mirror of
https://github.com/vimagick/dockerfiles.git
synced 2024-12-23 01:39:27 +02:00
126 lines
3.7 KiB
Markdown
126 lines
3.7 KiB
Markdown
OpenLDAP
|
|
========
|
|
|
|
[![](https://www.openldap.org/images/headers/LDAPworm.gif)](https://www.openldap.org/)
|
|
|
|
OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
|
|
|
|
## Directory Tree
|
|
|
|
```
|
|
├── data
|
|
│ ├── certs
|
|
│ │ ├── ca.crt
|
|
│ │ ├── ca.key
|
|
│ │ ├── ca.srl
|
|
│ │ ├── ldap.crt
|
|
│ │ ├── ldap.csr
|
|
│ │ └── ldap.key
|
|
│ ├── conf (auto generated)
|
|
│ │ ├── cn=config
|
|
│ │ ├── cn=config.ldif
|
|
│ │ └── docker-openldap-was-started-with-tls
|
|
│ └── data (auto generated)
|
|
│ ├── data.mdb
|
|
│ └── lock.mdb
|
|
└── docker-compose.yml
|
|
```
|
|
|
|
## docker-compose.yml
|
|
|
|
```yaml
|
|
version: "3.8"
|
|
|
|
services:
|
|
|
|
openldap:
|
|
image: osixia/openldap
|
|
command: "--loglevel debug"
|
|
hostname: ldap.easypi.duckdns.org
|
|
ports:
|
|
- "389:389"
|
|
- "636:636"
|
|
volumes:
|
|
- ./data/certs:/container/service/slapd/assets/certs
|
|
- ./data/etc:/etc/ldap/slapd.d
|
|
- ./data/var:/var/lib/ldap
|
|
- ./data/run:/container/run
|
|
environment:
|
|
- LDAP_ORGANISATION=EasyPi
|
|
- LDAP_DOMAIN=ldap.easypi.duckdns.org
|
|
- LDAP_ADMIN_PASSWORD=admin
|
|
- LDAP_CONFIG_PASSWORD=config
|
|
- LDAP_TLS=true
|
|
- LDAP_TLS_CA_CRT_FILENAME=ca.crt
|
|
- LDAP_TLS_CRT_FILENAME=ldap.crt
|
|
- LDAP_TLS_KEY_FILENAME=ldap.key
|
|
- LDAP_TLS_VERIFY_CLIENT=try
|
|
- LDAP_TLS_ENFORCE=true
|
|
restart: unless-stopped
|
|
|
|
# phpldapadmin:
|
|
# image: osixia/phpldapadmin
|
|
# command: "--loglevel debug"
|
|
# ports:
|
|
# - "8080:80"
|
|
# environment:
|
|
# # PHPLDAPADMIN_LDAP_HOSTS=#PYTHON2BASH:[{'ldap.easypi.duckdns.org':[{'server':[{'tls':True}]}]}]
|
|
# - PHPLDAPADMIN_LDAP_HOSTS=ldaps://ldap.easypi.duckdns.org/
|
|
# - PHPLDAPADMIN_HTTPS=false
|
|
# - PHPLDAPADMIN_TRUST_PROXY_SSL=true
|
|
# extra_hosts:
|
|
# - ldap.easypi.duckdns.org:x.x.x.x
|
|
# depends_on:
|
|
# - openldap
|
|
# restart: unless-stopped
|
|
```
|
|
|
|
> :warnning: I haven't figured out how to connect [phpldapadmin][1] to openladp via STARTTLS:
|
|
>> openldap_1 | 5d8a7abe conn=1023 fd=12 ACCEPT from IP=172.29.0.1:59342 (IP=0.0.0.0:389)
|
|
>> openldap_1 | 5d8a7abe conn=1023 op=0 EXT oid=1.3.6.1.4.1.1466.20037
|
|
>> openldap_1 | 5d8a7abe conn=1023 op=0 STARTTLS
|
|
>> openldap_1 | 5d8a7abe conn=1023 op=0 RESULT oid= err=0 text=
|
|
>> openldap_1 | 5d8a7abe conn=1023 fd=12 TLS established tls_ssf=256 ssf=256
|
|
>> openldap_1 | 5d8a7abe conn=1023 fd=12 closed (connection lost)
|
|
|
|
## Create Keys and Certificates
|
|
|
|
```bash
|
|
openssl req \
|
|
-x509 -nodes -days 3650 -sha256 \
|
|
-subj '/C=US/ST=Oregon/L=Portland/CN=easypi.duckdns.org' \
|
|
-newkey rsa:2048 -keyout ca.key -out ca.crt
|
|
|
|
openssl req \
|
|
-new -sha256 -newkey rsa:2048 -nodes \
|
|
-subj '/CN=ldap.easypi.duckdns.org/O=EasyPi/C=US/ST=Oregon/L=Portland' \
|
|
-keyout ldap.key -out ldap.csr
|
|
|
|
openssl x509 \
|
|
-req -days 3650 -sha256 \
|
|
-in ldap.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
|
|
-out ldap.crt
|
|
```
|
|
|
|
## Test the STARTTLS & SSL connections
|
|
|
|
```bash
|
|
$ docker-compose exec openldap bash
|
|
>>> ldapwhoami -H ldap://ldap.easypi.duckdns.org -x -ZZ
|
|
anonymous
|
|
>>> ldapwhoami -H ldaps://ldap.easypi.duckdns.org -x -D cn=admin,dc=ldap,dc=easypi,dc=duckdns,dc=org -w admin
|
|
dn:cn=admin,dc=ldap,dc=easypi,dc=duckdns,dc=org
|
|
>>> ldapsearch -H ldaps://ldap.easypi.duckdns.org -b dc=ldap,dc=easypi,dc=duckdns,dc=org -D cn=admin,dc=ldap,dc=easypi,dc=duckdns,dc=org -w admin
|
|
...
|
|
```
|
|
|
|
## GUI Client
|
|
|
|
- https://directory.apache.org/
|
|
|
|
## References
|
|
|
|
- https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
|
|
|
|
[1]: https://github.com/commandprompt/phpldapadmin/blob/master/config/config.php.example
|