Marc Wäckerlin
Für eine libertäre Schweiz

Setup OpenLDAP Server in Docker

December 23, 2016

Structure of OpenLDAP Docker COntainer

Run OpenLDAP Server

I provide an OpenLDAP docker image:

To run an OpenLDAP container, including a volume for the data simply run:

docker run -d --restart unless-stopped \
              --name openldap-volume \
              mwaeckerlin/openldap sleep infinity
docker run -d --restart unless-stopped \
              --name openldap \
              --volumes-from openldap-volume \
              -e DOMAIN="" \
              -e ORGANIZATION="Marc Wäckerlin's Organization" \
              -e PASSWORD="ert456" \

To expose OpenLDAP from external, add option -p 389:389, but it is often enough to provide access to other local docker containers through their --link option. If you don’t pass -e PASSWORD="pw", then a password is generated. Enter docker logs -f openldap to see it.

Add Administration Interface

The simpelst way to administrate an OpenLDAP database is through LDAP Authentication Manager LAM. Feel free to use my docker image:

Start a container and connect it to the OpenLDAP container above. This time, you need external access:

docker run -d --restart unless-stopped \
              --name lam-volume \
              mwaeckerlin/lam sleep infinity
docker run -d --restart unless-stopped \
              -p 8080:80 \
              --name lam \
              --volumes-from lam-volume \
              --link openldap:ldap \

Then head your browser to http://localhost:8080, got to  LAM configuration / Edit general settings, login with default password lam and Change master password. Then go back and still with password lam go to Edit server profiles to setup your OpenLDAP database. Set a password, configure your domain. Since you link by the name ldap, serveraddress is ldap://ldap:389. Tree suffix is taken from DOMAIN, so here it us dc=marc,dc=waeckerlin,dc=org. Security settings should first be your admin, which is here cn=admin,dc=marc,dc=waeckerlin,dc=org. The password here is to login to this server profile setup. Later, when you created other users, you can change the administrators. In Account types, change all dc=my-domain,dc=com to your domain, here dc=marc,dc=waeckerlin,dc=org. Everything else can remain default. Now you can login as admin with your openldap PASSWORD on the initial login screen, create the missing suffixes and start creating groups and users.

Yes, it is that simple to run an OpenLDAP server including a nice administration frontend.

TLS with SSL Certificate

Next tasks could be to add a certificate to the OpenLDAP server and to enable TLS. This way you could even provide your services to the Internet.

Get a certificate and place it in the right path. You need the CA chain certificate and a domain certificate file and a domain key file. The name of the file must match the domain:

docker cp ca-certfile.crt openldap:/ssl/certs/
docker cp certfile.pem openldap:/ssl/certs/
docker cp certfile.key openldap:/ssl/certs/

Thats is it, docker restart openldap and you can use TLS.


lam is not working as a password.

lam is only the default password for the LAM-backend. To access OpenLDAP, you need the DN and password of the OpenLDAP administrator, e.g. username cn=admin,dc=marc,dc=waeckerlin,dc=org and the password you pass in PASSWORD.

What is the Base DN? I used cn=People,dc=mydom,dc=org but that isn’t recognized as a valid Base DN.

If you just run mwaeckerlin/openldap and set -e DOMAIN="", then your base domain is dc=mydom,dc=org. The cn=People part and all other structures are generated when you first login in LAM (you will be asked if you want to generate them). In the configuration of LAM, you can set anything you want instead of People, e.g. user, so it’s freely configurable.

[…] for authentication: OpenLDAP […]

I am unable to set a password for a user. The button ‘Set Password’ does not do anything. I would expect a dialog to open where I can enter the user’s password. Thanks.

AlpNek, do you mean in LAM? Yes, in the user’s settings, «set password» opens a window to set a password. That’s a feature of the LDAP Account Manager, and it works for me, so if it does not work for you, it should not be because of the docker container. In that case, please address to the LAM-developpers.

LAM Set Password

Why are the volumes handled so weirdly?

That’s the old deprecated way. It would be done with docker volume.