Marc Wäckerlin
Für eine libertäre Schweiz

Setup OpenLDAP Server in Docker

Dezember 23, 2016

Structure of OpenLDAP Docker COntainer

Run OpenLDAP Server

I provide an OpenLDAP docker image:

To run an OpenLDAP container, including a volume for the data simply run:

docker run -d --restart unless-stopped \
              --name openldap-volume \
              mwaeckerlin/openldap sleep infinity
docker run -d --restart unless-stopped \
              --name openldap \
              --volumes-from openldap-volume \
              -e DOMAIN="marc.waeckerlin.org" \
              -e ORGANIZATION="Marc Wäckerlin's Organization" \
              -e PASSWORD="ert456" \
              mwaeckerlin/openldap

To expose OpenLDAP from external, add option -p 389:389, but it is often enough to provide access to other local docker containers through their --link option. If you don’t pass -e PASSWORD="pw", then a password is generated. Enter docker logs -f openldap to see it.

Add Administration Interface

The simpelst way to administrate an OpenLDAP database is through LDAP Authentication Manager LAM. Feel free to use my docker image:

Start a container and connect it to the OpenLDAP container above. This time, you need external access:

docker run -d --restart unless-stopped \
              --name lam-volume \
              mwaeckerlin/lam sleep infinity
docker run -d --restart unless-stopped \
              -p 8080:80 \
              --name lam \
              --volumes-from lam-volume \
              --link openldap:ldap \
              mwaeckerlin/lam

Then head your browser to http://localhost:8080, got to  LAM configuration / Edit general settings, login with default password lam and Change master password. Then go back and still with password lam go to Edit server profiles to setup your OpenLDAP database. Set a password, configure your domain. Since you link by the name ldap, serveraddress is ldap://ldap:389. Tree suffix is taken from DOMAIN, so here it us dc=marc,dc=waeckerlin,dc=org. Security settings should first be your admin, which is here cn=admin,dc=marc,dc=waeckerlin,dc=org. The password here is to login to this server profile setup. Later, when you created other users, you can change the administrators. In Account types, change all dc=my-domain,dc=com to your domain, here dc=marc,dc=waeckerlin,dc=org. Everything else can remain default. Now you can login as admin with your openldap PASSWORD on the initial login screen, create the missing suffixes and start creating groups and users.

Yes, it is that simple to run an OpenLDAP server including a nice administration frontend.

TLS with SSL Certificate

Next tasks could be to add a certificate to the OpenLDAP server and to enable TLS. This way you could even provide your services to the Internet.

Get a certificate and place it in the right path. You need the CA chain certificate and a domain certificate file and a domain key file. The name of the file must match the domain:

docker cp ca-certfile.crt openldap:/ssl/certs/marc.waeckerlin.org-ca.crt
docker cp certfile.pem openldap:/ssl/certs/marc.waeckerlin.org.pem
docker cp certfile.key openldap:/ssl/certs/marc.waeckerlin.org.key

Thats is it, docker restart openldap and you can use TLS.

comments title

lam is not working as a password.

lam is only the default password for the LAM-backend. To access OpenLDAP, you need the DN and password of the OpenLDAP administrator, e.g. username cn=admin,dc=marc,dc=waeckerlin,dc=org and the password you pass in PASSWORD.

What is the Base DN? I used cn=People,dc=mydom,dc=org but that isn’t recognized as a valid Base DN.

If you just run mwaeckerlin/openldap and set -e DOMAIN="mydom.org", then your base domain is dc=mydom,dc=org. The cn=People part and all other structures are generated when you first login in LAM (you will be asked if you want to generate them). In the configuration of LAM, you can set anything you want instead of People, e.g. user, so it’s freely configurable.

[…] for authentication: OpenLDAP […]

I am unable to set a password for a user. The button ‚Set Password‘ does not do anything. I would expect a dialog to open where I can enter the user’s password. Thanks.

AlpNek, do you mean in LAM? Yes, in the user’s settings, «set password» opens a window to set a password. That’s a feature of the LDAP Account Manager, and it works for me, so if it does not work for you, it should not be because of the docker container. In that case, please address to the LAM-developpers.

LAM Set Password

Why are the volumes handled so weirdly?

That’s the old deprecated way. It would be done with docker volume.

