Setup OpenLDAP Server in Docker
Views: 31214
Run OpenLDAP Server
I provide an OpenLDAP docker image:
- source: https://github.com/mwaeckerlin/openldap
- image: https://hub.docker.com/r/mwaeckerlin/openldap
To run an OpenLDAP container, including a volume for the data simply run:
docker run -d --restart unless-stopped \ --name openldap-volume \ mwaeckerlin/openldap sleep infinity
docker run -d --restart unless-stopped \ --name openldap \ --volumes-from openldap-volume \ -e DOMAIN="marc.waeckerlin.org" \ -e ORGANIZATION="Marc Wäckerlin's Organization" \ -e PASSWORD="ert456" \ mwaeckerlin/openldap
To expose OpenLDAP from external, add option -p 389:389
, but it is often enough to provide access to other local docker containers through their --link
option. If you don’t pass -e PASSWORD="pw"
, then a password is generated. Enter docker logs -f openldap
to see it.
Add Administration Interface
The simpelst way to administrate an OpenLDAP database is through LDAP Authentication Manager LAM. Feel free to use my docker image:
Start a container and connect it to the OpenLDAP container above. This time, you need external access:
docker run -d --restart unless-stopped \ --name lam-volume \ mwaeckerlin/lam sleep infinity
docker run -d --restart unless-stopped \ -p 8080:80 \ --name lam \ --volumes-from lam-volume \ --link openldap:ldap \ mwaeckerlin/lam
Then head your browser to http://localhost:8080, got to LAM configuration
/ Edit general settings
, login with default password lam
and Change master password
. Then go back and still with password lam
go to Edit server profiles
to setup your OpenLDAP database. Set a password, configure your domain. Since you link by the name ldap, serveraddress
is ldap://ldap:389
. Tree suffix
is taken from DOMAIN, so here it us dc=marc,dc=waeckerlin,dc=org
. Security settings should first be your admin, which is here cn=admin,dc=marc,dc=waeckerlin,dc=org
. The password
here is to login to this server profile setup. Later, when you created other users, you can change the administrators. In Account types, change all dc=my-domain,dc=com
to your domain, here dc=marc,dc=waeckerlin,dc=org
. Everything else can remain default. Now you can login as admin with your openldap PASSWORD
on the initial login screen, create the missing suffixes and start creating groups and users.
Yes, it is that simple to run an OpenLDAP server including a nice administration frontend.
TLS with SSL Certificate
Next tasks could be to add a certificate to the OpenLDAP server and to enable TLS. This way you could even provide your services to the Internet.
Get a certificate and place it in the right path. You need the CA chain certificate and a domain certificate file and a domain key file. The name of the file must match the domain:
docker cp ca-certfile.crt openldap:/ssl/certs/marc.waeckerlin.org-ca.crt docker cp certfile.pem openldap:/ssl/certs/marc.waeckerlin.org.pem docker cp certfile.key openldap:/ssl/certs/marc.waeckerlin.org.key
Thats is it, docker restart openldap
and you can use TLS.
kabengwa mark patrick am 8. Januar 2018 um 16:10 Uhr
lam is not working as a password.
Marc Wäckerlin am 10. Januar 2018 um 20:43 Uhr
lam
is only the default password for the LAM-backend. To access OpenLDAP, you need the DN and password of the OpenLDAP administrator, e.g.username cn=admin,dc=marc,dc=waeckerlin,dc=org
and the password you pass inPASSWORD
.KenP am 12. März 2018 um 00:47 Uhr
What is the Base DN? I used cn=People,dc=mydom,dc=org but that isn’t recognized as a valid Base DN.
Marc Wäckerlin am 20. März 2018 um 09:18 Uhr
If you just run
mwaeckerlin/openldap
and set-e DOMAIN="mydom.org"
, then your base domain isdc=mydom,dc=org
. Thecn=People
part and all other structures are generated when you first login in LAM (you will be asked if you want to generate them). In the configuration of LAM, you can set anything you want instead ofPeople
, e.g.user
, so it’s freely configurable.Marc Wäckerlin – Backup Ubuntu to Docker am 8. April 2018 um 12:31 Uhr
[…] for authentication: OpenLDAP […]
AlpNek am 24. Mai 2018 um 04:10 Uhr
I am unable to set a password for a user. The button ‹Set Password› does not do anything. I would expect a dialog to open where I can enter the user’s password. Thanks.
Marc Wäckerlin am 25. Mai 2018 um 14:17 Uhr
AlpNek, do you mean in LAM? Yes, in the user’s settings, «set password» opens a window to set a password. That’s a feature of the LDAP Account Manager, and it works for me, so if it does not work for you, it should not be because of the docker container. In that case, please address to the LAM-developpers.
