The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
This image is based on Alpine Linux, OpenLDAP and phpLDAPAdmin.

```shell
docker run -dit -p 80:80 -p 389:389 -p 636:636 --restart unless-stopped --name openldap \
-e ORGANISATION_NAME="Test" \
-e SUFFIX="dc=test,dc=local" \
-e ROOT_USER="admin" \
-e ROOT_PW="password" \
mailsvb/openldap:latest
```
Override the following environment variables when running the docker container to customise LDAP:
VARIABLE | DESCRIPTION | DEFAULT |
---|---|---|
ORGANISATION_NAME | Organisation name | Test |
SUFFIX | Organisation distinguished name | dc=test,dc=local |
ROOT_USER | Root username | admin |
ROOT_PW | Root password | password |
ACCESS_CONTROL | Global access control | access to * by * read |
LOG_LEVEL | LDAP logging level, see below for valid values. | stats |

Valid LOG_LEVEL values:

NAME | DESCRIPTION |
---|---|
any | enable all debugging (warning! lots of messages will be output) |
trace | trace function calls |
packets | debug packet handling |
args | heavy trace debugging |
conns | connection management |
BER | print out packets sent and received |
filter | search filter processing |
config | configuration processing |
ACL | access control list processing |
stats | stats log connections/operations/results |
stats2 | stats log entries sent |
shell | print communication with shell backends |
parse | print entry parsing debugging |
sync | syncrepl consumer processing |
none | only messages that get logged whatever log level is set |
The container uses a standard mdb backend. To persist this database outside the container, mount `/var/lib/openldap/openldap-data`. For example:

```shell
docker run -t -p 389:389 \
--mount source=openldap-data,target=/var/lib/openldap/openldap-data \
mailsvb/openldap:latest
```
The container can be started using the encrypted LDAPS protocol. You must provide all three TLS environment variables.
VARIABLE | DESCRIPTION | EXAMPLE |
---|---|---|
CA_FILE | PEM-format file containing the certificates of the CAs that slapd will trust | /etc/ssl/certs/ca.pem |
KEY_FILE | The slapd server private key | /etc/ssl/certs/public.key |
CERT_FILE | The slapd server certificate | /etc/ssl/certs/public.crt |
Note that these variables only tell the entrypoint script (run on startup) where to find the TLS files inside the container, so the files themselves must also be mounted at runtime, for example:

```shell
docker run -t -p 389:389 -p 636:636 \
-v /my-certs:/etc/ssl/certs \
-e CA_FILE=/etc/ssl/certs/ca.pem \
-e KEY_FILE=/etc/ssl/certs/public.key \
-e CERT_FILE=/etc/ssl/certs/public.crt \
mailsvb/openldap:latest
```

where `/my-certs` on the host contains the three files `ca.pem`, `public.key` and `public.crt`.

To disable client certificates, set `TLS_VERIFY_CLIENT` to `never` or `try`.
Global access to your directory can be configured via the `ACCESS_CONTROL` environment variable.
The default policy allows anyone and everyone to read anything but restricts updates to the rootdn:

```shell
access to * by * read
```

Note that the rootdn can always read and write everything!

Detailed documentation on access control: https://www.openldap.org/doc/admin24/access-control.html

The following access control lets a user modify their own entry, lets anonymous clients authenticate (bind) against these entries, and lets all others read them:

```shell
docker run -t -p 389:389 \
-e ACCESS_CONTROL="access to * by self write by anonymous auth by users read" \
mailsvb/openldap:latest
```

Now an anonymous search such as `ldapsearch -x -b "dc=example,dc=com" "uid=pgarrett"` will return no results.
In order to search you will need to authenticate (bind) first:

```shell
ldapsearch -x -D "uid=pgarrett,ou=Users,dc=example,dc=com" -w password -b "dc=example,dc=com" "uid=pgarrett"
```
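As an added illustration (not part of this image or its README), a small Python model of how slapd resolves an `ACCESS_CONTROL` directive: the first matching `by` clause wins, granting a level also grants every level below it, and the rootdn bypasses the ACL. It models only the `access to *` form used here with the subjects `*`, `self`, `anonymous` and `users`; the rootdn value `cn=admin,dc=example,dc=com` is an assumption.

```python
import re

# Privilege ladder used by slapd: granting a level also grants everything below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two directives from this README; the rootdn value is an assumption for the example.
DEFAULT_ACL = "access to * by * read"
PAGE_ACL = "access to * by self write by anonymous auth by users read"
ROOTDN = "cn=admin,dc=example,dc=com"

def parse_access(directive):
    """Split an 'access to * by <who> <level> ...' line into (who, level) pairs, in order."""
    m = re.fullmatch(r"\s*access\s+to\s+\*((?:\s+by\s+\S+\s+\S+)+)\s*", directive)
    if m is None:
        raise ValueError("only the 'access to *' form is modelled: %r" % directive)
    return re.findall(r"by\s+(\S+)\s+(\S+)", m.group(1))

def who_matches(who, requester, target):
    """requester is the bound DN (None when anonymous); target is the entry being accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    raise ValueError("unsupported 'by' subject %r" % who)

def granted_level(directive, requester, target, rootdn=ROOTDN):
    """First matching 'by' clause wins; rootdn bypasses the ACL; no match means no access."""
    if requester is not None and requester.lower() == rootdn.lower():
        return "manage"
    for who, level in parse_access(directive):
        if who_matches(who, requester, target):
            return level
    return "none"

def allowed(directive, requester, target, needed, rootdn=ROOTDN):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(directive, requester, target, rootdn)) >= LEVELS.index(needed)

if __name__ == "__main__":
    entry = "uid=pgarrett,ou=Users,dc=example,dc=com"
    # Anonymous ldapsearch -x: 'anonymous auth' matches first, and auth < search, so no results.
    print("anonymous search:", allowed(PAGE_ACL, None, entry, "search"))
    # Bound as pgarrett searching their own entry: 'self write' matches first.
    print("self write:", allowed(PAGE_ACL, entry, entry, "write"))
```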