container

build ldapdock from the dockerfile and run into it, creating the proper volumes to save databases data, config data, and certs data

> docker build -t ldapdock /path/to/dockerfile

> docker run -i -t -p 389:389 -p 636:636 -h example.com -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d -v ldap_certs:/etc/ldap/certs ldapdock

2- Run the openLDAP server and populate a directory

Use the following command to start openLDAP

root@example:/# slapd -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap

Create some groups and users to populate a directory

root@example:/# cat > add_content.ldif << EOF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF

When creating the groups and users, we will be asked the openLDAP root password (default: admin)

root@example:/# ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

Notice the userPassword is invalid, let's set a proper one

root@example:/# ldappasswd -x -D cn=admin,dc=example,dc=com -W -S uid=marisa,ou=people,dc=example,dc=com

When setting up the password, we will be asked:
1-the password for the user marisa (qwerty), 2-reenter the password for marisa, 3-the openLDAP root password (admin)

3- Add schemas

Let's add one of the policy schemas that comes with openLDAP, these files can be found in /etc/ldap/schema/. The pre-installed schemas exists in both converted .ldif files that can be loaded directly, as well native .schema formats which can be converted to .ldif files with the package schema2ldif (not loaded by default in this container) if neccesary.

root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/corba.ldif
adding new entry "cn=corba,cn=schema,cn=config"

The following schemas will be loaded by default:

root@example:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}corba,cn=schema,cn=config

4- Configure TLS/SSL certificates

Create cert directories and generate certificates

root@example:/# mkdir -p /etc/ldap/certs
root@example:/# cd /etc/ldap/certs

CA key

root@example:/etc/ldap/certs# certtool --generate-privkey --bits 4096 --outfile ca-key.pem

CA template

root@example:/etc/ldap/certs# cat > ca.info <<EOF
cn = Example Company CA
ca
cert_signing_key
expiration_days = 3650
EOF

CA certificate

root@example:/etc/ldap/certs# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem


Now let's generate the key, template, and certificate of the openLDAP server
Server key

root@example:/etc/ldap/certs# certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem

Server template

root@example:/etc/ldap/certs# cat > ldap01.info <<EOF
organization = Example Company
cn = example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365
EOF

Server certificate

root@example:/etc/ldap/certs# certtool --generate-certificate \
  --load-privkey ldap01_slapd_key.pem \
  --load-ca-certificate ca-cert.pem \
  --load-ca-privkey ca-key.pem \
  --template ldap01.info \
  --outfile ldap01_slapd_cert.pem


Last but not least, fix some permissions because certificates are very delicate when checking authorization

root@example:/etc/ldap/certs# chgrp openldap ldap01_slapd_key.pem
root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_key.pem


Bundle our certs (CA and server) into one and set the right perms

root@example:/etc/ldap/certs# cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
root@example:/etc/ldap/certs# chown root:openldap ldap01_slapd_cert_full.pem
root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_cert_full.pem


Restart slapd (copy and paste as a single line)

root@example:/etc/ldap/certs# slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
sleep 3

Re-apply TLS config

root@example:/etc/ldap/certs# cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF

root@example:/etc/ldap/certs# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif

Add CA certificate to system trust directory

root@example:/etc/ldap/certs# cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
root@example:/etc/ldap/certs# update-ca-certificates


Stop temp, start final with LDAPS

root@example:/etc/ldap/certs# pkill slapd
root@example:/etc/ldap/certs# slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &

Finally set this ENV variable and make it permanent

root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
root@example:/etc/ldap/certs# source ~/.bashrc


Check STARTTLS

root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://example.com

Check SSL/ldaps

root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://example.com

Both should return Anonymous.

To connect to the server via STARTTLS, use port 389, auth method Simple

To connect to the server via SSL, use port 636, auth method Simple, copy and accept the certificate if asked, or copy the CA file out of the container ldapdock with:`

# sudo docker cp ldapdock:/etc/ldap/certs/ca-cert.pem ./mycacert.crt
# sudo cp mycacert.crt /usr/local/share/ca-certificates/
# sudo update-ca-certificates