ldapdock/INSTALL.md
2025-10-12 13:34:19 -04:00

ldapdock

A configurable container running OpenLDAP.

A step-by-step guide to setting up and running an OpenLDAP server inside a Docker container that has no systemd (so slapd is started by hand rather than as a service).

1- Creating the ldapdock image container

Build the ldapdock image (the path is the build context, the directory that holds the Dockerfile) and start an interactive shell in a container. The two named volumes keep the database (/var/lib/ldap) and the cn=config directory (/etc/ldap/slapd.d) outside the container so they survive it:

> docker build -t ldapdock /path/to/dockerfile
> docker run -h example.com -i -t -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d ldapdock /bin/bash

2- Run the openLDAP server and create an admin user

Start slapd with the following command. It listens on ldap:/// (plain LDAP, TCP 389) and ldapi:/// (a local Unix socket, which the later cn=config changes use with SASL EXTERNAL authentication), drops to the openldap user and group, and reads its configuration from the slapd.d directory. Nothing on ldap:/// is encrypted, so keep that listener inside the container network or configure TLS (ldaps:///) before exposing it:

root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

Generate a password hash for the administrator user. The example password is Op3nLd4p!, chosen to satisfy the policy configured later. Passing the password with -s puts it on the command line, where it ends up in the shell history and is visible in the process list while the command runs; for anything other than a lab, run slappasswd without arguments and type the password at the prompt.

root@example:/# slappasswd -s Op3nLd4p!
{SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+

Create the .ldif file that adds the admin entry, and put your own hash in the userPassword attribute (paste the heredoc up to the userPassword line, then paste the hash after it). Keep the hash on the attribute line with nothing after it: in LDIF only a line that begins with # is a comment, so text appended after the value would become part of the stored password and the hash would never match.

root@example:/# cat > create_admin.ldif << EOL
dn: cn=admin,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
description: LDAP administrator
# Replace the value below with the hash of your password
userPassword: {SSHA}vP1xt9t8+/GmOXmqlH1yNh305+MpUDe+
EOL
root@example:/# ldapadd -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -w admin -f create_admin.ldif
adding new entry "cn=admin,dc=example,dc=com"

The administrator entry now exists. Note that the bind above used -w admin, the rootdn password the image configures for cn=admin in the database's olcRootPW; that is what lets the bind succeed before the entry exists. Change it for anything beyond a lab, and prefer -W (prompt) over -w so the password stays out of the shell history.

3- Load and enable policy modules

The password policy is implemented by the ppolicy overlay, which ships as the loadable module ppolicy.so (already present in the image under /usr/lib). Load it into cn=config with modify_ppolicy_module.ldif. On OpenLDAP releases before 2.5 the ppolicy schema (/etc/ldap/schema/ppolicy.ldif) must also be added to cn=config before the overlay can be configured; from 2.5 on the overlay carries its schema itself:

root@example:/# cat > modify_ppolicy_module.ldif << EOL
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOL
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
modifying entry "cn=module{0},cn=config"

Restart slapd (the OpenLDAP server):

root@example:/# kill $(pidof slapd)
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d

With slapd back up, attach the overlay to the {1}mdb database (the one holding dc=example,dc=com) and point olcPPolicyDefault at the policy entry that will be created in the next step:

root@example:/# cat > enable_ppolicy.ldif << EOL
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
EOL
root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config"

The overlay is now active on that database. Every entry that has no pwdPolicySubentry attribute of its own falls under the default policy DN, which does not exist yet, so the next step creates it.

4- Configure default password policies

Create the default policy entry. ldapadd reads LDIF from standard input here: run the command, paste the entry, then press Enter on an empty line; the entry is submitted as soon as that blank line is read. Leave with Ctrl+D (or Ctrl+C, as shown). The parent ou=policies,dc=example,dc=com must already exist; if ldapadd answers No such object (32), add that organizationalUnit first, the same way ou=Supergirls is added below. objectClass pwdPolicy is auxiliary, which is why the entry also carries organizationalRole as its structural class:

root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:///
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2

adding new entry "cn=default,ou=policies,dc=example,dc=com"

^C

Other attributes go on the same entry: pwdMaxFailure together with pwdLockout TRUE locks an account after that many consecutive failed binds, pwdMaxAge (seconds) expires passwords, pwdInHistory blocks reuse of recent passwords, and pwdMustChange TRUE forces a change after an administrative reset.

To see the policy enforced we need a user to apply it to. First create an organizational unit, the same way as above (paste the entry, end with an empty line, leave with Ctrl+C):

root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:///
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls

adding new entry "ou=Supergirls,dc=example,dc=com"
^C

Create a password hash for the user marisa (qwerty, only 6 characters, which matters below):

root@example:/etc/ldap/slapd.d# slappasswd -s qwerty
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V

Paste the attributes below after the command, taking care to copy the hash exactly:

root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -H ldapi:///
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
mail: marisa@example.com

adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"
^C

marisa is now subject to the default policy, and so is every other entry in the database, not only those under Supergirls: the overlay's default applies to any entry without a pwdPolicySubentry of its own. Note that admin was still able to create marisa with the 6-character password qwerty: the rootdn is exempt from ppolicy's quality check, and a pre-hashed value could not be inspected anyway. The check does apply when marisa changes her own password (again, prefer -W and -S over -w and -s so the passwords stay off the command line):

root@example:/etc/ldap/slapd.d# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisa
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

The password is rejected: marisa is 6 characters, below the pwdMinLength of 8 we set.
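To make the decision behind these results explicit, here is an added Python model (not code from ldapdock or OpenLDAP) of the quality check slapo-ppolicy performs with pwdCheckQuality and pwdMinLength. It parses the cn=default entry from step 4 with a small LDIF parser and replays the page's attempts: a password shorter than 8, an 8-character one, and admin adding a pre-hashed value. parse_ldif, policy_from_entry and check_password_quality are names chosen here; the rootdn exemption is modelled as an assumption and marked as such in the code.

```python
"""Model of the slapo-ppolicy quality check behind the page's default policy."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed input: the policy entry exactly as added in step 4.
DEFAULT_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
"""

# A userPassword value that starts with {SCHEME} is already hashed (RFC 2307 style).
_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9._-]+\}")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF records into {attribute: [values]} dicts (attribute names lower-cased).

    Handles folded lines (leading space), '#' comment lines and base64 (::)
    values, which covers every LDIF on this page.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return records


def policy_from_entry(entry: Dict[str, List[str]]) -> Dict[str, int]:
    """Pull the two ppolicy attributes this model uses out of a parsed pwdPolicy entry."""
    def first_int(name: str, default: int) -> int:
        return int(entry.get(name.lower(), [str(default)])[0])
    return {
        "pwdCheckQuality": first_int("pwdCheckQuality", 0),
        "pwdMinLength": first_int("pwdMinLength", 0),
    }


def check_password_quality(policy: Dict[str, int], candidate: str,
                           is_rootdn: bool = False) -> Tuple[bool, str]:
    """Decide whether slapd would store `candidate` under `policy`.

    Semantics from slapo-ppolicy(5):
      pwdCheckQuality 0: no check at all
      pwdCheckQuality 1: check, but accept a value that cannot be checked (already hashed)
      pwdCheckQuality 2: check, and reject a value that cannot be checked
    The only built-in quality rule is pwdMinLength; others need pwdCheckModule.
    Assumption made here (consistent with what the page shows, not stated by it):
    operations by the rootdn skip the check.
    """
    quality = policy["pwdCheckQuality"]
    if quality == 0 or is_rootdn:
        return True, "no quality check applied"
    if _SCHEME_RE.match(candidate):          # slapd cannot inspect a pre-hashed value
        if quality == 2:
            return False, "Password fails quality checking policy (pre-hashed value cannot be checked)"
        return True, "pre-hashed value accepted unchecked (pwdCheckQuality 1)"
    # Byte length, like slapd's bv_len; identical to the character count for ASCII passwords.
    if len(candidate.encode("utf-8")) < policy["pwdMinLength"]:
        return False, f"Password fails quality checking policy (shorter than pwdMinLength {policy['pwdMinLength']})"
    return True, "password accepted"


if __name__ == "__main__":
    policy = policy_from_entry(parse_ldif(DEFAULT_POLICY_LDIF)[0])
    # Replay the page's attempts.
    for who, pw, root in [("marisa", "marisa", False),
                          ("marisa", "kirisame", False),
                          ("admin adding marisa", "{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V", True)]:
        ok, why = check_password_quality(policy, pw, is_rootdn=root)
        print(f"{who}: {pw!r} -> {'accepted' if ok else 'rejected'} ({why})")
```

One consequence worth knowing: with pwdCheckQuality set to 2, any client that sends an already-hashed userPassword (some provisioning tools do) is refused unless it binds as the rootdn. Send the cleartext over ldapi:/// or TLS and let slapd hash it instead, which olcPPolicyHashCleartext: TRUE on the overlay entry enforces for ordinary modify operations.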

root@example:/etc/ldap/slapd.d# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame

kirisame is accepted because it is exactly 8 characters, meeting the minimum. Length is the only rule the stock overlay checks; anything beyond it (character classes, dictionary words) needs a pwdCheckModule.