September 8, 2023

OpenLDAP Image and Custom LDIF with User and Group

Reference: https://hub.docker.com/r/bitnami/openldap

LDAP_PORT_NUMBER: The port OpenLDAP is listening on for requests. Privileged ports are supported (e.g. 1389). Default: 1389 (non-privileged port).

LDAP_ROOT: LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org

LDAP_ADMIN_USERNAME: LDAP database admin user. Default: admin

LDAP_ADMIN_PASSWORD: LDAP database admin password. Default: adminpassword

LDAP_CONFIG_ADMIN_ENABLED: Whether to create a configuration admin user. Default: no.

LDAP_USERS: Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02

LDAP_PASSWORDS: Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2

LDAP_USER_DC: DC for the users' organizational unit. Default: users

LDAP_GROUP: Group used to group created users. Default: readers

LDAP_ALLOW_ANON_BINDING: Allow anonymous bindings to the LDAP server. Default: yes.

LDAP_PASSWORD_HASH: Hash to be used in generation of user passwords. Must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. Default: {SSHA}.

LDAP_CUSTOM_LDIF_DIR: Location of a directory that contains LDIF files that should be used to bootstrap the database. Only files ending in .ldif will be used. Default LDAP tree based on the LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_DC and LDAP_GROUP will be skipped when LDAP_CUSTOM_LDIF_DIR is used. When using this it will override the usage of LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_DC and LDAP_GROUP. You should set LDAP_ROOT to your base to make sure the olcSuffix configured on the database matches the contents imported from the LDIF files. Default: /ldifs
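LDAP_PASSWORD_HASH only governs how the image hashes the passwords it generates for LDAP_USERS. Entries from a custom LDIF are added as written, so a `userPassword:: Yml0bmFtaTE=` line (base64 of the cleartext "bitnami1") leaves the cleartext in the directory. The following is an added example, not code from the original post or from the Bitnami image; it uses only the Python standard library to produce and verify {SSHA} values (base64 of SHA-1(password + salt) followed by the salt, the same layout slappasswd emits by default) so the hashed form can be pasted into the LDIF instead. The function names are this example's own.

```python
"""Generate and verify {SSHA} userPassword values for a custom LDIF (added example)."""
import base64
import hashlib
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value for `password`.

    The salt is random by default; passing one explicitly gives reproducible
    output, which is useful in tests but not in a real directory.
    """
    if salt is None:
        salt = os.urandom(8)  # 8 random salt bytes, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check `password` against a stored {SSHA} value; the salt is recovered from it."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_user_password(password: str, salt: Optional[bytes] = None) -> str:
    """Render a userPassword attribute line ready to paste into an LDIF entry.

    The {SSHA} value is plain ASCII, so the single-colon LDIF form is enough;
    the double-colon form only matters for values that are not safe ASCII.
    """
    return "userPassword: " + ssha_hash(password, salt)


if __name__ == "__main__":
    line = ldif_user_password("bitnami1")
    print(line)
    print("verifies:", ssha_verify("bitnami1", line.split(": ", 1)[1]))
```

Replace the two `userPassword::` lines in the LDIF with the output of `ldif_user_password(...)` for each user; ldapsearch will then return the `{SSHA}` value and binds still succeed because slapd compares against the hash.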

Create a new directory ldifs (mounted as /ldifs below) containing a custom LDIF file, ending in .ldif, with the base entry, Users and Groups:

dn: dc=magnuskkarlsson,dc=se
objectClass: dcObject
objectClass: organization
dc: magnuskkarlsson
o: Magnus K Karlsson

dn: ou=People,dc=magnuskkarlsson,dc=se
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=magnuskkarlsson,dc=se
objectClass: organizationalUnit
ou: Groups

## Users

dn: cn=john,ou=People,dc=magnuskkarlsson,dc=se
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
userPassword:: Yml0bmFtaTE=
cn: John
sn: Doe
mail: john.doe@domain.com
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/john

dn: cn=kate,ou=People,dc=magnuskkarlsson,dc=se
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: kate
userPassword:: Yml0bmFtaTE=
cn: Kate
sn: Doe
mail: kate.doe@domain.com
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/kate

## Groups

dn: cn=USER,ou=Groups,dc=magnuskkarlsson,dc=se
cn: USER
objectClass: groupOfNames
member: cn=john,ou=People,dc=magnuskkarlsson,dc=se
member: cn=kate,ou=People,dc=magnuskkarlsson,dc=se

dn: cn=ADMIN,ou=Groups,dc=magnuskkarlsson,dc=se
cn: ADMIN
objectClass: groupOfNames
member: cn=john,ou=People,dc=magnuskkarlsson,dc=se
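Because the image skips its default tree when LDAP_CUSTOM_LDIF_DIR is set, mistakes in the file only show up as ldapadd errors in the container log. The following is an added example, not part of the original post or the Bitnami image: a small LDIF parser plus the checks a practitioner would want before starting the container: every dn sits under LDAP_ROOT (the olcSuffix), each entry's parent is defined earlier in the file (ldapadd processes entries in order), uidNumber values are unique, groupOfNames members point at entries the file defines, and userPassword values carry a {SCHEME} prefix rather than cleartext. The embedded sample is a constructed, cut-down variant of the LDIF above with the Groups OU and the kate entry left out so the checks have something to report.

```python
"""Sanity-check a custom LDIF before bootstrapping OpenLDAP with it (added example)."""
import base64
from typing import Dict, List

LDAP_ROOT = "dc=magnuskkarlsson,dc=se"  # must equal the container's LDAP_ROOT

# Constructed sample: the page's LDIF without ou=Groups and without kate.
SAMPLE_LDIF = """\
dn: dc=magnuskkarlsson,dc=se
objectClass: dcObject
objectClass: organization
dc: magnuskkarlsson
o: Magnus K Karlsson

dn: ou=People,dc=magnuskkarlsson,dc=se
objectClass: organizationalUnit
ou: People

## Users

dn: cn=john,ou=People,dc=magnuskkarlsson,dc=se
objectClass: inetOrgPerson
objectClass: posixAccount
uid: john
userPassword:: Yml0bmFtaTE=
cn: John
sn: Doe
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/john

dn: cn=USER,ou=Groups,dc=magnuskkarlsson,dc=se
cn: USER
objectClass: groupOfNames
member: cn=john,ou=People,dc=magnuskkarlsson,dc=se
member: cn=kate,ou=People,dc=magnuskkarlsson,dc=se
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values written as 'attr:: value'. Attribute names are lowercased.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def norm_dn(dn: str) -> str:
    """Lowercase and strip whitespace around RDNs so DNs compare consistently."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_ldif(text: str, root: str = LDAP_ROOT) -> List[str]:
    """Return a list of findings (empty means the file passed every check)."""
    findings: List[str] = []
    root_n = norm_dn(root)
    seen: Dict[str, Dict[str, List[str]]] = {}
    uid_numbers: Dict[str, str] = {}
    for entry in parse_ldif(text):
        dn = norm_dn(entry.get("dn", [""])[0])
        if dn != root_n and not dn.endswith("," + root_n):
            findings.append(f"{dn}: outside LDAP_ROOT {root}")
        parent = dn.partition(",")[2]
        if dn != root_n and parent not in seen:
            findings.append(f"{dn}: parent {parent} not defined earlier in the file")
        for num in entry.get("uidnumber", []):
            if num in uid_numbers:
                findings.append(f"{dn}: uidNumber {num} already used by {uid_numbers[num]}")
            uid_numbers.setdefault(num, dn)
        for pw in entry.get("userpassword", []):
            if not pw.startswith("{"):
                findings.append(f"{dn}: userPassword stored in cleartext (no {{SCHEME}} prefix)")
        seen[dn] = entry
    for dn, entry in seen.items():
        for member in entry.get("member", []):
            if norm_dn(member) not in seen:
                findings.append(f"{dn}: member {member} is not defined in this file")
    return findings


if __name__ == "__main__":
    for finding in check_ldif(SAMPLE_LDIF):
        print(finding)
```

Run it against the real file with `check_ldif(open("ldifs/users.ldif").read())` (assumed file name); on the constructed sample it reports the cleartext password, the missing ou=Groups parent and the dangling kate member. DNs with escaped commas are not handled by `norm_dn`, which is enough for a tree like this one.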

Then start the container with the directory mounted as /ldifs:

$ podman run -d --name openldap \
    -e LDAP_ROOT=dc=magnuskkarlsson,dc=se \
    -e LDAP_ADMIN_USERNAME=admin \
    -e LDAP_ADMIN_PASSWORD=changeit \
    -e LDAP_CONFIG_ADMIN_ENABLED=true \
    -e LDAP_ALLOW_ANON_BINDING=false \
    -e LDAP_CUSTOM_LDIF_DIR=/ldifs \
    -p 1389:1389 \
    -p 1636:1636 \
    -v ./ldifs:/ldifs:Z \
    docker.io/bitnami/openldap:2.6
$ podman logs --follow openldap
...
 13:30:55.23 INFO  ==> Loading custom LDIF files...
 13:30:55.23 WARN  ==> Ignoring LDAP_USERS, LDAP_PASSWORDS, LDAP_USER_DC and LDAP_GROUP environment variables...
 13:30:56.35 INFO  ==> ** LDAP setup finished! **

And later, to stop and remove the container:

$ podman stop openldap; podman rm openldap

Now verify LDAP and its entries. First install the LDAP client tools:

$ sudo dnf install openldap-clients
$ ldapsearch -h
...
  -H URI     LDAP Uniform Resource Identifier(s)
  -D binddn  bind DN
  -x         Simple authentication  
  -w passwd  bind password (for simple authentication)
  -b basedn  base dn for search  
  -s scope   one of base, one, sub or children (search scope)
...

$ ldapsearch -H ldap://localhost:1389 -D cn=admin,dc=magnuskkarlsson,dc=se -w changeit -b dc=magnuskkarlsson,dc=se -s sub

GUI administration tool: Apache Directory Studio, the Eclipse-based LDAP tools.

https://magnus-k-karlsson.blogspot.com/2015/02/understanding-ldap-and-ldap.html