5.3 KiB
ldapdock
a configurable container running openLDAP
Step by step approach on how to setup and run an openLDAP server on a systemd-less docker image container
1- Creating the ldapdock image container
build ldapdock from the dockerfile and run into it
> docker build -t ldapdock /path/to/dockerfile
> docker run -h example.com -i -t -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d ldapdock /bin/bash
2- Run the openLDAP server and create an admin user
Use the following command to start openLDAP
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
Generate a password hash for our administrator user, Op3nLd4p! here being the password to comply with password policies
root@example:/# slappasswd -s Op3nLd4p!
{SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+
Create the .ldif file that will create the admin user, edit the userPassword attribute with our password hash
(you can copy & paste the entire command until userPassword, copy your password hash with the mouse, and paste it directly)
root@example:/# cat > create_admin.ldif << EOF
dn: cn=admin,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
userPassword: {SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+ # Replace with the hash of your password
EOF
root@example:/# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -f create_admin.ldif
adding new entry "cn=admin,dc=example,dc=com"
That's all, our administrator user was properly done.
3- Load and enable policy modules
We need to make use of new schemas and policies, which in large part exists in /usr/lib/ppolicy.so -since the module exists, we are going to create modify_ppolicy_module.ldif to be able to make use of it:
root@example:/# cat > modify_ppolicy_module.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOF
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
modifying entry "cn=module{0},cn=config"
Reset slapd (openLDAP server)
root@example:/# kill $(pidof slapd)
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
Now that we restarted our openLDAP server, we can load the new module, so we create the following .ldif file:
root@example:/# cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
EOF
root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config"
The policies module has been loaded and we can begin to configure password schemas and ACLs.
4- Configure default password policies
Create a basic overlay of your password policies:
root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
EOF
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=com"
You can change password policies like pwdMinLength, pwdMaxFailure, pwdMaxAge, etc. and all organizationalUnits (and therefore, their users) will be affected by default unless configured otherwise.
In order to enforce our password configuration we need something to control.
Copy the command, and copy-paste the content, press enter to exec, go back to shell with CTRL+C.
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:///
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls
adding new entry "ou=Supergirls,dc=example,dc=com"
^C
Create a password hash for the user marisa
root@example:/# slappasswd -s qwerty
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
Copy-paste all this attributes after the command, remember to write down the hashed password correctly. Once the entry has been added, go back to shell with CTRL+C.
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:///
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
mail: marisa@example.com
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"
^C
marisa and all users added to Supergirls will respect the password default policies, you can check it out, example:
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
Password rejected because we established before pwdMinLength was 8.
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame
"kirisame" is accepted because it's within 8 length characters.