A Docker image to run an OpenLDAP cluster.
OpenLDAP website: www.openldap.org
There are other popular open source LDAP directory servers, such as 389DS and ApacheDS, but OpenLDAP is still the stable, mature reference implementation.
This is an OpenLDAP-based Docker image that can be deployed as an OpenLDAP (multi-)master and/or slave, plus a stack.yml
that showcases a cluster deployment as shown in the picture.
We are providing it here because we need a flexible, centralized LDAP user-management backend for our project, and existing solutions such as the cool stuff from Osixia don't fit us perfectly.
It's available via Dockerhub.
You start and stop the stack as usual:

```sh
docker-compose -f stack.yml up -d [--build]
docker-compose -f stack.yml down
```
Access the LDAP slave frontends (through the NGINX ingress on the default LDAPS port 636) and the master backends (port 42636):

```sh
# frontend
ldapsearch -LLL -H ldaps://localhost -D 'cn=Configuration Manager,cn=config' -w root -b 'cn=config'
ldapsearch -LLL -H ldaps://localhost -D 'cn=Directory Manager,o=example' -w root -b 'o=example'
# backend
ldapsearch -LLL -H ldaps://localhost:42636 -D 'cn=Configuration Manager,cn=config' -w root -b 'cn=config'
ldapsearch -LLL -H ldaps://localhost:42636 -D 'cn=Directory Manager,o=example' -w root -b 'o=example'
```

The `-w root` here is the default DSC_ROOT_PASS; change it (and the other DSC_*_PASS defaults, see below) before the stack is reachable by anyone else, and outside of throwaway tests prefer `-W` (prompt) or `-y <file>` over `-w`, which leaves the password in shell history and in `ps` output. Note also that ldapsearch verifies the server certificate by default (TLS_REQCERT demand), so if the ingress presents a certificate your client does not trust, point TLS_CACERT in ldap.conf or ~/.ldaprc at the issuing CA rather than lowering TLS_REQCERT.
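A successful ldapsearch against each port shows that the nodes answer, not that replication between them works. The following check, added here as an example and not part of the dsc project or of OpenLDAP, fetches the contextCSN values of the suffix entry from every node and compares the sets: a syncrepl node carries one contextCSN per serverID, and nodes that are in sync hold identical sets. It assumes the ldapsearch client from the OpenLDAP tools is installed, that the reader account from the configuration table (cn=reader,ou=admins,{{DSC_DB_SUFFIX}}) is allowed to read contextCSN, a password file `./read.pass` (assumed name) and the node list in DSC_NODES (assumed variable; the ports are the README's 636 and 42636).

```sh
#!/bin/sh
# Replication consistency check for a dsc OpenLDAP cluster (added example, not
# part of the dsc project). Every node of a syncrepl cluster holds one
# contextCSN value per serverID in its suffix entry; when the nodes are in sync
# the sets are identical, so comparing them is a cheap end-to-end check.
#
# Assumptions not taken from the README: ldapsearch is on PATH, the reader
# account may read contextCSN, its password is in ./read.pass, and the node
# URLs in DSC_NODES.
set -u

SUFFIX="${DSC_DB_SUFFIX:-o=example}"
BIND_DN="cn=reader,ou=admins,${SUFFIX}"          # read-only account from the table
PASS_FILE="${DSC_READ_PASS_FILE:-./read.pass}"   # assumed; read with -y, never passed via -w
NODES="${DSC_NODES:-ldaps://localhost:636 ldaps://localhost:42636}"  # assumed frontend/backend

# Fetch the suffix entry's contextCSN attribute(s) from one node as LDIF.
# -s base restricts the search to the suffix entry; -o ldif-wrap=no keeps each
# value on one line so sed can match it.
fetch_csn() {
    ldapsearch -LLL -o ldif-wrap=no -H "$1" -D "$BIND_DN" -y "$PASS_FILE" \
        -s base -b "$SUFFIX" contextCSN
}

# LDIF on stdin -> contextCSN values, one per line, sorted so that two sets
# compare reliably regardless of the order slapd returned them in.
csn_set() {
    sed -n 's/^contextCSN: //p' | sort
}

# URL -> sorted CSN set of that node; fails if the query itself failed.
node_csn() {
    ldif=$(fetch_csn "$1") || return 1
    printf '%s\n' "$ldif" | csn_set
}

# contextCSN value -> the serverID that produced it (3rd '#'-separated field
# of TIMESTAMP#COUNT#SID#MOD).
csn_sid() {
    printf '%s\n' "$1" | cut -d'#' -f3
}

# Compare the CSN set of the reference node ($1) with another node's ($2), both
# newline-separated. Prints one line per serverID that differs or is missing
# and returns 1 in that case; returns 0 when the sets are identical.
csn_compare() {
    ref="$1"; other="$2"; rc=0
    for csn in $ref; do
        if ! printf '%s\n' "$other" | grep -qxF "$csn"; then
            sid=$(csn_sid "$csn")
            have=$(printf '%s\n' "$other" | awk -F'#' -v s="$sid" '$3 == s')
            echo "serverID $sid: reference=$csn node=${have:-<none>}"
            rc=1
        fi
    done
    if [ $rc -eq 0 ] && [ "$ref" != "$other" ]; then
        echo "node has contextCSN values the reference lacks"; rc=1
    fi
    return $rc
}

# Query every node in NODES and compare each one against the first.
# Exit status: 0 all in sync, 1 at least one node differs, 2 a node was unreachable.
check_cluster() {
    set -- $NODES
    ref_node="$1"; shift
    ref=$(node_csn "$ref_node") || { echo "$ref_node: query failed"; return 2; }
    [ -n "$ref" ] || { echo "$ref_node: no contextCSN visible (empty suffix or ACL)"; return 2; }
    status=0
    for node in "$@"; do
        if ! other=$(node_csn "$node"); then
            echo "$node: query failed"; status=2; continue
        fi
        if diff_out=$(csn_compare "$ref" "$other"); then
            echo "$node: in sync with $ref_node"
        else
            echo "$node: OUT OF SYNC with $ref_node"; echo "$diff_out"; status=1
        fi
    done
    return $status
}

# Run the check only when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    check_cluster
fi
```

Run it as `sh check_sync.sh run` after the stack is up. Comparing contextCSN is preferable to comparing entry counts: a lagging node can hold the same number of entries and still miss the latest modifications, while a serverID whose CSN is missing on a node means that node has never received anything from that master.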
Eclipse Photon with Apache Directory Studio 2.0.0.v20180908-M14 is known to work as an LDAP GUI workhorse.
Of course, you can build it yourself as usual:

```sh
docker build --tag=dsc dsc/
```
Basic configuration via environment variables:

environment variable | default | purpose |
---|---|---|
DSC_SLAVE | no | run as a slave; master mode is the default |
DSC_SERVER_ID | 1 | unique server id for masters |
DSC_DB_SUFFIX | o=example | database suffix |
DSC_MASTERS | ldap://localhost | other masters to sync with |
DSC_ROOT_PASS | root | password for cn=Configuration Manager,cn=config and cn=Directory Manager,{{DSC_DB_SUFFIX}} |
DSC_ADMIN_PASS | admin | password for cn=admin,ou=admins,{{DSC_DB_SUFFIX}} |
DSC_READ_PASS | read | password for cn=reader,ou=admins,{{DSC_DB_SUFFIX}} |
DSC_SYNC_PASS | sync | password for cn=sync,ou=admins,{{DSC_DB_SUFFIX}} |

The four DSC_*_PASS defaults are trivial and listed here, so set all of them before the stack is reachable by anyone else. DSC_ROOT_PASS protects both the server configuration (cn=config) and the directory root, and DSC_SYNC_PASS belongs to the replication account, so either one leaks the whole directory.
See docker-entrypoint.sh for more details and stack.yml for an example.
We are using:
- Alpine as container OS
- Alpine OpenLDAP packages
- Tini as explicit init for containers instead of `--init`
- mo as mustache template engine
- NGINX as ingress TCP loadbalancer with TLS termination or bridging
Still to do:
- add self service to the stack
- add SASL pass-through auth to the stack
- provide a default password policy
- add OpenID Connect provider to the stack
- make TLS and sync replication more configurable
- streamline ACL
- document pre-defined DIT model
- provide Helm K8s example deployment
Written with StackEdit.