Managing users, groups and their various permissions is one of the vital tasks for system admins in any organization. To make it easier, many opt to use a directory service. This provides a centralised database that holds all the information about resources and entities in a computer network. It makes it easier to access and manage information about the various resources on the network such as users, computers, printers, applications, and other devices. Microsoft Active Directory is one of the most widely used directory services; others include Novell eDirectory and LDAP-based directories.
The Lightweight Directory Access Protocol (LDAP) is a protocol used to access and modify X.500-based directory services over TCP/IP. It can be used for authentication and for sharing information about users, systems and applications across the network.
OpenLDAP is an open-source implementation of LDAP. It provides a rich set of command-line tools that make it easier to build and manage an LDAP directory. There are several other reasons why OpenLDAP is preferred. Some of them include:
- It is cost-effective, being free and open-source
- It has full compliance with the LDAP Data Interchange Format (LDIF) version 1
- It supports Simple Authentication and Security Layer (SASL) and Transport Layer Security (TLS)
- It is flexible, which gives it broad applicability
- It supports Internet Protocol version 6 (IPv6)
- It has cross-platform support for Mac, Windows, and Linux systems
In this guide, we will learn how to run OpenLDAP in a Bitnami Docker container. This method of installation is easier as it eliminates the hassle involved in setting up OpenLDAP from scratch. Thanks to Bitnami for packaging all the dependencies and libraries required to run OpenLDAP in a lightweight container.
1. Install Docker Container Engine
Before we dive in, it is recommended that you have Docker Engine and Docker Compose installed. To achieve that, you can use the guides below:
Verify the installation by running the commands:
$ docker version
Client: Docker Engine - Community
Version: 24.0.6
API version: 1.43
Go version: go1.20.7
Git commit: ed223bc
Built: Mon Sep 4 12:32:10 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.6
API version: 1.43 (minimum version 1.12)
Go version: go1.20.7
$ docker-compose version
Docker Compose version v2.23.0
2. Configure the OpenLDAP Container
When running OpenLDAP, there are quite a number of configurations you need to make. The Bitnami Docker container supports a number of configurations or environment variables. Below are some of the supported variables:
- LDAP_PORT_NUMBER: This is the port on which OpenLDAP is listening for requests. The default supported port here is 1389
- LDAP_ROOT: This is the baseDN of your LDAP tree. For example dc=example,dc=org
- LDAP_ADMIN_USERNAME: This is the admin user for the LDAP database
- LDAP_ADMIN_PASSWORD: The desired password for the admin user.
- LDAP_ADMIN_PASSWORD_FILE: You can use this to point to the file that contains the LDAP database admin user password instead of specifying the password directly in the YAML
- LDAP_CONFIG_ADMIN_ENABLED: This is used to specify whether to create a configuration admin user. Default: no
- LDAP_CONFIG_ADMIN_USERNAME: The username for the LDAP configuration admin user. This is separate from LDAP_ADMIN_USERNAME. Default: admin.
- LDAP_CONFIG_ADMIN_PASSWORD: A password for the config admin.
- LDAP_CONFIG_ADMIN_PASSWORD_FILE: This points to a file containing the LDAP configuration admin user password.
- LDAP_USERS: This is a list of users on your LDAP separated by commas. The users will be created in the default tree. For example user01,user02
- LDAP_PASSWORDS: A list of passwords to use for the LDAP users. For example: bitnami1,bitnami2
- LDAP_USER_DC: This is the users’ organizational unit. The default value is users.
- LDAP_GROUP: This is the group used for newly created users. Default: readers
- LDAP_EXTRA_SCHEMAS: This is used to add extra schemas among the OpenLDAP’s distributed schemas. Default: cosine, inetorgperson, nis
- LDAP_SKIP_DEFAULT_TREE: Used to specify whether to skip creating the default LDAP tree based on LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_DC and LDAP_GROUP.
- LDAP_CUSTOM_LDIF_DIR: Used to specify the location of LDIF files that should be used to bootstrap the database.
- LDAP_CUSTOM_SCHEMA_FILE: The location of a schema file that could not be added as a custom ldif file.
- LDAP_CUSTOM_SCHEMA_DIR: This is the directory of the custom schemas that could not be added as custom ldif files.
- LDAP_ULIMIT_NOFILES: This is the maximum number of open file descriptors. Default: 1024.
- LDAP_PASSWORD_HASH: The hash scheme to use when generating user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, or {CLEARTEXT}. Default: {SSHA}.
- LDAP_PPOLICY_HASH_CLEARTEXT: Used to specify whether plaintext passwords should be hashed automatically. Will only be applied with LDAP_CONFIGURE_PPOLICY active. Default: no.
You also have the option to secure OpenLDAP using the following variables:
- LDAP_ENABLE_TLS: Used to specify whether to enable TLS for traffic or not. Defaults to no.
- LDAP_REQUIRE_TLS: Used to set whether connections must use TLS. Will only be applied with LDAP_ENABLE_TLS active. Defaults to no.
- LDAP_LDAPS_PORT_NUMBER: This is the port used for TLS-secured traffic. A privileged port is supported (e.g. 636). Default: 1636 (non-privileged port).
- LDAP_TLS_CERT_FILE: This is the file that contains the certificate file for the TLS traffic. No defaults.
- LDAP_TLS_KEY_FILE: the file that contains the key for the certificate. No defaults.
- LDAP_TLS_CA_FILE: The file with the CA of the certificate. No defaults.
- LDAP_TLS_DH_PARAMS_FILE: The file that has the DH parameters. No defaults.
For example, you can use a YAML file with the below syntax to secure your OpenLDAP instance.
services:
  openldap:
    ...
    environment:
      ...
      - LDAP_ENABLE_TLS=yes
      - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt
      - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key
      - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt
      ...
    volumes:
      - /path/to/certs:/opt/bitnami/openldap/certs
      - /path/to/openldap-data-persistence:/bitnami/openldap/
    ...
In this guide, we will use Docker Compose to configure and run the OpenLDAP Bitnami container. First, we will download the sample Docker Compose file:
curl -sSL https://raw.githubusercontent.com/bitnami/containers/main/bitnami/openldap/docker-compose.yml > docker-compose.yml
You can then proceed and modify the container as desired.
vim docker-compose.yml
In the file, you can update values as desired. In this guide, we will use the latest available Docker image and update the configs to suit our environment.
# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0
version: '2'
services:
  openldap:
    image: docker.io/bitnami/openldap:latest
    ports:
      - '389:1389'
      - '636:1636'
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user01,user02
      - LDAP_PASSWORDS=password1,password2
      - LDAP_ROOT=dc=computingforgeeks,dc=org
      - LDAP_ADMIN_DN=cn=admin,dc=computingforgeeks,dc=org
    volumes:
      - 'openldap_data:/bitnami/openldap'
volumes:
  openldap_data:
    external: true
Once all the desired settings have been made, save the file and proceed as shown below.
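Before starting the container it is worth checking the values in the environment block. The following POSIX shell script is an added example, not part of this guide or of the Bitnami image: it reads the LDAP_* settings from a compose file and flags the things that commonly go wrong or weaken the deployment (LDAP_USERS and LDAP_PASSWORDS of different lengths, the sample admin password left in place, a weak LDAP_PASSWORD_HASH, TLS left off or enabled without its certificate files). It embeds a constructed copy of the environment block above so that it runs offline; the function names are assumptions.

```shell
# Added preflight check for a Bitnami OpenLDAP docker-compose.yml (helper names are assumed).
# compose_env FILE VAR: print the value of VAR from the "environment:" list of the compose file.
compose_env() {
  grep -E "^[[:space:]]*-[[:space:]]*['\"]?$2=" "$1" | head -n 1 \
    | sed -E "s/^[[:space:]]*-[[:space:]]*['\"]?$2=//; s/['\"]?[[:space:]]*$//"
}
# count_items "a,b": number of comma-separated entries (0 for an empty string).
count_items() { printf '%s\n' "$1" | tr ',' '\n' | grep -c . || true; }

# check_openldap_compose FILE: print one line per finding; return the number of findings.
check_openldap_compose() {
  f="$1"; problems=0
  if [ "$(count_items "$(compose_env "$f" LDAP_USERS)")" -ne \
       "$(count_items "$(compose_env "$f" LDAP_PASSWORDS)")" ]; then
    echo "LDAP_USERS and LDAP_PASSWORDS do not have the same number of entries"; problems=$((problems + 1))
  fi
  case "$(compose_env "$f" LDAP_ADMIN_PASSWORD)" in
    ""|adminpassword) echo "LDAP_ADMIN_PASSWORD is unset or the sample default; set a strong one or use LDAP_ADMIN_PASSWORD_FILE"
                      problems=$((problems + 1)) ;;
  esac
  hash=$(compose_env "$f" LDAP_PASSWORD_HASH)
  case "$hash" in
    "{CLEARTEXT}"|"{MD5}"|"{SMD5}"|"{SHA}") echo "LDAP_PASSWORD_HASH=$hash is weak; keep the {SSHA} default"
                                           problems=$((problems + 1)) ;;
  esac
  if [ "$(compose_env "$f" LDAP_ENABLE_TLS)" = yes ]; then
    for v in LDAP_TLS_CERT_FILE LDAP_TLS_KEY_FILE LDAP_TLS_CA_FILE; do  # TLS needs all three files
      [ -n "$(compose_env "$f" "$v")" ] || { echo "LDAP_ENABLE_TLS=yes but $v is not set"; problems=$((problems + 1)); }
    done
  else
    echo "TLS is not enabled: binds on port 389 send passwords in cleartext"; problems=$((problems + 1))
    [ "$(compose_env "$f" LDAP_REQUIRE_TLS)" = yes ] && echo "LDAP_REQUIRE_TLS=yes is ignored while LDAP_ENABLE_TLS is not yes"
  fi
  return "$problems"
}

# write_sample_compose FILE: constructed copy of the environment block used in this guide.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  openldap:
    image: docker.io/bitnami/openldap:latest
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user01,user02
      - LDAP_PASSWORDS=password1,password2
      - LDAP_ROOT=dc=computingforgeeks,dc=org
EOF
}
```

Run `check_openldap_compose docker-compose.yml` against your real file; a non-zero return value is the number of findings to review before `docker compose up`.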
3. Create the OpenLDAP Persistent Volume
For the container to persist its data after the system reboots, we need to have persistent storage created. Begin by creating the path on your host machine:
sudo mkdir -p /data/openldap
Set the required permission and ownership:
sudo chmod 775 -R /data/openldap
sudo chown -R $USER:docker /data/openldap
On RHEL-based systems, you also need to switch SELinux to permissive mode as shown:
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
Now create the volume as shown:
docker volume create --driver local \
  --opt type=none \
  --opt device=/data/openldap \
  --opt o=bind openldap_data
Check if the volume exists:
$ docker volume list
DRIVER VOLUME NAME
local openldap_data
4. Start OpenLDAP in Bitnami Docker Container
Once all the above configurations have been made, we can proceed and start the container using the command:
docker compose up -d
Sample Output:
[+] Running 2/2
✔ openldap 1 layers [⣿] 0B/0B Pulled 5.6s
✔ f041216ccfa5 Pull complete 1.2s
[+] Running 2/2
✔ Network debian_default Created 0.1s
✔ Container debian-openldap-1 Started 0.5s
Check if the container is up:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bc79a32a90dc bitnami/openldap:latest "/opt/bitnami/script…" 42 seconds ago Up 41 seconds 0.0.0.0:389->1389/tcp, :::389->1389/tcp, 0.0.0.0:636->1636/tcp, :::636->1636/tcp debian-openldap-1
Now allow the ports through the firewall:
##For UFW
sudo ufw allow 389/tcp
sudo ufw allow 636/tcp
##For Firewalld
sudo firewall-cmd --add-port=389/tcp --permanent
sudo firewall-cmd --add-port=636/tcp --permanent
sudo firewall-cmd --reload
5. Setup OpenLDAP Client
To test that everything works, we can set up the OpenLDAP client on the desired system. There are several guides on how to set up an OpenLDAP client.
In this guide, we will set up an Ubuntu client. The first thing to do is to set the hostname of the client:
sudo hostnamectl set-hostname ldapclient.computingforgeeks.org
Next, configure name resolution by updating /etc/hosts:
$ sudo vim /etc/hosts
##OpenLDAP server
192.168.200.56 ldapmaster.computingforgeeks.org
##OpenLDAP Client
192.168.200.52 ldapclient.computingforgeeks.org
Ensure that the client can reach the OpenLDAP server:
$ sudo ping -c3 ldapmaster.computingforgeeks.org
PING ldapmaster.computingforgeeks.org (192.168.200.56) 56(84) bytes of data.
64 bytes from ldapmaster.computingforgeeks.org (192.168.200.56): icmp_seq=1 ttl=64 time=0.232 ms
64 bytes from ldapmaster.computingforgeeks.org (192.168.200.56): icmp_seq=2 ttl=64 time=0.248 ms
64 bytes from ldapmaster.computingforgeeks.org (192.168.200.56): icmp_seq=3 ttl=64 time=0.232 ms
--- ldapmaster.computingforgeeks.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2032ms
rtt min/avg/max/mdev = 0.232/0.237/0.248/0.007 ms
Then install all the required packages:
sudo apt update -y && sudo apt -y install libnss-ldap libpam-ldap ldap-utils
Proceed and configure the LDAP URI. For our case, we will use the ldap://<hostname> or ldap://<IP> syntax as shown:
Set the root DN of your search base:
Set the LDAP version to be used:
Make the local root the database admin:
Answer the next question, "Does the LDAP database require login?", with No.
Set the root account:
Provide the password for the admin account:
Once the installation is complete, you will have your config saved at /etc/ldap.conf
Now open the file below and make these changes to the passwd and group lines:
$ sudo vim /etc/nsswitch.conf
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat
You also need to edit the file below, changing line 26 as shown:
$ sudo vim /etc/pam.d/common-password
##Line 26
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
You also need to allow the user’s home directory to be created on the first login. To achieve that, add the below line at the end of the file:
$ sudo vim /etc/pam.d/common-session
session optional pam_mkhomedir.so skel=/etc/skel umask=077
Now save the changes and test if you can log in to the system using the users created on OpenLDAP. For example:
ssh user01@localhost
Sample Output:

Verdict
That marks the end of the guide on how to run OpenLDAP in Bitnami Docker Container. I hope you learned something from it. See more on this page:
- How To Run OpenLDAP Server in Docker Containers
- Install and Configure OpenLDAP Server on Rocky Linux 8 / AlmaLinux 8
- Integrate TrueNAS with LDAP / Active Directory for user Authentication