Welcome to the OpenLDAP docker setup! This project provides a streamlined way to deploy an OpenLDAP server along with phpLDAPadmin and self-service-password interfaces. It is designed to simplify the setup and management of an LDAP environment, making it accessible for both development and production use.
- Easy deployment: With Docker Compose, you can quickly set up an OpenLDAP server, phpLDAPadmin, and self-service-password interfaces.
- Secure communication: Supports LDAPS for secure communication between clients and the server.
- Pre-configured modules: Includes modules for dynamic lists, memberOf, referential integrity and password policies.
- Service accounts: Dedicated organizational unit for service accounts with customizable access rights.
- Administration scripts: Includes scripts for managing users, groups, and service accounts.
- LDIF-based schema configuration: The schema is configured using LDIF files located in the `init-ldif` directory, so avoid using OpenLDAP environment variables for schema creation.
- You must change all passwords.
- For phpldapadmin and self-service-password, service accounts have been created and ACLs have been configured.
- To log in to phpldapadmin, the user `cn=admin,ou=users,dc=example,dc=org` is required with this configuration. Therefore, use the `useradmin` and the `passwordadmin`.
- docker
- docker compose
- ldap-utils
- pwgen
- Generate certificates (optional)
  If you want to use StartTLS / LDAPS, generate the certificates by running the following command:
  ```
  bash 00-certs.sh
  ```
- Start the Docker containers
  Launch the Docker Compose setup with the following command:
  ```
  docker compose up -d
  ```
- Run the initial setup
  Execute the initial setup script to configure the OpenLDAP server:
  ```
  bash 01-setup.sh
  ```
Once the setup is complete, you can manage the LDAP server using ldapmodify or ldapadd commands.
Here are some useful LDAP commands to help you manage your OpenLDAP server:
- List data
  To list data under `dc=example,dc=org`, use:
  ```
  ldapsearch -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=org" -w "admin_PASSWORD" -b "dc=example,dc=org"
  ```
- Add a resource
  To add a resource using ldapmodify, use:
  ```
  ldapmodify -x -a -H ldap://localhost:389 -D "cn=admin,dc=example,dc=org" -w "admin_PASSWORD" -f CUSTOM_FILE.ldif
  ```
- List modules
  To list the available modules, use:
  ```
  ldapsearch -x -s one -H ldap://localhost:389 -D "cn=adminconfig,cn=config" -w "adminconfig_PASSWORD" -b cn=config "(objectClass=olcModuleList)" olcModuleLoad -LLL
  ```
- Search for configuration
  To search for specific configuration entries (here the ACLs of the data database), use:
  ```
  ldapsearch -x -H ldap://localhost:389 -D "cn=adminconfig,cn=config" -w "adminconfig_PASSWORD" -b "olcDatabase={2}mdb,cn=config" olcAccess
  ```
To use a TLS connection, you need to:
- Enable TLS in `docker-compose.yml` by uncommenting these lines:
  ```
  # - LDAP_ENABLE_TLS=yes
  # - LDAP_REQUIRE_TLS=no
  # - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt
  # - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key
  # - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt
  ```
- Set the CA cert path as an environment variable:
  ```
  export LDAPTLS_CACERT=PATH_CERT_CA
  ```
- StartTLS:
  ```
  LDAPTLS_REQCERT=never ldapsearch -x -ZZ -H ldap://localhost:389 -D "cn=admin,dc=example,dc=org" -w "adminpassword" -b "dc=example,dc=org"
  ```
- LDAPS:
  ```
  LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://localhost:636 -D "cn=admin,dc=example,dc=org" -w "adminpassword" -b "dc=example,dc=org"
  ```
Note that `LDAPTLS_REQCERT=never` makes the client skip verification of the server certificate, which is only acceptable while testing the setup; once `LDAPTLS_CACERT` points at the CA certificate generated above, drop it so that the server certificate is actually checked.
It is highly recommended to save LDIF files on an encrypted partition, as they contain sensitive information, including password hashes. Also, ensure that only authorized users have access to these files by setting appropriate permissions on the host.
- Backup - config
  ```
  docker exec openldap bash -c "slapcat -b 'cn=config' -F /bitnami/openldap/slapd.d/ > /backup/config_$(date +%Y%m%d).ldif"
  ```
- Backup - data
  ```
  docker exec openldap bash -c "slapcat -b 'dc=example,dc=org' -F /bitnami/openldap/slapd.d/ > /backup/data_$(date +%Y%m%d).ldif"
  ```
- Restore - config
  ```
  docker compose down
  rm -R ./data/slapd.d/*
  docker run --rm -v ./data:/bitnami/openldap -v ./backup:/backup bitnami/openldap:2.6.10 bash -c 'slapadd -b "cn=config" -F /bitnami/openldap/slapd.d/ -l /backup/config_DATE.ldif'
  docker compose up -d
  ```
- Restore - data
  ```
  docker exec openldap bash -c "slapadd -b 'dc=example,dc=org' -F /bitnami/openldap/slapd.d/ -l /backup/data_DATE.ldif"
  ```
  Note that `slapadd` writes directly to the database files, so slapd must not be serving the `dc=example,dc=org` database while the restore runs.

To schedule the backups, add the following entries to a crontab (the `%` signs must be escaped in cron):
```
# Daily backup of LDAP configuration and data at 10 p.m.
0 22 * * * docker exec openldap bash -c "slapcat -b 'cn=config' -F /bitnami/openldap/slapd.d/ > /backup/config_$(date +\%Y\%m\%d).ldif"
0 22 * * * docker exec openldap bash -c "slapcat -b 'dc=example,dc=org' -F /bitnami/openldap/slapd.d/ > /backup/data_$(date +\%Y\%m\%d).ldif"
```
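The backup commands above write whatever slapcat produces, even an empty file, with the default umask. The following helper, an added example and not one of the project's scripts, wraps the same slapcat call so that a failed or empty dump is discarded, the file is created owner-readable only (as the note about permissions asks), and old dumps are pruned. It writes to a directory on the host rather than to `/backup` inside the container, and the `SLAPCAT_CMD` variable is an assumption introduced so the slapcat command can be swapped for a stub when testing.

```shell
#!/bin/sh
# Added example, not one of the project's scripts: dump one LDAP suffix with
# slapcat, refuse to keep an empty or failed dump, store it with 0600
# permissions and prune old dumps. SLAPCAT_CMD is an assumption (a variable
# naming the command that runs slapcat); by default it runs slapcat inside
# the "openldap" container, as the README does.
SLAPCAT_CMD="${SLAPCAT_CMD:-docker exec openldap slapcat -F /bitnami/openldap/slapd.d/}"
BACKUP_DIR="${BACKUP_DIR:-./backup}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# ldap_backup SUFFIX LABEL -> prints the dump path on success, returns 1 otherwise
ldap_backup() {
    suffix="$1"; label="$2"
    out="$BACKUP_DIR/${label}_$(date +%Y%m%d).ldif"
    tmp="$out.tmp.$$"
    umask 077                                 # new files are owner-only
    mkdir -p "$BACKUP_DIR" || return 1
    # SLAPCAT_CMD is intentionally word-split so it can carry its own options
    if ! $SLAPCAT_CMD -b "$suffix" > "$tmp"; then
        rm -f "$tmp"; echo "slapcat failed for $suffix" >&2; return 1
    fi
    # A valid dump has at least one entry; an empty file means the suffix was
    # wrong or slapd could not read the database, so never overwrite a good dump.
    if ! grep -q '^dn: ' "$tmp"; then
        rm -f "$tmp"; echo "empty dump for $suffix" >&2; return 1
    fi
    chmod 600 "$tmp" && mv "$tmp" "$out" || return 1
    # Drop dumps older than KEEP_DAYS so stale password hashes do not pile up.
    find "$BACKUP_DIR" -name "${label}_*.ldif" -mtime "+$KEEP_DAYS" -exec rm -f {} +
    printf '%s\n' "$out"
}

# Usage with the README's two suffixes: "sh backup.sh run" dumps both.
if [ "${1:-}" = "run" ]; then
    ldap_backup 'cn=config' config && ldap_backup 'dc=example,dc=org' data
fi
```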
This project includes several administration scripts to manage users, groups, and service accounts in your OpenLDAP setup. These scripts are designed to simplify common tasks such as creating users, changing passwords, and managing groups.
For password creation or modification, `pwgen -s -y 32 1` is run to generate a secure password, which is printed to stdout.
- `02-create-users.sh`: Creates one or more users in the LDAP directory. You can optionally specify a group to which the users will be added.
- `03-change-user-password.sh`: Changes the password for a specified user.
- `04-delete-users.sh`: Deletes one or more users from the LDAP directory and removes them from any groups they belong to.
- `05-create-group.sh`: Creates a group and optionally adds members to it.
- `06-add-service-account.sh`: Adds a new service account to the LDAP directory.
- `07-change-service-account-password.sh`: Changes the password for a specified service account.
- `08-delete-service-account.sh`: Deletes a service account from the LDAP directory.
- Create users
  To create users, use the `02-create-users.sh` script followed by the usernames. Optionally, you can specify a group with the `--group` option. Password generation is done automatically.
  Note: Usernames must follow the pattern `firstname.lastname` (e.g., `john.doe`). This format is required because the script splits the username to automatically populate the `cn`, `sn`, `displayName`, and other LDAP attributes.
  ```
  bash 02-create-users.sh user1.name user2.name --group=groupName
  ```
- Change user password
  To change a user's password, use the `03-change-user-password.sh` script followed by the username.
  ```
  bash 03-change-user-password.sh user1.name
  ```
- Delete users
  To delete users, use the `04-delete-users.sh` script followed by the usernames.
  ```
  bash 04-delete-users.sh user1.name user2.name
  ```
- Create group
  To create a group, use the `05-create-groups.sh` script followed by the group name and optional members.
  ```
  bash 05-create-groups.sh groupName user1.name user2.name
  ```
- Add service account
  To add a service account and set its ACLs, use the `06-add-service-account.sh` script followed by the service account name.
  ```
  bash 06-add-service-account.sh serviceAccountName
  ```
- Change service account password
  To change a service account's password, use the `07-change-service-account-password.sh` script followed by the service account name.
  ```
  bash 07-change-service-account-password.sh serviceAccountName
  ```
- Delete service account
  To delete a service account, use the `08-delete-service-account.sh` script followed by the service account name.
  ```
  bash 08-delete-service-account.sh serviceAccountName
  ```
These scripts provide a convenient way to manage your LDAP directory and can be customized further to fit your specific requirements.
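The user-creation note above explains that `firstname.lastname` is split to fill `cn`, `sn`, `displayName` and the other attributes. The function below, an added example and not the project's `02-create-users.sh`, shows that derivation and the `inetOrgPerson` entry that results, and also rejects usernames that do not match the pattern (which keeps DN metacharacters out of the generated `dn`). The mail domain is an assumption; the password is not set here, since the project's scripts generate it separately with pwgen.

```shell
#!/bin/sh
# Added example, not the project's 02-create-users.sh: derive the inetOrgPerson
# attributes described in the README from a firstname.lastname username and
# print the LDIF that ldapadd would take. Base DN and ou follow the README;
# MAIL_DOMAIN is an assumption. userPassword is set afterwards by the scripts
# (they generate it with pwgen -s -y 32 1).
BASE_DN="dc=example,dc=org"
MAIL_DOMAIN="${MAIL_DOMAIN:-example.org}"

# capitalise WORD -> first letter upper-cased: "doe" -> "Doe"
capitalise() {
    first=$(printf '%s' "$1" | cut -c1 | tr '[:lower:]' '[:upper:]')
    rest=$(printf '%s' "$1" | cut -c2-)
    printf '%s%s' "$first" "$rest"
}

# user_ldif USERNAME -> LDIF on stdout; returns 1 if the name is not
# firstname.lastname. Only lower-case letters and hyphens are accepted on each
# side of a single dot, so characters with meaning in a DN or filter
# (',', '=', '+', '*', ...) can never reach the generated dn.
user_ldif() {
    uid="$1"
    case "$uid" in
        [a-z]*.[a-z]*) ;;                    # letters on both sides of a dot
        *) echo "username must match firstname.lastname: $uid" >&2; return 1 ;;
    esac
    case "$uid" in
        *.*.*|*[!a-z.-]*) echo "username must match firstname.lastname: $uid" >&2; return 1 ;;
    esac
    given=$(capitalise "${uid%%.*}")         # part before the dot
    family=$(capitalise "${uid#*.}")         # part after the dot
    cat <<EOF
dn: uid=$uid,ou=users,$BASE_DN
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: $uid
cn: $given $family
givenName: $given
sn: $family
displayName: $given $family
mail: $uid@$MAIL_DOMAIN
EOF
}
```

The output can be fed straight to the `ldapmodify -x -a ... -f` command shown earlier, one entry per user.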
To enable and configure the ppolicy module, use the following commands:
```
ldapmodify -x -a -H ldap://localhost:389 -D "cn=adminconfig,cn=config" -w "adminconfig_PASSWORD" -f ppolicy-module/01-enable-ppolicy-module.ldif
ldapadd -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=org" -w "admin_PASSWORD" -f ppolicy-module/02-default-ppolicy.ldif
ldapmodify -x -a -H ldap://localhost:389 -D "cn=adminconfig,cn=config" -w "adminconfig_PASSWORD" -f ppolicy-module/03-overlay-ppolicy-module.ldif
```
Service accounts are located in the `ou=service-accounts` organizational unit. After creating a service account, you need to define its access rights using an LDIF file. Here is an example:
```
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {X}to dn.subtree="ou=users,dc=example,dc=org"
  by dn.exact="cn=phpldapadmin,ou=service-accounts,dc=example,dc=org" read
  by * none
```
`{X}` is the rule's position in the ordered `olcAccess` list: slapd applies the first rule whose `to` clause matches the entry, so list the current rules with the configuration search shown above and pick an index that places this rule before any broader rule that also covers `ou=users`. The continuation lines must start with a space, as LDIF requires.
Apply the LDIF file using the following command:
```
ldapmodify -x -a -H ldap://localhost:389 -D "cn=adminconfig,cn=config" -w "adminconfig_PASSWORD" -f CUSTOM_FILE.ldif
```
You can test the access rights by binding as the service account and searching the subtree it was granted:
```
ldapsearch -x -H ldap://localhost:389 -D "cn=phpldapadmin,ou=service-accounts,dc=example,dc=org" -w "phpldapadmin_PASSWORD" -b "ou=users,dc=example,dc=org" "(memberOf=cn=demo,ou=groups,dc=example,dc=org)"
```
- Connection settings
  - Servers: `ldap://IP_or_FQDN:389` (adjust for LDAPS)
  - BaseDn: `dc=example,dc=org`
  - BindDn: `cn=admin,ou=users,dc=example,dc=org` (you could create a service account with the right ACL instead of using `cn=admin,ou=users,dc=example,dc=org`)
  - BindPassword: `admin_PASSWORD`
- User binding settings
  - User binding: `cn`
  - User filter: `uid`
  - User object classes: `inetOrgPerson`
- LDAP attributes
  - ID attribute: `uid`
  - Displayname attribute: `displayName`
  - Email attribute: `mail`
  - Given name attribute: `givenName`
  - Family name attribute: `sn`
  - Nickname attribute: `givenName`
This setup provides a robust and flexible LDAP environment that can be easily integrated with other systems and applications. Enjoy managing your LDAP server with ease!