okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
configurable container running LDAP
52 Commits 1 Branch 0 Tags 700 KiB
b9cac65769
Go to file
Marisa b9cac65769 Update README.md
2025-09-23 10:30:00 -04:00
dockerfile Update dockerfile 2025-09-16 14:56:18 -04:00
README.md Update README.md 2025-09-23 10:30:00 -04:00

README.md

ldapdock

a configurable container running openLDAP

Step by step approach on how to setup and run the openLDAP server on a classic systemd-less Docker image container

note about the dockerfile and running the generated image container on FG (foreground) or BG (background): by default the dockerfile generates an image to be run in FG, it expects to be run into it and launch slapd (openLDAP server) manually; to run the image container in BG and start slapd automatically without any user intervention, uncomment the line number 31 of the dockerfile.

Creating the ldapdock image container

build ldapdock

> docker build -t ldapdock /path/to/dockerfile

after build, check the docker image has been created properly with the given REPOSITORY name

> docker images
REPOSITORY    TAG       IMAGE ID       CREATED       SIZE
ldapdock      latest    0e4a1521b346   6 hours ago   138MB

run into the container to setup openLDAP

> docker run -h example.com -i -t ldapdock /bin/bash

Inside the ldapdock image container

make sure to use the following command to start openLDAP

root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

test connectivity to slapd

root@example:/# ldapsearch -x -H ldap://localhost -b "dc=example,dc=com" -s base "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope baseObject
...

Users administrative tasks

Add users

create a new LDAP directory called Supergirls (LDAP OU) with the following data

root@example:/# vim add_ou.ldif
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls

create it in our LDAP server, when asked for the root password, remember in the dockerfile by default is admin

root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add_ou.ldif
Enter LDAP Password:
adding new entry "ou=Supergirls,dc=example,dc=com"

verify the entry in the LDAP server

root@example:/# ldapsearch -x -LLL -b "dc=example,dc=com" "(ou=Supergirls)" dn
dn: ou=Supergirls,dc=example,dc=com

create a new LDAP password to manage our new directory, annotate both the entered plain password and the result hashed password

root@example:/# slappasswd
New password:
Re-enter new password:
{SSHA}hashedpasswd

create a .ldif file with the necessary attributes to insert in our Supergirls directory

root@example:/# vim add_user_supergirls.ldif
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}hashedpasswd
mail: marisa@example.com

insert the new user (marisa) in our Supergirls directory (LDAP OU), still using the root password admin

root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f add_user_supergirls.ldif
Enter LDAP Password:
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"

verify the user (marisa) has been added to the Supergirls OU

root@example:/# ldapsearch -x -LLL -b "dc=example,dc=com" "(uid=marisa)" dn
dn: uid=marisa,ou=Supergirls,dc=example,dc=com

Modify users attributes

create a new .ldif file with the attributes we want to change
in this case we want to modify the mail marisa@example.com of the user (uid) marisa from the group (ou) Supergirls

root@example:/home# vim modify_user.ldif
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
changetype: modify
replace: mail
mail: marisa.kirisame@example.com

run the modify file, when asked for the root password, remember in the dockerfile by default is admin

root@example:/home# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f modify_user.ldif
Enter LDAP Password:
modifying entry "uid=marisa,ou=Supergirls,dc=example,dc=com"

verify the mail attribute of the user marisa has been changed to marisa.kirisame@example.com

root@example:/home# ldapsearch -x -LLL -b "dc=example,dc=com" "(uid=marisa)" mail
dn: uid=marisa,ou=Engineering,dc=example,dc=com
mail: marisa.kirisame@example.com

Modify user password

In this examples, we are changing user uid marisa from ou Supergirls password.

In order to change the password interactively (writing in the prompt when asked), we can run this command:

root@example:/etc/ldap# ldappasswd -H ldap:/// -x -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -W -S "uid=marisa,ou=Supergirls,dc=example,dc=com"
New password: newpasswd
Re-enter new password: newpasswd
Enter LDAP Password: oldpasswd

newpasswd being the new password we want to use, and oldpasswd, the last password we were using for the user uid marisa.

To change the password in an non interactive (sending the password directly via the command), we can run this:

root@example:/etc/ldap# ldappasswd -H ldap:/// -x -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -w newpasswd "uid=marisa,ou=Supergirls,dc=example,dc=com"
New password: 6vUj/2lE

newpasswd being the new password we want to use. We can also notice the hashed output of our new password is not a typical LDAP SSHA hash, this is due to security implementations.

Reset user password

In the likely common event that we forgot the password of an specific user, we need to reset it.
In this example we forgot the password of the user uid marisa, we can reset it with this command:

root@example:/etc/ldap# ldappasswd -H ldap:/// -x -D "cn=admin,dc=example,dc=com" -W -S "uid=marisa,ou=Supergirls,dc=example,dc=com"
New password: newpasswd
Re-enter new password: newpasswd
Enter LDAP Password: admin

Note we need to use the root password (admin by default) in the last query ("Enter LDAP Password") to reset an user's password.

Query as an specific user

we already created the user (uid) marisa, and established the user's own password using slappasswd
now we are gonna query our LDAP server using the user (uid) marisa credentials, and the password we entered during slappasswd, called plain password (plainpasswd)

root@example:/etc/ldap# ldapsearch -D uid=marisa,ou=Supergirls,dc=example,dc=com -b "dc=example,dc=com" -w plainpasswd
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: example

# Supergirls, example.com
dn: ou=Supergirls,dc=example,dc=com
...

we can narrow this search to get only specific attributes of the user marisa, remember we are using the plainpasswd when asked

root@example:/etc/ldap# ldapsearch -D uid=marisa,ou=Supergirls,dc=example,dc=com -b "dc=example,dc=com" -w plainpasswd givenName uidNumber gidNumber homeDirectory
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: givenName uidNumber gidNumber homeDirectory
#

# example.com
dn: dc=example,dc=com

# Supergirls, example.com
dn: ou=Supergirls,dc=example,dc=com

# marisa, Supergirls, example.com
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
givenName: Marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa