1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-01-06 03:54:01 +02:00
dockerfiles/openldap/README.md

126 lines
3.6 KiB
Markdown
Raw Normal View History

2018-10-30 09:56:55 +02:00
OpenLDAP
========
[![](https://www.openldap.org/images/headers/LDAPworm.gif)](https://www.openldap.org/)
OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
## Directory Tree
```
├── data
│   ├── certs
│   │   ├── ca.crt
│   │   ├── ca.key
│   │   ├── ca.srl
│   │   ├── ldap.crt
│   │   ├── ldap.csr
│   │   └── ldap.key
│   ├── conf (auto generated)
│   │   ├── cn=config
│   │   ├── cn=config.ldif
│   │   └── docker-openldap-was-started-with-tls
│   └── data (auto generated)
│   ├── data.mdb
│   └── lock.mdb
└── docker-compose.yml
```
## docker-compose.yml
```yaml
2019-09-24 22:24:54 +02:00
version: "3.7"
services:
openldap:
image: osixia/openldap
command: "--loglevel debug"
hostname: ldap.easypi.pro
ports:
- "389:389"
- "636:636"
volumes:
- ./data/certs:/container/service/slapd/assets/certs
- ./data/etc:/etc/ldap/slapd.d
- ./data/var:/var/lib/ldap
- ./data/run:/container/run
environment:
- LDAP_ORGANISATION=EasyPi
- LDAP_DOMAIN=ldap.easypi.pro
- LDAP_ADMIN_PASSWORD=admin
- LDAP_CONFIG_PASSWORD=config
- LDAP_TLS=true
- LDAP_TLS_CA_CRT_FILENAME=ca.crt
- LDAP_TLS_CRT_FILENAME=ldap.crt
- LDAP_TLS_KEY_FILENAME=ldap.key
- LDAP_TLS_VERIFY_CLIENT=try
- LDAP_TLS_ENFORCE=true
restart: always
phpldapadmin:
image: osixia/phpldapadmin
2019-09-27 03:29:09 +02:00
command: "--loglevel debug"
2019-09-24 22:24:54 +02:00
ports:
- "8080:80"
environment:
2019-09-27 03:29:09 +02:00
# PHPLDAPADMIN_LDAP_HOSTS=#PYTHON2BASH:[{'ldap.easypi.pro':[{'server':[{'tls':True}]}]}]
- PHPLDAPADMIN_LDAP_HOSTS=ldaps://ldap.easypi.pro/
2019-09-24 22:24:54 +02:00
- PHPLDAPADMIN_HTTPS=false
2019-09-27 03:29:09 +02:00
- PHPLDAPADMIN_TRUST_PROXY_SSL=true
2019-09-24 22:24:54 +02:00
extra_hosts:
- ldap.easypi.pro:x.x.x.x
depends_on:
- openldap
restart: always
2018-10-30 09:56:55 +02:00
```
2019-09-27 03:29:09 +02:00
> :warnning: I haven't figured out how to connect [phpldapadmin][1] to openladp via STARTTLS:
2019-09-24 22:24:54 +02:00
>> openldap_1 | 5d8a7abe conn=1023 fd=12 ACCEPT from IP=172.29.0.1:59342 (IP=0.0.0.0:389)
>> openldap_1 | 5d8a7abe conn=1023 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> openldap_1 | 5d8a7abe conn=1023 op=0 STARTTLS
>> openldap_1 | 5d8a7abe conn=1023 op=0 RESULT oid= err=0 text=
>> openldap_1 | 5d8a7abe conn=1023 fd=12 TLS established tls_ssf=256 ssf=256
>> openldap_1 | 5d8a7abe conn=1023 fd=12 closed (connection lost)
2018-11-05 11:39:54 +02:00
2018-10-30 09:56:55 +02:00
## Create Keys and Certificates
```bash
openssl req \
-x509 -nodes -days 3650 -sha256 \
-subj '/C=US/ST=Oregon/L=Portland/CN=easypi.pro' \
-newkey rsa:2048 -keyout ca.key -out ca.crt
openssl req \
-new -sha256 -newkey rsa:2048 -nodes \
-subj '/CN=ldap.easypi.pro/O=EasyPi/C=US/ST=Oregon/L=Portland' \
-keyout ldap.key -out ldap.csr
openssl x509 \
-req -days 3650 -sha256 \
-in ldap.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out ldap.crt
```
2019-09-24 22:24:54 +02:00
## Test the STARTTLS & SSL connections
2018-10-30 09:56:55 +02:00
```bash
$ docker-compose exec openldap bash
>>> ldapwhoami -H ldap://ldap.easypi.pro -x -ZZ
anonymous
2019-09-24 22:24:54 +02:00
>>> ldapwhoami -H ldaps://ldap.easypi.pro -x -D cn=admin,dc=ldap,dc=easypi,dc=pro -w admin
dn:cn=admin,dc=ldap,dc=easypi,dc=pro
>>> ldapsearch -H ldaps://ldap.easypi.pro -b dc=ldap,dc=easypi,dc=pro -D cn=admin,dc=ldap,dc=easypi,dc=pro -w admin
...
2018-10-30 09:56:55 +02:00
```
2019-09-24 22:24:54 +02:00
## GUI Client
- https://directory.apache.org/
2018-10-30 09:56:55 +02:00
## References
- https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
2019-09-27 03:29:09 +02:00
[1]: https://github.com/commandprompt/phpldapadmin/blob/master/config/config.php.example