This is the default behavior when you run this image. It will create an empty ldap for the company Example Inc. and the domain example.org.
Two passwords are required to startup the container:
LDAP_ADMIN_PASSWORD Ldap admin password for cn=admin,dc=example,dc=orgLDAP_CONFIG_PASSWORD Ldap admin password for cn=admin,dc=example,dc=orgThe command to run this container is:
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
To test the container a LDAP search could be issued:
podman exec -it openldap ldapsearch -x -W -H ldapi:/// -b dc=example,dc=org -D "cn=admin,dc=example,dc=org"
In all examples, podman can be replaced directly with docker.
The directories /var/lib/ldap (LDAP database files) and
/etc/openldap/slapd.d (LDAP config files) are used to store the schema and
data information. They will be re-created at every container startup if they
are not mapped as volumes, means your ldap files are saved outside the
container. Normally this data should be stored, but for various use-cases it
could be usefull to throw them away afterwards.
If the UID and GID of the ldap user needs to match in the container and in the
host, the LDAP_UID and LDAP_GID environment variables needs to be set
explicitly:
podman run -d --rm --name openldap -p 389:389 -p 636:636 -e LDAP_UID=333 -e LDAP_GID=333 -e LDAP_ADMIN_PASSWORD="admin" -e LDAP_CONFIG_PASSWORD="config" registry.opensuse.org/opensuse/openldap
Since slapd.conf is not used the ldap utils ldapmodify, ldapadd and
ldapdelete are required to adjust the server configuration.
This image can load ldif and schema files at startup from an internal path. This is useful if a continuous integration service mounts automatically the working copy (sources) into a docker service, which has a relation to the ci job.
In order to seed ldif or schema files from internal path you must set the
specific environment variable LDAP_SEED_LDIF_PATH and/or
LDAP_SEED_SCHEMA_PATH. If set this will copy any .ldif or .schema file
into the default seeding directories of this image.
TLS is be default configured and enabled. If no certificate is provided, a
self-signed one is created during container startup for the container
hostname. The container hostname can be set e.g. by
podman run --hostname ldap.example.org ...
You can set your custom certificate at run time, by mounting a volume with the certificates into the container and adjusting the following environment variables:
podman run -v /srv/openldap/certs:/etc/openldap/certs:Z \
-e LDAP_TLS_CRT=/etc/openldap/certs/ldap.crt \
-e LDAP_TLS_KEY=/etc/openldap/certs/ldap.key \
-e LDAP_TLS_CA_CRT=/etc/openldap/certs/ca.crt \
-d registry.opensuse.org/opensuse/openldap:latest
The variables LDAP_TLS_CA_CRT, LDAP_TLS_CRT and LDAP_TLS_KEY are stored
during the first start of the container in the LDAP configuration. Changes to
the variables on further starts will have no affect.
An example with certificates from Let's Encrypt:
podman run -v /etc/letsencrypt:/etc/letsencrypt \
-e LDAP_TLS_CRT=/etc/letsencrypt/live/example.org/cert.pem \
-e LDAP_TLS_KEY=/etc/letsencrypt/live/example.org/privkey.pem \
-e LDAP_TLS_CA_CRT=/etc/letsencrypt/live/example.org/fullchain.pem \
-d registry.opensuse.org/opensuse/openldap:latest
Add --env LDAP_TLS=0 to the run command: podman run -e LDAP_TLS=0 ...
DEBUG=[0|1] Enables "set -x" in the entrypoint scriptTZ Timezone to use in the containerLDAP_DOMAIN Ldap domain. Defaults to example.orgLDAP_BASE_DN Ldap base DN. If empty automatically set from LDAP_DOMAIN value. Defaults to (empty)LDAP_ORGANIZATION Organization name. Defaults to Example Inc.LDAP_ADMIN_PASSWORD Ldap admin password. It's required to supply one if no database exists at startup.LDAP_CONFIG_PASSWORD Ldap config password. It's required to supply one if no database exists at startup.LDAP_BACKEND Database backend, defaults to mdbLDAP_SEED_LDIF_PATH Path with additional ldif files which will be loadedLDAP_SEED_SCHEMA_PATH Path with additional schema which will be loadedLDAP_TLS=[1|0] Enable TLS. Defaults to 1 (true).LDAP_TLS_CA_CRT LDAP ssl CA certificate. Defaults to /etc/openldap/certs/openldap-ca.crt.LDAP_TLS_CA_KEY Private LDAP CA key. Defaults to /etc/openldap/certs/openldap-ca.key.LDAP_TLS_CRT LDAP ssl certificate. Defaults to /etc/openldap/certs/tls.crt.LDAP_TLS_KEY Private LDAP ssl key. Defaults to /etc/openldap/certs/tls.key.LDAP_TLS_DH_PARAM LDAP ssl certificate dh param file.LDAP_TLS_ENFORCE=[0|1] Enforce TLS but except ldapi connections. Defaults to 0 (false).LDAP_TLS_CIPHER_SUITE TLS cipher suite.LDAP_TLS_VERIFY_CLIENT TLS verify client. Defaults to demand.LDAP_NOFILE Number of open files (ulimt -n), default 1024LDAP_PORT Port for ldap:///, defaults to 389LDAPS_PORT Port for ldaps:///, defaults to 636LDAPI_URL Ldapi url, defaults to ldapi:///run/slapd/ldapiLDAP_UID UID of ldap user. All LDAP related files will be changed to this UIDLDAP_GID GID of ldap group. All LDAP related files will be changed to this GIDLDAP_BACKEND Database backend, defaults to mdbSLAPD_LOG_LEVEL Slapd debug devel, defaults to 0SETUP_FOR_MAILSERVER The mail organization will be created (ldif/mailserver/), defaults to 0/etc/openldap/certs TLS certificates for slapd/etc/openldap/slapd.d Slapd configuration files/var/lib/ldap OpenLDAP database