John Behm am 4. März 2019 um 15:18 Uhr
Why are the volumes handled so weirdly?
Marc Wäckerlin am 5. März 2019 um 15:23 Uhr
That’s the old deprecated way. It would be done with
docker volume
.Oscar am 17. Juni 2019 um 10:39 Uhr
Hello,
I’ve created a docker-compose.yml to run your LDAP server and LAM.
***********************************************
version: ‹2›
services:
openldap:
image: openldap:latest
container_name: openldap_arm64v8
environment:
DOMAIN: «oscardomain.com»
ORGANIZATION: «EC-org»
PASSWORD: «1234»
DEBUG_LEVEL: «1»
tty: true
stdin_open: true
volumes:
– /root/openldap/config/var-lib-ldap:/var/lib/ldap
– /root/openldap/config/etc-letsencrypt:/ssl
– /root/openldap/config/etc-ldap:/etc/ldap/
– /root/openldap/config/var-backups:/var/backups
– /root/openldap/config/var-restore:/var/restore
ports:
– «389:389»
– «636:636»
lam:
image: lam:latest
container_name: lam_arm64v8
volumes:
– /root/openldap/config/var-lib-ldap:/var/lib/ldap
– /root/openldap/config/etc-letsencrypt:/ssl
– /root/openldap/config/etc-ldap:/etc/ldap/
– /root/openldap/config/var-backups:/var/backups
– /root/openldap/config/var-restore:/var/restore
ports:
– «82:80»
depends_on:
– openldap
***********************************************
I have configured LAM as you explain, but changing the IP to the local one, not the docker dns name, because I’m using a port and not an expose. It seems to work.
When I try to create a user, it says: you must create a group.
When I go to create the group «admins_plus», I get an error: Was unable to create DN: cn=admins_plus,ou=group,dc=oscardomain,dc=com.
When I type on terminal: docker exec -it openldap_arm64v8 slapcat -l data.ldif
I get:
5d075e41 mdb_db_open: database «dc=my-domain,dc=com» cannot be opened: No such file or directory (2). Restore from backup!
5d075e41 backend_startup_one (type=mdb, suffix=»dc=my-domain,dc=com»): bi_db_open failed! (2)
slap_startup failed
What I’m doing wrong? Maybe when I define bind_mounts in docker-compose, your containers cannot create the database because they try to find it in the defined bind_volumes?
Thank you very much for your work, as you can see, I have built your containers to be used with ARM64v8, they work great.
Oscar
Oscar am 17. Juni 2019 um 11:02 Uhr
Solved! It was an error inside of LAM.
So, I have shared a working docker-compose.yml for ARM64, taking local images previously built.
It can be adapted again to Intel, just changing:
image: openldap:latest –>image: mwaeckerlin/openldap
and
image: lam:latest –>image: mwaeckerlin/lam
Thank you, Marc, for creating these nice docker containers :)
Oscar am 17. Juni 2019 um 11:28 Uhr
This is my third message:
Although I’m having this trouble: I cannot backup data.
root@myarmmachine:~/openldap/config/etc-ldap# docker exec -it openldap_arm64v8 sh
root@openldap[5b63aa30b2e2]:/# slapcat -l data.ldif
5d076600 mdb_db_open: database «dc=my-domain,dc=com» cannot be opened: No such file or directory (2). Restore from backup!
5d076600 backend_startup_one (type=mdb, suffix=»dc=my-domain,dc=com»): bi_db_open failed! (2)
slap_startup failed
It should try to connect to «dc=oscardomain,dc=com», but i’ts trying to connect to my-domain.com (the default domain), although I’ve created the ENV domain: «oscardomain.com» in docker-compose.yml
I’ve checked /etc/ldap/slapd.conf and there’s no allusion to my-domain.com
If I try,
root@openldap[5b63aa30b2e2]:/# slapcat -l data.ldif -b «dc=oscardomain,dc=com»
slapcat: slap_init no backend for «dc=oscardomain,dc=com»
What am I doing wrong?
Although it’s a way to get it done, I’d like to use «slapcat»:
root@myarmmachine:~/openldap/config/var-backups# docker restart openldap_arm64v8
openldap_arm64v8
root@myarmmachine:~/openldap/config/var-backups# ls -l
total 4
-rw-r–r– 1 root root 2544 Jun 17 12:25 201906171006-startup-data.ldif
root@OdroidC2:~/openldap/config/var-backups#
Because, as you say in https://hub.docker.com/r/mwaeckerlin/openldap, Before every restart, a backup is generated in /var/backups/-startup-data.ldif.
