Marc Wäckerlin
For a libertarian Switzerland

Setup OpenLDAP Server in Docker

December 23, 2016

Structure of OpenLDAP Docker Container

Run OpenLDAP Server

I provide an OpenLDAP docker image:

To run an OpenLDAP container, including a volume for the data simply run:

docker run -d --restart unless-stopped \
              --name openldap-volume \
              mwaeckerlin/openldap sleep infinity
docker run -d --restart unless-stopped \
              --name openldap \
              --volumes-from openldap-volume \
              -e DOMAIN="marc.waeckerlin.org" \
              -e ORGANIZATION="Marc Wäckerlin's Organization" \
              -e PASSWORD="ert456" \
              mwaeckerlin/openldap

To expose OpenLDAP externally, add the option -p 389:389, but it is often enough to give other local docker containers access through their --link option. If you don't pass -e PASSWORD="pw", a password is generated; run docker logs -f openldap to see it.

Add Administration Interface

The simplest way to administrate an OpenLDAP database is through LDAP Authentication Manager LAM. Feel free to use my docker image:

Start a container and connect it to the OpenLDAP container above. This time, you need external access:

docker run -d --restart unless-stopped \
              --name lam-volume \
              mwaeckerlin/lam sleep infinity
docker run -d --restart unless-stopped \
              -p 8080:80 \
              --name lam \
              --volumes-from lam-volume \
              --link openldap:ldap \
              mwaeckerlin/lam

Then point your browser to http://localhost:8080, go to LAM configuration / Edit general settings, log in with the default password lam and Change master password.

Then go back and, still with password lam, go to Edit server profiles to set up your OpenLDAP database. Set a password and configure your domain. Since you link by the name ldap, the server address is ldap://ldap:389. The tree suffix is taken from DOMAIN, so here it is dc=marc,dc=waeckerlin,dc=org. Security settings should first be your admin, which is here cn=admin,dc=marc,dc=waeckerlin,dc=org. The password here is for logging in to this server profile setup. Later, when you have created other users, you can change the administrators. In Account types, change all dc=my-domain,dc=com to your domain, here dc=marc,dc=waeckerlin,dc=org. Everything else can remain default.

Now you can log in as admin with your OpenLDAP PASSWORD on the initial login screen, create the missing suffixes and start creating groups and users.

Yes, it is that simple to run an OpenLDAP server including a nice administration frontend.

TLS with SSL Certificate

The next task could be to add a certificate to the OpenLDAP server and enable TLS. This way you could even provide your services on the Internet.

Get a certificate and place it in the right path. You need the CA chain certificate, a domain certificate file and a domain key file. The file names must match the domain:

docker cp ca-certfile.crt openldap:/ssl/certs/marc.waeckerlin.org-ca.crt
docker cp certfile.pem openldap:/ssl/certs/marc.waeckerlin.org.pem
docker cp certfile.key openldap:/ssl/certs/marc.waeckerlin.org.key

That's it: docker restart openldap and you can use TLS.
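As an added example that is not part of the original post, the following script derives the tree suffix and admin DN that the LAM server profile needs from DOMAIN, and checks that a key, certificate and CA chain belong together and cover the domain before the docker cp steps above are run. It assumes docker and openssl on the host; the container name openldap and the /ssl/certs file names are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the DNs the LAM server
# profile needs from DOMAIN, and check the TLS files before copying them into the
# openldap container. Assumes docker and openssl on the host; the container name
# "openldap" and the /ssl/certs file names are the ones used in the post.

# marc.waeckerlin.org -> dc=marc,dc=waeckerlin,dc=org (the tree suffix)
domain_to_base_dn() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# the admin entry created for PASSWORD: cn=admin,<tree suffix>
admin_dn() {
    printf 'cn=admin,%s' "$(domain_to_base_dn "$1")"
}

# check_tls_files CA CERT KEY DOMAIN: fails (reason on stderr) if the key does not
# belong to the certificate, the certificate does not chain to the CA, or it is
# not valid for DOMAIN, so slapd is never restarted into a broken TLS setup.
check_tls_files() {
    ca="$1" cert="$2" key="$3" domain="$4"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "$cert is not a PEM certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "$key is not a readable private key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$key does not match $cert" >&2; return 1; }
    openssl verify -CAfile "$ca" -verify_hostname "$domain" "$cert" >/dev/null 2>&1 ||
        { echo "$cert does not chain to $ca or is not valid for $domain" >&2; return 1; }
}

# install_tls_files CA CERT KEY DOMAIN: the docker cp and restart steps from the
# post, with the target names derived from DOMAIN so they cannot be mistyped.
install_tls_files() {
    check_tls_files "$@" || return 1
    docker cp "$1" "openldap:/ssl/certs/$4-ca.crt" &&
    docker cp "$2" "openldap:/ssl/certs/$4.pem" &&
    docker cp "$3" "openldap:/ssl/certs/$4.key" &&
    docker restart openldap
}
```

Run it as install_tls_files ca-certfile.crt certfile.pem certfile.key marc.waeckerlin.org to replace the three docker cp commands and the restart above.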
