Marc Wäckerlin
For a libertarian society

Setup OpenLDAP Server in Docker

December 23, 2016


Structure of OpenLDAP Docker Container

Run OpenLDAP Server

I provide an OpenLDAP docker image:

To run an OpenLDAP container, including a volume for the data, simply run:

docker run -d --restart unless-stopped \
              --name openldap-volume \
              mwaeckerlin/openldap sleep infinity
docker run -d --restart unless-stopped \
              --name openldap \
              --volumes-from openldap-volume \
              -e DOMAIN="marc.waeckerlin.org" \
              -e ORGANIZATION="Marc Wäckerlin's Organization" \
              -e PASSWORD="ert456" \
              mwaeckerlin/openldap

To expose OpenLDAP externally, add the option -p 389:389, but it is often enough to give other local docker containers access through their --link option. If you don't pass -e PASSWORD="pw", a password is generated; enter docker logs -f openldap to see it.

Add Administration Interface

The simplest way to administrate an OpenLDAP database is through LDAP Authentication Manager LAM. Feel free to use my docker image:

Start a container and connect it to the OpenLDAP container above. This time, you need external access:

docker run -d --restart unless-stopped \
              --name lam-volume \
              mwaeckerlin/lam sleep infinity
docker run -d --restart unless-stopped \
              -p 8080:80 \
              --name lam \
              --volumes-from lam-volume \
              --link openldap:ldap \
              mwaeckerlin/lam

Then point your browser to http://localhost:8080, go to LAM configuration / Edit general settings, log in with the default password lam and change the master password. Then go back and, still with password lam, go to Edit server profiles to set up your OpenLDAP database. Set a password and configure your domain. Since you link by the name ldap, the server address is ldap://ldap:389. The tree suffix is taken from DOMAIN, so here it is dc=marc,dc=waeckerlin,dc=org. In the security settings, the first entry should be your admin, which is here cn=admin,dc=marc,dc=waeckerlin,dc=org. The password here is used to log in to this server profile setup. Later, when you have created other users, you can change the administrators. In Account types, change all dc=my-domain,dc=com to your domain, here dc=marc,dc=waeckerlin,dc=org. Everything else can remain default. Now you can log in as admin with your OpenLDAP PASSWORD on the initial login screen, create the missing suffixes and start creating groups and users.
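The tree suffix and admin DN that the LAM server profile asks for are derived mechanically from DOMAIN. The following script is an added example, not part of the original post or the image: it derives those names, checks that a DN typed as "Base DN" really is the tree suffix, and, when given a domain and password on the command line, binds as admin inside the container (assumed to be named openldap, with ldapsearch available in the image).

```shell
#!/bin/sh
# Added example: derive LAM profile values from the DOMAIN passed to
# mwaeckerlin/openldap and verify the admin bind. Assumes the container is
# named "openldap" and that ldapsearch exists inside it.

# marc.waeckerlin.org -> dc=marc,dc=waeckerlin,dc=org
domain_to_basedn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# The image creates the administrator as cn=admin directly under the suffix
admin_dn() {
    printf 'cn=admin,%s\n' "$(domain_to_basedn "$1")"
}

# Return 0 if DN $1 is exactly the tree suffix for domain $2.
# cn=People,dc=mydom,dc=org is an entry below the suffix, not the suffix itself.
is_tree_suffix() {
    [ "$(printf '%s' "$1" | tr -d ' ')" = "$(domain_to_basedn "$2")" ]
}

# Bind as admin from inside the container and read the base entry (needs docker)
verify_admin_bind() {
    domain=$1; password=$2; container=${3:-openldap}
    docker exec "$container" ldapsearch -x -H ldap://localhost:389 \
        -b "$(domain_to_basedn "$domain")" -s base \
        -D "$(admin_dn "$domain")" -w "$password" dn
}

# Usage: sh lam-values.sh DOMAIN PASSWORD [CONTAINER]
if [ $# -ge 2 ]; then
    echo "Tree suffix: $(domain_to_basedn "$1")"
    echo "Admin DN:    $(admin_dn "$1")"
    verify_admin_bind "$1" "$2" "${3:-openldap}"
fi
```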

Yes, it is that simple to run an OpenLDAP server including a nice administration frontend.

TLS with SSL Certificate

A next step could be to add a certificate to the OpenLDAP server and to enable TLS. This way you could even provide your services to the Internet.

Get a certificate and place it in the right path. You need the CA chain certificate, a domain certificate file and a domain key file. The file names must match the domain:

docker cp ca-certfile.crt openldap:/ssl/certs/marc.waeckerlin.org-ca.crt
docker cp certfile.pem openldap:/ssl/certs/marc.waeckerlin.org.pem
docker cp certfile.key openldap:/ssl/certs/marc.waeckerlin.org.key

That's it: docker restart openldap and you can use TLS.
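Before relying on ldapsearch -ZZ, it is worth checking that the files are where the container expects them and that the server actually advertises the StartTLS extended operation in its RootDSE; the comments below show what happens when it does not. This script is an added example, not part of the original post or the image; it assumes the container is named openldap and that ldapsearch exists inside it.

```shell
#!/bin/sh
# Added example: verify certificate placement for mwaeckerlin/openldap and
# check whether the server advertises StartTLS. Assumes the container is
# named "openldap" and that ldapsearch exists inside it.

STARTTLS_OID='1.3.6.1.4.1.1466.20037'   # StartTLS extended operation (RFC 4511)

# The three paths the TLS section above says must be named after DOMAIN
expected_cert_paths() {
    printf '/ssl/certs/%s-ca.crt\n/ssl/certs/%s.pem\n/ssl/certs/%s.key\n' "$1" "$1" "$1"
}

# Read RootDSE LDIF from stdin; return 0 if StartTLS is listed as supported
starttls_supported() {
    grep -qx "supportedExtension: $STARTTLS_OID"
}

# Anonymous base search on the empty DN returns the RootDSE (needs docker)
fetch_rootdse() {
    docker exec "${1:-openldap}" ldapsearch -x -LLL -H ldap://localhost:389 \
        -s base -b '' supportedExtension
}

# Fail if any of the expected certificate files is missing in the container
check_cert_files() {
    domain=$1; container=${2:-openldap}
    for f in $(expected_cert_paths "$domain"); do
        docker exec "$container" test -f "$f" || { echo "missing: $f" >&2; return 1; }
    done
}

# Usage: sh check-tls.sh DOMAIN [CONTAINER]
if [ $# -ge 1 ]; then
    check_cert_files "$1" "${2:-openldap}"
    if fetch_rootdse "${2:-openldap}" | starttls_supported; then
        echo "StartTLS advertised; ldapsearch -ZZ should now negotiate TLS"
    else
        echo "RootDSE lacks $STARTTLS_OID: -ZZ will fail with 'unsupported extended operation'" >&2
        exit 1
    fi
fi
```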

Comments

lam is not working as a password.

lam is only the default password for the LAM-backend. To access OpenLDAP, you need the DN and password of the OpenLDAP administrator, e.g. username cn=admin,dc=marc,dc=waeckerlin,dc=org and the password you pass in PASSWORD.

What is the Base DN? I used cn=People,dc=mydom,dc=org but that isn’t recognized as a valid Base DN.

If you just run mwaeckerlin/openldap and set -e DOMAIN="mydom.org", then your base domain is dc=mydom,dc=org. The cn=People part and all other structures are generated when you first log in to LAM (you will be asked if you want to generate them). In the configuration of LAM, you can set anything you want instead of People, e.g. user, so it's freely configurable.

[…] for authentication: OpenLDAP […]

I am unable to set a password for a user. The button 'Set Password' does not do anything. I would expect a dialog to open where I can enter the user's password. Thanks.

AlpNek, do you mean in LAM? Yes, in the user's settings, "set password" opens a window to set a password. That's a feature of the LDAP Account Manager, and it works for me, so if it does not work for you, it should not be because of the docker container. In that case, please address the LAM developers.

LAM Set Password

Why are the volumes handled so weirdly?

That’s the old deprecated way. It would be done with docker volume.

Hello,
I’ve created a docker-compose.yml to run your LDAP server and LAM.
***********************************************
version: '2'
services:
  openldap:
    image: openldap:latest
    container_name: openldap_arm64v8
    environment:
      DOMAIN: "oscardomain.com"
      ORGANIZATION: "EC-org"
      PASSWORD: "1234"
      DEBUG_LEVEL: "1"
    tty: true
    stdin_open: true
    volumes:
      - /root/openldap/config/var-lib-ldap:/var/lib/ldap
      - /root/openldap/config/etc-letsencrypt:/ssl
      - /root/openldap/config/etc-ldap:/etc/ldap/
      - /root/openldap/config/var-backups:/var/backups
      - /root/openldap/config/var-restore:/var/restore
    ports:
      - "389:389"
      - "636:636"
  lam:
    image: lam:latest
    container_name: lam_arm64v8
    volumes:
      - /root/openldap/config/var-lib-ldap:/var/lib/ldap
      - /root/openldap/config/etc-letsencrypt:/ssl
      - /root/openldap/config/etc-ldap:/etc/ldap/
      - /root/openldap/config/var-backups:/var/backups
      - /root/openldap/config/var-restore:/var/restore
    ports:
      - "82:80"
    depends_on:
      - openldap
***********************************************
I have configured LAM as you explain, but changing the IP to the local one, not the docker dns name, because I’m using a port and not an expose. It seems to work.
When I try to create a user, it says: you must create a group.
When I go to create the group "admins_plus", I get an error: Was unable to create DN: cn=admins_plus,ou=group,dc=oscardomain,dc=com.

When I type on terminal: docker exec -it openldap_arm64v8 slapcat -l data.ldif
I get:
5d075e41 mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: No such file or directory (2). Restore from backup!
5d075e41 backend_startup_one (type=mdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed

What am I doing wrong? Maybe when I define bind_mounts in docker-compose, your containers cannot create the database because they try to find it in the defined bind_volumes?

Thank you very much for your work, as you can see, I have built your containers to be used with ARM64v8, they work great.

Oscar

Solved! It was an error inside of LAM.

So, I have shared a working docker-compose.yml for ARM64, taking local images previously built.
It can be adapted again to Intel, just changing:
image: openldap:latest -> image: mwaeckerlin/openldap
and
image: lam:latest -> image: mwaeckerlin/lam

Thank you, Marc, for creating these nice docker containers :)

This is my third message:

Although I’m having this trouble: I cannot backup data.

root@myarmmachine:~/openldap/config/etc-ldap# docker exec -it openldap_arm64v8 sh
root@openldap[5b63aa30b2e2]:/# slapcat -l data.ldif
5d076600 mdb_db_open: database "dc=my-domain,dc=com" cannot be opened: No such file or directory (2). Restore from backup!
5d076600 backend_startup_one (type=mdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed

It should try to connect to "dc=oscardomain,dc=com", but it's trying to connect to my-domain.com (the default domain), although I've created the ENV domain: "oscardomain.com" in docker-compose.yml

I’ve checked /etc/ldap/slapd.conf and there’s no allusion to my-domain.com

If I try,
root@openldap[5b63aa30b2e2]:/# slapcat -l data.ldif -b "dc=oscardomain,dc=com"
slapcat: slap_init no backend for "dc=oscardomain,dc=com"

What am I doing wrong?

Although it's a way to get it done, I'd like to use "slapcat":
root@myarmmachine:~/openldap/config/var-backups# docker restart openldap_arm64v8
openldap_arm64v8
root@myarmmachine:~/openldap/config/var-backups# ls -l
total 4
-rw-r--r-- 1 root root 2544 Jun 17 12:25 201906171006-startup-data.ldif
root@OdroidC2:~/openldap/config/var-backups#

Because, as you say in https://hub.docker.com/r/mwaeckerlin/openldap, Before every restart, a backup is generated in /var/backups/-startup-data.ldif.

Thank you again.

If you look into start.sh, you see how I do the backup:

slapcat -f /etc/ldap/slapd.conf > /var/backups/${DATE}-startup-data.ldif

First of all THX for your great work. The openldap container is working like a charm.

Nevertheless, one question. Is it possible to run the container with a preconfigured slapd.conf? An existing slapd.conf in volume "/etc/ldap" is overwritten each time starting a NEW container. It would be great to use an existing configuration file if one exists instead of overwriting it.

Hi,
I’m trying to docker-compose this, but the data is never saved to volumes, and the env DOMAIN seems to not work.
What am I doing wrong?

version: '3'
services:
  ldap:
    image: mwaeckerlin/openldap:latest
    container_name: ldap
    restart: always
    environment:
      DOMAIN: "domain.org"
    volumes:
      - ldap-lib:/var/lib/ldap
      - ldap-ssl:/ssl
      - ldap-etc:/etc/ldap
      - ldap-backups:/var/backups
      - ldap-restore:/var/restore
    ports:
      - "389:389"
      - "636:636"
    networks:
      - ldap-link
  lam:
    image: mwaeckerlin/lam:latest
    container_name: lam
    restart: always
    volumes:
      - ldap-lib:/var/lib/ldap
      - ldap-ssl:/ssl
      - ldap-etc:/etc/ldap
      - ldap-backups:/var/backups
      - ldap-restore:/var/restore
    ports:
      - "80:80"
    networks:
      - ldap-link
    depends_on:
      - ldap
networks:
  ldap-link:
    driver: bridge
volumes:
  ldap-lib:
    external: true
  ldap-ssl:
    external: true
  ldap-etc:
    external: true
  ldap-backups:
    external: true
  ldap-restore:
    external: true

Hello, I get an error: "Mounts denied" when I try to add volumes as Oscar did.

Also, I tried to write my docker-compose file. It seems to be working, but the problem is 0.0.0.0:82 outputs an error when I try to login: "LDAP error, server says:
(-1) Can't contact LDAP server"

Here’s my current docker-compose.yml. I’m locked with this and I’d be very happy if I can solve.
Thanks

version: '2'
services:
  openldap:
    image: mwaeckerlin/openldap
    container_name: openldap_myproject
    environment:
      DOMAIN: "myproject.edu"
      ORGANIZATION: "myproject-org"
      PASSWORD: "admin"
      DEBUG_LEVEL: "1"
    tty: "1"
    stdin_open: "1"
    ports:
      - "389:389"
      - "636:636"
  lam:
    image: mwaeckerlin/lam
    container_name: lam_engr
    ports:
      - "82:80"
    depends_on:
      - openldap

I have "cn=admin,dc=marc,dc=waeckerlin,dc=org" in my security settings. No matter what password I set, I get the following error:
"Wrong password/user name combination. Please try again."

First of all, you probably want to change the distinguished name to something that fits your setup. Then, it should work with the password given in -e PASSWORD=….

Hey, I'm trying to get STARTTLS to work with Letsencrypt certs. So far no luck. When using ldapsearch the response is "unsupported extended operation".
In docker-compose.yml I added the certs as the following:

- ./certbot/conf/live//chain.pem:/ssl/certs/-ca.crt
- ./certbot/conf/live//cert.pem:/ssl/certs/.pem
- ./certbot/conf/live//privkey.pem:/ssl/certs/.key

I also tried with the correct file ending (all *.pem) but had to change the keyfile to -key.pem

Unfortunately TLS does not work. I followed the setup to the letter and I can make a normal non-TLS call:

docker exec $(docker ps | grep openldap | awk '{print $1}') ldapsearch -x -H ldap://openldap -b dc=mydomain,dc=com -D "cn=admin,dc=mydomain,dc=com" -w 1234

But as soon as you add -ZZ, I get back:

ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation

and in the logs…

5eaeb1dd conn=1005 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"

Looks like my search for a working TLS openldap container is still on….

TLS doesn’t work, tested with -ZZ. I documented it here: https://github.com/mwaeckerlin/openldap/issues/21.