Thank you again.
Marc Wäckerlin am 18. Juni 2019 um 15:44 Uhr
If you look into
start.sh
, you see, how I do the backup:derborisk am 14. August 2019 um 12:51 Uhr
First of all THX for your great work. The openldap container is working like a charm.
Nevertheless, one question. Is it possible to run the container with a preconfigured slapd.conf? An existing slapd.conf in volume „/etc/ldap“ is overwritten each time starting a NEW container. It would be great to use an existing configuration file if one exists instead of overwriting it.
Fred am 31. Oktober 2019 um 10:06 Uhr
Hi,
I’m trying to docker-compose this, but the data is never saved to volumes, and the env DOMAIN seems to not work.
What I’m doing wrong ?
version: ‹3›
services:
ldap:
image: mwaeckerlin/openldap:latest
container_name: ldap
restart: always
environment:
DOMAIN: «domain.org»
volumes:
– ldap-lib:/var/lib/ldap
– ldap-ssl:/ssl
– ldap-etc:/etc/ldap
– ldap-backups:/var/backups
– ldap-restore:/var/restore
ports:
– «389:389»
– «636:636»
networks:
– ldap-link
lam:
image: mwaeckerlin/lam:latest
container_name: lam
restart: always
volumes:
– ldap-lib:/var/lib/ldap
– ldap-ssl:/ssl
– ldap-etc:/etc/ldap
– ldap-backups:/var/backups
– ldap-restore:/var/restore
ports:
– «80:80»
networks:
– ldap-link
depends_on:
– ldap
networks:
ldap-link:
driver: bridge
volumes:
ldap-lib:
external: true
ldap-ssl:
external: true
ldap-etc:
external: true
ldap-backups:
external: true
ldap-restore:
external: true
Tolga Firatoglu am 27. Dezember 2019 um 16:51 Uhr
Hello, I get an error: «Mounts denied» when I try to add volumes as Oscar did.
Also, I tried to write my docker-compose file. It seems to be working, but the problem is 0.0.0.0:82 outputs an error when I try to login:»LDAP error, server says:
(-1) Can’t contact LDAP server»
Here’s my current docker-compose.yml. I’m locked with this and I’d be very happy if I can solve.
Thanks
version: ‹2›
services:
openldap:
image: mwaeckerlin/openldap
container_name: openldap_myproject
environment:
DOMAIN: «myproject.edu»
ORGANIZATION: «myproject-org»
PASSWORD: «admin»
DEBUG_LEVEL: «1»
tty: «1»
stdin_open: «1»
ports:
– «389:389»
– «636:636»
lam:
image: mwaeckerlin/lam
container_name: lam_engr
ports:
– «82:80»
depends_on:
– openldap
Srishti am 14. März 2020 um 22:40 Uhr
I have «cn=admin,dc=marc,dc=waeckerlin,dc=org» in my security settings. No matter what password I set, I get the following error:
«Wrong password/user name combination. Please try again.»
Marc Wäckerlin am 15. März 2020 um 23:57 Uhr
First of all, you probably want to change the distinguished name to something that fits your setup. Then, it should work with the password given in
-e PASSWORD=…
.JP am 8. April 2020 um 11:20 Uhr
Hey I’m trying to get STARTTLS to work with Letsencrypt certs. So far no luck. When using ldapsearch the response is «unsupported extended operation».
In docker-compose.yml I added the certs as the following:
– ./certbot/conf/live//chain.pem:/ssl/certs/-ca.crt
– ./certbot/conf/live//cert.pem:/ssl/certs/.pem
– ./certbot/conf/live//privkey.pem:/ssl/certs/.key
I also tried with the correct file ending (all *.pem) but had to change the keyfile to -key.pem
James am 3. Mai 2020 um 12:58 Uhr
Unfortunately TLS does not work. I followed the setup to the letter and I can make a normal non-TLS call:
docker exec $(docker ps | grep openldap | awk ‹{print $1}›) ldapsearch -x -H ldap://openldap -b dc=mydoain,dc=com -D «cn=admin,dc=mydomain,dc=com» -w 1234
But as soon as you add -ZZ, I get back:
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
and in the logs…
5eaeb1dd conn=1005 op=0 do_extended: unsupported operation «1.3.6.1.4.1.1466.20037»
Looks like my search for a working TLS openldap container is still on….
James am 3. Mai 2020 um 13:22 Uhr
TLS doesn’t work, tested with -ZZ. I documented it here: https://github.com/mwaeckerlin/openldap/issues/21.