This is the default behavior when you run this image. It will create an empty LDAP directory for the company Example Inc. and the domain example.org.
Two passwords are required to start the container:
LDAP_ADMIN_PASSWORD
LDAP admin password for cn=admin,dc=example,dc=org (the rootDN of the data database)
LDAP_CONFIG_PASSWORD
LDAP admin password for cn=admin,cn=config (the rootDN of the cn=config database)
The command to run this container is:
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
The values "admin" and "config" are placeholders: use strong passwords, and keep in mind that values passed with -e stay visible in podman inspect and in the container's environment.
To test the container, issue an LDAP search (-W prompts for the admin password):
podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org"
In all examples, podman can be replaced directly with docker.
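As an added example (not part of the image's own documentation), the following script starts the image with randomly generated passwords in place of the literal admin/config values above, keeps the database and cn=config in named volumes, and checks the admin bind over STARTTLS with -ZZ so that a fallback to cleartext fails instead of silently succeeding. It assumes podman and the OpenLDAP client tools (ldapsearch) on the host and free ports 389/636 on localhost. It sets LDAP_TLS_VERIFY_CLIENT=try because, with the documented default of demand, slapd terminates TLS sessions from clients that present no certificate. LDAPTLS_REQCERT=never is only acceptable for this throwaway self-signed instance; against a real CA, point LDAPTLS_CACERT at the CA file instead.

```shell
#!/bin/sh
# Added example: start registry.opensuse.org/opensuse/openldap with generated
# passwords and verify the admin bind over STARTTLS. Not part of the image.
# Assumptions: podman + ldapsearch on the host; ports 389/636 free on localhost.
set -eu

IMAGE="registry.opensuse.org/opensuse/openldap"
LDAP_HOSTNAME="ldap.example.org"
DOMAIN="example.org"

# 32 hex characters (128 bits) from /dev/urandom: no shell-quoting surprises.
gen_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# "example.org" -> "dc=example,dc=org", the derivation the image applies when
# LDAP_BASE_DN is left empty.
base_dn_from_domain() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

start_ldap() {
    admin_pw=$(gen_password)
    config_pw=$(gen_password)
    # Secrets go to 0600 files for later tooling (ldapsearch -y), not to stdout.
    ( umask 077
      printf '%s' "$admin_pw" > ./ldap_admin_password
      printf '%s' "$config_pw" > ./ldap_config_password )
    podman run -d --rm --name openldap \
        --hostname "$LDAP_HOSTNAME" \
        -p 389:389 -p 636:636 \
        -v openldap-data:/var/lib/ldap \
        -v openldap-config:/etc/openldap/slapd.d \
        -e LDAP_DOMAIN="$DOMAIN" \
        -e LDAP_ADMIN_PASSWORD="$admin_pw" \
        -e LDAP_CONFIG_PASSWORD="$config_pw" \
        -e LDAP_TLS_VERIFY_CLIENT=try \
        "$IMAGE"
}

verify_bind() {
    base_dn=$(base_dn_from_domain "$DOMAIN")
    tries=0
    # Poll the rootDSE anonymously until slapd accepts connections.
    until ldapsearch -x -H ldap://localhost:389 -b '' -s base >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "slapd did not start" >&2; return 1; }
        sleep 1
    done
    # -ZZ makes STARTTLS mandatory; -y uses the file content verbatim as the
    # password (hence no trailing newline when the file was written).
    LDAPTLS_REQCERT=never ldapsearch -x -ZZ -H ldap://localhost:389 \
        -D "cn=admin,$base_dn" -y ./ldap_admin_password \
        -b "$base_dn" -s base dn
}

# Run as "./start-ldap.sh run"; without the argument only the functions are defined.
if [ "${1:-}" = run ]; then
    start_ldap
    verify_bind
fi
```

The generated passwords still end up in the container's environment and in podman inspect, which is inherent to the -e interface of this image; restrict who can run podman on the host accordingly.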
The directories /var/lib/ldap (LDAP database files) and /etc/openldap/slapd.d (LDAP config files) store the schema and the data. They are re-created at every container startup unless they are mapped as volumes, which keeps your LDAP files outside the container. Normally this data should be persisted, but for various use cases (e.g. a throwaway CI instance) it can be useful to discard it afterwards.
If the UID and GID of the ldap user need to match between the container and the host (for example so that a mounted volume stays readable), the LDAP_UID and LDAP_GID environment variables need to be set explicitly:
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
Since slapd.conf is not used, the server configuration lives in the cn=config database (/etc/openldap/slapd.d) and is adjusted at run time with the LDAP utilities ldapmodify, ldapadd and ldapdelete, binding as cn=admin,cn=config with LDAP_CONFIG_PASSWORD.
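As an added example (not code from the image or its documentation), the script below applies two hardening changes through cn=config with ldapmodify: on cn=config it raises olcLogLevel to stats (one log line per operation, the basis of an audit trail) and disallows anonymous binds; on the data database it sets olcRequires: authc so the user tree can no longer be read without authenticating. It assumes the container is named openldap, that the config rootDN is cn=admin,cn=config with LDAP_CONFIG_PASSWORD as described above, and that the data database is the only one in cn=config carrying an olcSuffix. The database DN is looked up rather than hard-coded, because olcDatabase={1}mdb,cn=config is merely the usual value.

```shell
#!/bin/sh
# Added example: harden the running container through cn=config with ldapmodify.
# Not part of the image. Assumptions: container named "openldap"; config rootDN
# cn=admin,cn=config with LDAP_CONFIG_PASSWORD; exactly one database has olcSuffix.
set -eu

CONTAINER="${CONTAINER:-openldap}"

# Global settings on cn=config: log every operation and refuse anonymous binds.
global_hardening_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
-
replace: olcDisallows
olcDisallows: bind_anon
EOF
}

# Per-database setting: every operation in this tree needs an authenticated
# session, so the directory content is no longer readable anonymously.
db_hardening_ldif() {
    cat <<EOF
dn: $1
changetype: modify
replace: olcRequires
olcRequires: authc
EOF
}

# Run an LDAP tool inside the container over the ldapi socket, bound as the
# config rootDN. LDAP_CONFIG_PASSWORD is already in the container environment
# from "podman run -e", so it is not passed through the host again.
config_ldap() {
    tool="$1"; shift
    podman exec -i "$CONTAINER" sh -c \
        'tool="$1"; shift; exec "$tool" -x -H ldapi:/// -D cn=admin,cn=config -w "$LDAP_CONFIG_PASSWORD" "$@"' \
        sh "$tool" "$@"
}

# The entry that carries olcSuffix is the data database (typically
# olcDatabase={1}mdb,cn=config, but look it up instead of guessing).
find_db_dn() {
    config_ldap ldapsearch -LLL -b cn=config '(olcSuffix=*)' dn | sed -n 's/^dn: //p' | head -n 1
}

apply_hardening() {
    db_dn=$(find_db_dn)
    [ -n "$db_dn" ] || { echo "no database with olcSuffix found" >&2; return 1; }
    global_hardening_ldif | config_ldap ldapmodify
    db_hardening_ldif "$db_dn" | config_ldap ldapmodify
}

# Check from the host: an anonymous search of the tree must now be rejected.
check_hardening() {
    if ldapsearch -x -H ldap://localhost:389 -b "$1" -s base dn >/dev/null 2>&1; then
        echo "anonymous access still allowed" >&2
        return 1
    fi
    echo "anonymous access to $1 rejected, as intended"
}

# Run as "./harden-ldap.sh apply [base-dn]"; without arguments only functions are defined.
if [ "${1:-}" = apply ]; then
    apply_hardening
    check_hardening "${2:-dc=example,dc=org}"
fi
```

Before rolling this out, check which consumers rely on anonymous reads or anonymous binds (many applications that take a plain ldap:// URL do); they need a bind DN after this change. The documented ldapsearch test over ldapi keeps working because it binds as the admin.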
This image can load LDIF and schema files at startup from an internal path. This is useful when a continuous integration service automatically mounts the working copy (sources) of the CI job into the container.
To seed LDIF or schema files from that path, set the environment variable LDAP_SEED_LDIF_PATH and/or LDAP_SEED_SCHEMA_PATH. If set, any .ldif or .schema file found there is copied into the default seeding directories of this image.
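An added example of the CI use case (not from the image or its documentation): the script writes a seed LDIF with two organizational units, a service account and a group into a directory, starts the image with that directory mounted as LDAP_SEED_LDIF_PATH, and sets the service account's password afterwards with ldappasswd, so no password hash has to be committed next to the seed files. It assumes podman, a container named openldap, LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD exported in the calling shell, and that the base entry dc=example,dc=org exists before the seed files are loaded (the text above says the image creates the directory for example.org).

```shell
#!/bin/sh
# Added example: seed a CI instance through LDAP_SEED_LDIF_PATH and set the
# seeded account's password afterwards. Not part of the image. Assumptions:
# podman; base entry dc=example,dc=org exists before seeding; LDAP_ADMIN_PASSWORD
# and LDAP_CONFIG_PASSWORD are exported by the caller.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=org}"
SEED_DIR="${SEED_DIR:-./seed}"

# Organizational units, one service account and one group; no userPassword here.
seed_ldif() {
    base="$1"
    cat <<EOF
dn: ou=people,$base
objectClass: organizationalUnit
ou: people

dn: ou=groups,$base
objectClass: organizationalUnit
ou: groups

dn: uid=ci-bot,ou=people,$base
objectClass: inetOrgPerson
cn: CI Bot
sn: Bot
uid: ci-bot

dn: cn=ci,ou=groups,$base
objectClass: groupOfNames
cn: ci
member: uid=ci-bot,ou=people,$base
EOF
}

# Number of entries in an LDIF (file argument or stdin); a cheap CI sanity check.
count_entries() {
    grep -c '^dn: ' "$@"
}

run_seeded() {
    mkdir -p "$SEED_DIR"
    seed_ldif "$BASE_DN" > "$SEED_DIR/10-ci.ldif"
    echo "seeding $(count_entries "$SEED_DIR/10-ci.ldif") entries"
    podman run -d --rm --name openldap -p 389:389 -p 636:636 \
        -v "$SEED_DIR":/seed:Z \
        -e LDAP_SEED_LDIF_PATH=/seed \
        -e LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PASSWORD:?export LDAP_ADMIN_PASSWORD}" \
        -e LDAP_CONFIG_PASSWORD="${LDAP_CONFIG_PASSWORD:?export LDAP_CONFIG_PASSWORD}" \
        registry.opensuse.org/opensuse/openldap
}

wait_ready() {
    tries=0
    until podman exec openldap ldapsearch -x -H ldapi:/// -b '' -s base >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "slapd did not start" >&2; return 1; }
        sleep 1
    done
}

# The new password travels through the exec environment, not through argv on
# the host and not through the seed file; the admin password is already in the
# container environment from "podman run -e".
set_ci_password() {
    podman exec -e NEW_PW="$1" -e BASE_DN="$BASE_DN" openldap sh -c \
        'ldappasswd -x -H ldapi:/// -D "cn=admin,$BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -s "$NEW_PW" "uid=ci-bot,ou=people,$BASE_DN"'
}

# Run as "./seed-ldap.sh run"; without the argument only the functions are defined.
if [ "${1:-}" = run ]; then
    run_seeded
    wait_ready
    set_ci_password "$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')"
fi
```

Because the seed directory is a bind mount, the files stay owned by the CI user on the host; if the entrypoint copies them as the ldap user (LDAP_UID), make sure they are at least readable by that UID.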
TLS is configured and enabled by default. If no certificate is provided, a self-signed one is created during container startup for the container hostname. The container hostname can be set e.g. by
podman run --hostname ldap.example.org ...
Clients only trust that self-signed certificate if they are given the generated CA (see LDAP_TLS_CA_CRT below) or explicitly skip verification, so for anything beyond a throwaway instance provide your own certificate.
You can set your custom certificate at run time, by mounting a volume with the certificates into the container and adjusting the following environment variables:
podman run -v /srv/openldap/certs:/etc/openldap/certs:Z \
-e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \
-e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \
-e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \
-d registry.opensuse.org/opensuse/openldap:latest
The variables LDAP_TLS_CA_CRT, LDAP_TLS_CRT and LDAP_TLS_KEY are written into the LDAP configuration during the first start of the container. Changes to the variables on later starts have no effect (the paths are stored in cn=config, so changing the files behind the same paths does take effect after a restart). The private key must be readable by the ldap user inside the container (see LDAP_UID) and should not be world-readable on the host.
An example with certificates from Let's Encrypt:
podman run -v /etc/letsencrypt:/etc/letsencrypt \
-e LDAP_TLS_CRT=/etc/letsencrypt/live/example.org/cert.pem \
-e LDAP_TLS_KEY=/etc/letsencrypt/live/example.org/privkey.pem \
-e LDAP_TLS_CA_CRT=/etc/letsencrypt/live/example.org/fullchain.pem \
-d registry.opensuse.org/opensuse/openldap:latest
To disable TLS, add --env LDAP_TLS=0 to the run command: podman run -e LDAP_TLS=0 ... Without TLS, bind passwords and directory data cross the network in cleartext, so only do this when the container is reached exclusively over ldapi or over a network you already protect.
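As an added example (not from the image or its documentation), the script below checks the TLS side of a running container: it reads the certificate served on ldaps://, verifies that one of its DNS names covers the hostname clients will use (exact match or a one-label wildcard, the way TLS clients match names), and, for an instance started with LDAP_TLS_ENFORCE=1, verifies that a cleartext simple bind is refused while the same bind after STARTTLS succeeds. It assumes openssl (1.1.1 or newer, for x509 -ext) and ldapsearch on the host, that the hostname in HOST resolves to the host running the container (an /etc/hosts entry is enough), that the CA file given at first start is available as ./certs/ca.crt, that the admin password is in ./ldap_admin_password without a trailing newline, and that the container runs with LDAP_TLS_VERIFY_CLIENT=try (with the default demand, the STARTTLS bind would need a client certificate via LDAPTLS_CERT/LDAPTLS_KEY).

```shell
#!/bin/sh
# Added example: inspect the served certificate, match it against the client
# hostname, and check LDAP_TLS_ENFORCE=1 behaviour. Not part of the image.
# Assumptions: openssl >= 1.1.1 and ldapsearch on the host; HOST resolves to the
# container host; CA file and admin password file at the paths below.
set -eu

HOST="${HOST:-ldap.example.org}"          # the --hostname / certificate name
CA_FILE="${CA_FILE:-./certs/ca.crt}"

# Match one certificate DNS name against a hostname the way TLS clients do:
# exact match, or a "*." wildcard covering exactly one label (*.example.org
# covers ldap.example.org, not a.b.example.org and not example.org itself).
hostname_matches_san() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        '*.'*)
            suffix="${san#\*.}"
            label="${host%."$suffix"}"
            [ "$label" != "$host" ] || return 1        # host does not end in .suffix
            case "$label" in ''|*.*) return 1 ;; esac  # zero or several labels
            return 0 ;;
        *)
            [ "$san" = "$host" ] ;;
    esac
}

# Names in the server certificate: every DNS SAN plus the subject CN.
served_cert_names() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName \
        | grep -oE 'DNS:[^,]*|CN *= *[^,/]*' | sed 's/^DNS://; s/^CN *= *//'
}

# Exit status 0 if any served name covers the hostname. The loop runs in the
# pipeline's subshell, so "exit" there only sets the pipeline status.
cert_covers_host() {
    served_cert_names "$1" "$2" | {
        while IFS= read -r name; do
            hostname_matches_san "$name" "$1" && exit 0
        done
        exit 1
    }
}

# With LDAP_TLS_ENFORCE=1 a simple bind on plain ldap:// must be refused, and the
# same bind after STARTTLS (-ZZ, verified against the CA) must succeed.
check_tls_enforced() {
    base_dn="$1"; pw_file="$2"
    if ldapsearch -x -H "ldap://$HOST:389" -D "cn=admin,$base_dn" -y "$pw_file" \
            -b "$base_dn" -s base dn >/dev/null 2>&1; then
        echo "cleartext bind accepted: LDAP_TLS_ENFORCE is not in effect" >&2
        return 1
    fi
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -ZZ -H "ldap://$HOST:389" \
        -D "cn=admin,$base_dn" -y "$pw_file" -b "$base_dn" -s base dn >/dev/null
    echo "cleartext bind refused, STARTTLS bind accepted"
}

# Run as "./check-ldap-tls.sh check [base-dn] [password-file]".
if [ "${1:-}" = check ]; then
    if cert_covers_host "$HOST" 636; then
        echo "served certificate covers $HOST"
    else
        echo "served certificate does not cover $HOST" >&2; exit 1
    fi
    check_tls_enforced "${2:-dc=example,dc=org}" "${3:-./ldap_admin_password}"
fi
```

A name mismatch is the usual reason a client that was tested with LDAPTLS_REQCERT=never fails once verification is switched on; the self-signed certificate is issued for the container hostname, so clients must connect to exactly that name.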
DEBUG=[0|1]
    Enables "set -x" in the entrypoint script.
TZ
    Timezone to use in the container.
LDAP_DOMAIN
    LDAP domain. Defaults to example.org.
LDAP_BASE_DN
    LDAP base DN. If empty, automatically derived from LDAP_DOMAIN (example.org becomes dc=example,dc=org). Defaults to (empty).
LDAP_ORGANIZATION
    Organization name. Defaults to Example Inc.
LDAP_ADMIN_PASSWORD
    LDAP admin password. Required if no database exists at startup.
LDAP_CONFIG_PASSWORD
    LDAP config password. Required if no database exists at startup.
LDAP_BACKEND
    Database backend. Defaults to mdb.
LDAP_SEED_LDIF_PATH
    Path with additional LDIF files which will be loaded.
LDAP_SEED_SCHEMA_PATH
    Path with additional schema files which will be loaded.
LDAP_TLS=[1|0]
    Enable TLS. Defaults to 1 (true).
LDAP_TLS_CA_CRT
    LDAP TLS CA certificate. Defaults to /etc/openldap/certs/openldap-ca.crt.
LDAP_TLS_CA_KEY
    Private LDAP CA key. Defaults to /etc/openldap/certs/openldap-ca.key.
LDAP_TLS_CRT
    LDAP TLS server certificate. Defaults to /etc/openldap/certs/tls.crt.
LDAP_TLS_KEY
    Private LDAP TLS server key. Defaults to /etc/openldap/certs/tls.key.
LDAP_TLS_DH_PARAM
    DH parameter file for the TLS server.
LDAP_TLS_ENFORCE=[0|1]
    Enforce TLS for all connections except ldapi. Defaults to 0 (false).
LDAP_TLS_CIPHER_SUITE
    TLS cipher suite.
LDAP_TLS_VERIFY_CLIENT
    TLS client certificate verification (slapd TLSVerifyClient). Defaults to demand, which terminates the TLS session if the client presents no certificate or an invalid one; set it to try or never for clients without client certificates.
LDAP_NOFILE
    Number of open files (ulimit -n). Defaults to 1024.
LDAP_PORT
    Port for ldap:///. Defaults to 389.
LDAPS_PORT
    Port for ldaps:///. Defaults to 636.
LDAPI_URL
    ldapi URL. Defaults to ldapi:///run/slapd/ldapi.
LDAP_UID
    UID of the ldap user. All LDAP related files will be changed to this UID.
LDAP_GID
    GID of the ldap group. All LDAP related files will be changed to this GID.
SLAPD_LOG_LEVEL
    slapd debug level. Defaults to 0.
SETUP_FOR_MAILSERVER
    The mail organization will be created (ldif/mailserver/). Defaults to 0.

/etc/openldap/certs
    TLS certificates for slapd
/etc/openldap/slapd.d
    slapd configuration files
/var/lib/ldap
    OpenLDAP database