Hello,
I’ve created a docker-compose.yml to run your LDAP server and LAM.
***********************************************
version: ‚2‘
services:
openldap:
image: openldap:latest
container_name: openldap_arm64v8
environment:
DOMAIN: „oscardomain.com“
ORGANIZATION: „EC-org“
PASSWORD: „1234“
DEBUG_LEVEL: „1“
tty: true
stdin_open: true
volumes:
– /root/openldap/config/var-lib-ldap:/var/lib/ldap
– /root/openldap/config/etc-letsencrypt:/ssl
– /root/openldap/config/etc-ldap:/etc/ldap/
– /root/openldap/config/var-backups:/var/backups
– /root/openldap/config/var-restore:/var/restore
ports:
– „389:389“
– „636:636“
lam:
image: lam:latest
container_name: lam_arm64v8
volumes:
– /root/openldap/config/var-lib-ldap:/var/lib/ldap
– /root/openldap/config/etc-letsencrypt:/ssl
– /root/openldap/config/etc-ldap:/etc/ldap/
– /root/openldap/config/var-backups:/var/backups
– /root/openldap/config/var-restore:/var/restore
ports:
– „82:80“
depends_on:
– openldap
***********************************************
I have configured LAM as you explain, but changing the IP to the local one, not the docker dns name, because I’m using a port and not an expose. It seems to work.
When I try to create a user, it says: you must create a group.
When I go to create the group „admins_plus“, I get an error: Was unable to create DN: cn=admins_plus,ou=group,dc=oscardomain,dc=com.

When I type on terminal: docker exec -it openldap_arm64v8 slapcat -l data.ldif
I get:
5d075e41 mdb_db_open: database „dc=my-domain,dc=com“ cannot be opened: No such file or directory (2). Restore from backup!
5d075e41 backend_startup_one (type=mdb, suffix=“dc=my-domain,dc=com“): bi_db_open failed! (2)
slap_startup failed

What I’m doing wrong? Maybe when I define bind_mounts in docker-compose, your containers cannot create the database because they try to find it in the defined bind_volumes?

Thank you very much for your work, as you can see, I have built your containers to be used with ARM64v8, they work great.

Oscar

Solved! It was an error inside of LAM.

So, I have shared a working docker-compose.yml for ARM64, taking local images previously built.
It can be adapted again to Intel, just changing:
image: openldap:latest –>image: mwaeckerlin/openldap
and
image: lam:latest –>image: mwaeckerlin/lam

Thank you, Marc, for creating these nice docker containers :)

This is my third message:

Although I’m having this trouble: I cannot backup data.

root@myarmmachine:~/openldap/config/etc-ldap# docker exec -it openldap_arm64v8 sh
root@openldap[5b63aa30b2e2]:/# slapcat -l data.ldif
5d076600 mdb_db_open: database „dc=my-domain,dc=com“ cannot be opened: No such file or directory (2). Restore from backup!
5d076600 backend_startup_one (type=mdb, suffix=“dc=my-domain,dc=com“): bi_db_open failed! (2)
slap_startup failed

It should try to connect to „dc=oscardomain,dc=com“, but i’ts trying to connect to my-domain.com (the default domain), although I’ve created the ENV domain: „oscardomain.com“ in docker-compose.yml

I’ve checked /etc/ldap/slapd.conf and there’s no allusion to my-domain.com

If I try,
root@openldap[5b63aa30b2e2]:/# slapcat -l data.ldif -b „dc=oscardomain,dc=com“
slapcat: slap_init no backend for „dc=oscardomain,dc=com“

What am I doing wrong?

Although it’s a way to get it done, I’d like to use „slapcat“:
root@myarmmachine:~/openldap/config/var-backups# docker restart openldap_arm64v8
openldap_arm64v8
root@myarmmachine:~/openldap/config/var-backups# ls -l
total 4
-rw-r–r– 1 root root 2544 Jun 17 12:25 201906171006-startup-data.ldif
root@OdroidC2:~/openldap/config/var-backups#

Because, as you say in https://hub.docker.com/r/mwaeckerlin/openldap, Before every restart, a backup is generated in /var/backups/-startup-data.ldif.

Thank you again.

If you look into start.sh, you see, how I do the backup:

slapcat -f /etc/ldap/slapd.conf > /var/backups/${DATE}-startup-data.ldif