Welcome to this guide on how to run OpenLDAP Server in Docker Containers. LDAP, an acronym for Lightweight Directory Access Protocol, is a protocol used to access and modify X.500-based directory services over TCP/IP. It is used to share information about users, systems, networks, services, and applications from a directory service with other services and applications. OpenLDAP is a free and open-source implementation of LDAP. It is developed by the OpenLDAP Project and released under a BSD-style license called the OpenLDAP Public License.
OpenLDAP provides a command line from which system admins can build and manage the LDAP directory. This requires deep knowledge of the LDAP protocol and directory structure. That burden can be eased by using third-party applications like phpLDAPadmin, a web application from which one can interact with OpenLDAP through a simple UI.
OpenLDAP is preferred due to:
- Low Costs – It is free, making it a common choice for startups.
- OS-Agnosticism – It is fully supported on Mac, Windows, and Linux systems.
- Flexibility – This gives it broad applicability.
Now let’s dive in!
# 1. Install Docker Engine
It will be best if you have the following done before you begin the setup of OpenLDAP Server in Docker Containers.
- Update the system and install the required packages:

```bash
## On Debian/Ubuntu
sudo apt update && sudo apt upgrade
sudo apt install curl vim git

## On RHEL/CentOS/RockyLinux 8
sudo yum -y update
sudo yum -y install curl vim git

## On Fedora
sudo dnf update
sudo dnf -y install curl vim git
```
- Install Docker Engine on your system. The below guide can help you achieve this.

Once installed, add your system user to the docker group:

```bash
sudo usermod -aG docker $USER
newgrp docker
```

Start and enable the docker service:

```bash
sudo systemctl start docker && sudo systemctl enable docker
```

# 2. Provision OpenLDAP Docker Container
Running OpenLDAP in Docker containers requires you to define a few variables; the image accepts quite a number of them.

To run a basic OpenLDAP container, use the command:

```bash
docker run --name openldap-server \
  --env LDAP_ORGANISATION="My Company" \
  --env LDAP_DOMAIN="ldap.example.com" \
  --env LDAP_ADMIN_PASSWORD="StrongAdminPassw0rd" \
  --detach osixia/openldap:latest
```

The above command creates a container with the domain name ldap.example.com and the admin password StrongAdminPassw0rd.
Data persistence

It is possible to create an OpenLDAP container that persists data. The directories /var/lib/ldap (the database) and /etc/ldap/slapd.d (the LDAP configuration) need to be mapped to host volumes for the data to be saved outside the container.

Delete the current container:

```bash
docker rm -f openldap-server
```

First, create the data volumes:

```bash
sudo mkdir -p /data/slapd/config
sudo mkdir /data/slapd/database
```

Set the right permissions:

```bash
sudo chmod 775 -R /data/slapd
sudo chown -R $USER:docker /data/slapd
```

On RHEL-based systems the default SELinux policy blocks the container from writing to these bind mounts. The guide relaxes SELinux to permissive mode system-wide:

```bash
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
```

A narrower alternative is to keep enforcing mode and append `:Z` to each `--volume` mapping below so Docker relabels only those two directories.

You can now use the two volumes for data persistence by mapping them as shown:

```bash
docker run --name openldap-server \
  --env LDAP_ORGANISATION="My Company" \
  --env LDAP_DOMAIN="ldap.example.com" \
  --env LDAP_ADMIN_PASSWORD="StrongAdminPassw0rd" \
  --volume /data/slapd/database:/var/lib/ldap \
  --volume /data/slapd/config:/etc/ldap/slapd.d \
  --detach osixia/openldap:latest
```
Configure TLS

When running OpenLDAP in Docker containers, TLS is enabled by default and uses certificates the image generates itself. You can instead supply your own certificates at run time: map the directory containing them to /container/service/slapd/assets/certs, then point the file-name variables at them.

```bash
.....
  --volume /path/to/certificates:/container/service/slapd/assets/certs \
  --env LDAP_TLS_CRT_FILENAME=my-ldap.crt \
  --env LDAP_TLS_KEY_FILENAME=my-ldap.key \
  --env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \
.......
```

To disable TLS, the variable below can be used:

```bash
......
  --env LDAP_TLS=false
.....
```

Set OpenLDAP Base DN

You can also set the Base DN when running the container. The environment variable is used as shown:

```bash
....
  --env LDAP_BASE_DN="dc=neveropen,dc=com"
....
```
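The custom-certificate mapping above assumes you already have a CA and a server certificate named as the LDAP_TLS_*_FILENAME variables expect. The script below is an added example, not part of the original guide or of the osixia/openldap project: it creates a private CA and a server certificate in a directory laid out for that volume mapping, verifies the chain the way an LDAP client will (chain to the CA plus a DNS subjectAltName for the hostname), and prints the matching docker run command. It requires the openssl CLI; the directory, hostname and the CHANGE_ME password are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the original guide or the osixia/openldap project):
# generate a private CA and a server certificate laid out for the
# --volume <dir>:/container/service/slapd/assets/certs mapping, using the same
# file names as the LDAP_TLS_*_FILENAME variables. Requires the openssl CLI.
# DIR and HOST are arguments you supply (placeholders here).
set -eu

# make_certs DIR HOST: write the-ca.crt, my-ldap.crt and my-ldap.key into DIR.
make_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Private CA, self-signed, 10 years. Its key is only needed for signing:
  # move the-ca.key out of DIR before mounting DIR into the container.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example LDAP CA" \
    -keyout "$dir/the-ca.key" -out "$dir/the-ca.crt" 2>/dev/null
  # Server key and CSR for the LDAP hostname.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$dir/my-ldap.key" -out "$dir/my-ldap.csr" 2>/dev/null
  # Sign with the CA and add a subjectAltName: modern clients check SAN, not CN.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 825 -in "$dir/my-ldap.csr" \
    -CA "$dir/the-ca.crt" -CAkey "$dir/the-ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/my-ldap.crt" 2>/dev/null
  rm -f "$dir/my-ldap.csr" "$dir/san.ext"
  chmod 600 "$dir"/*.key
}

# verify_certs DIR HOST: succeed only if the server certificate chains to the
# CA and carries HOST as a DNS SAN, which is what an LDAP client will check.
verify_certs() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/the-ca.crt" "$dir/my-ldap.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/my-ldap.crt" -noout -text | grep -q "DNS:$host"
}

# run_command DIR HOST: print the docker run line with the certificates mounted.
run_command() {
  dir="$1"; host="$2"
  cat <<EOF
docker run --name openldap-server \\
  -p 389:389 -p 636:636 --hostname $host \\
  --env LDAP_DOMAIN="$host" \\
  --env LDAP_ADMIN_PASSWORD="CHANGE_ME" \\
  --volume $dir:/container/service/slapd/assets/certs \\
  --env LDAP_TLS_CRT_FILENAME=my-ldap.crt \\
  --env LDAP_TLS_KEY_FILENAME=my-ldap.key \\
  --env LDAP_TLS_CA_CRT_FILENAME=the-ca.crt \\
  --detach osixia/openldap:latest
EOF
}

# Usage: sh make-ldap-certs.sh /data/slapd/certs ldap.example.com
if [ "$#" -ge 2 ]; then
  make_certs "$1" "$2"
  verify_certs "$1" "$2" && echo "certificates OK in $1"
  run_command "$1" "$2"
fi
```

Once the container is up with these files, clients verify the server with the CA only, e.g. by setting LDAPTLS_CACERT to the-ca.crt before running ldapsearch with -ZZ; a certificate whose SAN does not match the hostname you connect to will be rejected, which is the behaviour verify_certs checks for before you ever start the container.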
# 3. Run OpenLDAP in Docker Containers

The above variables can now be put together when initializing the OpenLDAP container, as shown:

```bash
docker run \
  --name openldap-server \
  -p 389:389 \
  -p 636:636 \
  --hostname ldap.geeksforgeeks.org \
  --env LDAP_ORGANISATION="My Company" \
  --env LDAP_DOMAIN="geeksforgeeks.org" \
  --env LDAP_ADMIN_PASSWORD="StrongAdminPassw0rd" \
  --env LDAP_BASE_DN="dc=neveropen,dc=com" \
  --volume /data/slapd/database:/var/lib/ldap \
  --volume /data/slapd/config:/etc/ldap/slapd.d \
  --detach osixia/openldap:latest
```

Verify that the container is running with the ports exposed:

```
$ docker ps
24ce38a6c74f osixia/openldap:latest "/container/tool/run" 8 seconds ago Up 6 seconds 0.0.0.0:389->389/tcp, :::389->389/tcp, 0.0.0.0:636->636/tcp, :::636->636/tcp openldap-server
```
If you have a firewall enabled, allow the ports through it:

```bash
## For UFW
sudo ufw allow 389/tcp
sudo ufw allow 636/tcp

## For Firewalld
sudo firewall-cmd --add-port=389/tcp --permanent
sudo firewall-cmd --add-port=636/tcp --permanent
sudo firewall-cmd --reload
```

# 4. Run phpLDAPadmin In Docker Containers
For easier administration, we will run phpLDAPadmin in Docker as well. This provides a web UI from which to populate users and groups in OpenLDAP.

```bash
docker run \
  --name phpldapadmin \
  -p 10080:80 \
  -p 10443:443 \
  --hostname phpldapadmin-service \
  --link openldap-server:ldap-host \
  --env PHPLDAPADMIN_LDAP_HOSTS=ldap.geeksforgeeks.org \
  --detach osixia/phpldapadmin:latest
```

Verify that the container is running:

```
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
785ca2657e65 osixia/phpldapadmin:latest "/container/tool/run" 5 seconds ago Up 4 seconds 0.0.0.0:10080->80/tcp, :::10080->80/tcp, 0.0.0.0:10443->443/tcp, :::10443->443/tcp phpldapadmin-service
24ce38a6c74f osixia/openldap:latest "/container/tool/run" About a minute ago Up About a minute 0.0.0.0:389->389/tcp, :::389->389/tcp, 0.0.0.0:636->636/tcp, :::636->636/tcp phpldapadmin
```

# 5. Access the OpenLDAP via Web UI
You can now proceed and access OpenLDAP via the Web UI using the URL https://IP_Address:10443.

Log in to the interface. For this case the credentials will be:

```
Login DN = cn=admin,dc=neveropen,dc=com
Password = StrongAdminPassw0rd
```
Fill in the credentials as shown below.
On successful login, you will see the below dashboard.
1. Create Organizational Units
Click on “dc=neveropen,dc=com” -> Create a child entry to create a new Organizational Unit.
There are several entry types. For this guide, we will create two categories: groups and users. So we will proceed with the Generic: Organizational Unit template. Provide the name of the organizational unit (groups).
Proceed and commit the changes made.
You can repeat the same steps to create an entry for users. Remember that this child entry is created on dc=neveropen,dc=com.
After this, the new entries will be added.
2. Create Groups
We can now create groups with the required access rights. To create a group, click on the Groups category created.
Click on Create a child entry and choose Generic: Posix Group.
Provide the group name say “employer” and click on Create Object.
Commit the changes made.
You can repeat the same process when creating another group say “employees“. The created groups will appear as shown.
View details for the groups by clicking on the ou=groups category then View 2 children.
3. Create Users.
Begin by clicking the “ou=users” category. Then “Create a child entry”.
On the entry list, click on Generic: User Account
Proceed and provide the details for the user.
Create and proceed to commit the changes.
Use this procedure to create as many users as you need. View the users by clicking on the “ou=users” category and then the “View … children” link.
4. Add Users to Groups
Users can be added to the desired groups. This is done by clicking on ou=groups -> the desired group and selecting “Add new attribute”.
Proceed and select “memberUid” from the drop-down list.
In the text box, provide the user to be added and click update.
Commit the changes.
You can now add more members by clicking modify group members.
Select the members to be added and save the changes.
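Steps 1 to 4 above build the directory tree by clicking through phpLDAPadmin. The script below is an added example, not part of the original guide, that produces the same tree as LDIF (ou=groups and ou=users, a posixGroup, a posixAccount user, and the memberUid attribute that adds the user to the group) so it can be loaded with ldapmodify and kept under version control. The base DN, hostname, group name, the user jdoe and the numeric ids are placeholders or constructed values; the admin DN cn=admin,BASE_DN is the one the guide logs in with.

```shell
#!/bin/sh
# Added example (not from the original guide): the tree the phpLDAPadmin steps
# build by hand, generated as LDIF. Group "employees" is the guide's; the user
# "jdoe" and the uid/gid numbers are constructed placeholders.
set -eu

# make_base_ldif BASE_DN: the two organizational units (step 1).
make_base_ldif() {
  printf 'dn: ou=groups,%s\nobjectClass: organizationalUnit\nou: groups\n\n' "$1"
  printf 'dn: ou=users,%s\nobjectClass: organizationalUnit\nou: users\n\n' "$1"
}

# make_group_ldif BASE_DN NAME GID: a POSIX group (step 2, Generic: Posix Group).
make_group_ldif() {
  printf 'dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n\n' \
    "$2" "$1" "$2" "$3"
}

# make_user_ldif BASE_DN UID UIDNUMBER GIDNUMBER CN SN: a user account (step 3,
# Generic: User Account). No userPassword is written here; set it afterwards with
# ldappasswd so a password hash never sits in a plaintext LDIF file.
make_user_ldif() {
  base="$1"; uid="$2"; uidn="$3"; gidn="$4"; cn="$5"; sn="$6"
  printf 'dn: uid=%s,ou=users,%s\n' "$uid" "$base"
  printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
  printf 'uid: %s\ncn: %s\nsn: %s\n' "$uid" "$cn" "$sn"
  printf 'uidNumber: %s\ngidNumber: %s\n' "$uidn" "$gidn"
  printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n\n' "$uid"
}

# make_member_ldif BASE_DN GROUP UID: add the user to the group (step 4, the
# "Add new attribute -> memberUid" action) as a modify record.
make_member_ldif() {
  printf 'dn: cn=%s,ou=groups,%s\nchangetype: modify\nadd: memberUid\nmemberUid: %s\n\n' \
    "$2" "$1" "$3"
}

# seed_ldif BASE_DN: the whole tree in one LDIF stream, in dependency order.
seed_ldif() {
  make_base_ldif "$1"
  make_group_ldif "$1" employees 10001
  make_user_ldif "$1" jdoe 10001 10001 "John Doe" Doe
  make_member_ldif "$1" employees jdoe
}

# load_ldif HOST BASE_DN FILE: apply the LDIF as the admin user (prompts for the
# password). -a treats records without a changetype as adds while the
# changetype: modify record is applied as a modification; -ZZ forces StartTLS
# and aborts if it cannot be negotiated, so the bind password is never sent in
# clear. Point LDAPTLS_CACERT at the CA certificate the server uses.
load_ldif() {
  ldapmodify -a -ZZ -x -H "ldap://$1" -D "cn=admin,$2" -W -f "$3"
}

# Usage: sh ldap-seed.sh dc=neveropen,dc=com > seed.ldif      (print only)
#        sh ldap-seed.sh dc=neveropen,dc=com ldap.example.com  (generate and load)
if [ "$#" -eq 1 ]; then
  seed_ldif "$1"
elif [ "$#" -eq 2 ]; then
  tmp=$(mktemp)
  seed_ldif "$1" > "$tmp"
  load_ldif "$2" "$1" "$tmp"
  rm -f "$tmp"
fi
```

After loading, the same ldapsearch you would use to check the web UI's work confirms the membership, for example searching the base DN with the filter (memberUid=jdoe); the tree then appears in phpLDAPadmin exactly as if it had been clicked together.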
Voila!
That marks the end of this guide on how to run OpenLDAP Server in Docker Containers. You now have your OpenLDAP Server running with users and groups added. I hope this was significant.