@enrichman
Last active May 10, 2024 13:46

Setup LDAP

Download the following Docker Compose configuration (from here, related comment)

docker-compose.yaml
version: '2'
services:
  openldap:
    image: osixia/openldap:1.5.0
    container_name: openldap
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "Example Inc."
      LDAP_DOMAIN: "example.org"
      LDAP_BASE_DN: ""
      LDAP_ADMIN_PASSWORD: "admin"
      LDAP_CONFIG_PASSWORD: "config"
      LDAP_READONLY_USER: "false"
      #LDAP_READONLY_USER_USERNAME: "readonly"
      #LDAP_READONLY_USER_PASSWORD: "readonly"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "true"
      LDAP_TLS_CRT_FILENAME: "ldap.crt"
      LDAP_TLS_KEY_FILENAME: "ldap.key"
      LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_VERIFY_CLIENT: "demand"
      LDAP_REPLICATION: "false"
      #LDAP_REPLICATION_CONFIG_SYNCPROV: 'binddn="cn=admin,cn=config" bindmethod=simple credentials="$$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical'
      #LDAP_REPLICATION_DB_SYNCPROV: 'binddn="cn=admin,$$LDAP_BASE_DN" bindmethod=simple credentials="$$LDAP_ADMIN_PASSWORD" searchbase="$$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical'
      #LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    volumes:
      - /var/lib/ldap
      - /etc/ldap/slapd.d
      - /container/service/slapd/assets/certs/
    ports:
      - "389:389"
      - "636:636"
    # For replication to work correctly, domainname and hostname must be
    # set correctly so that "hostname"."domainname" equates to the
    # fully-qualified domain name for the host.
    domainname: "example.org"
    hostname: "ldap-server"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "8083:80"
    depends_on:
      - openldap

Save it as openldap-compose.yaml and start it with:

docker compose -f openldap-compose.yaml up

Open phpLDAPadmin at: http://localhost:8083/

Note: the port of phpLDAPadmin was changed to 8083 to avoid conflicts with Rancher.

Log in to phpLDAPadmin with the FULL DN of the admin account:

cn=admin,dc=example,dc=org
admin

Create users

Create a new OU (Organizational Unit) called users at the top of the hierarchy.

In this OU create a new user with Create a child entry > Default:

Container: ou=users,dc=example,dc=org
ObjectClass: inetOrgPerson

then

RDN: cn
cn: enrico
sn: enrico
Password: password


Groups (optional)

To create a group, first create a new OU (Organizational Unit) called groups at the top of the hierarchy.

In this OU create a new group with Create a child entry > Default:

Container: ou=groups,dc=example,dc=org
ObjectClass: groupOfNames

then give it a name and add a user (or an OU) as a member:

RDN: cn
cn: dev1
member: cn=enrico,ou=users,dc=example,dc=org


Setup Rancher

Add the OpenLDAP authentication provider in Rancher. First find the IP of the LDAP container with:

docker inspect openldap | jq -r ".[].NetworkSettings.Networks[].IPAddress"
172.20.0.2

Then fill the fields:

Hostname/IP: 172.20.0.2
Service Account Distinguished Name: cn=admin,dc=example,dc=org
Service Account Password: admin
User Search Base: ou=users,dc=example,dc=org

and to test the authentication you can use the user created earlier:

enrico
password

Groups (optional)

If you want to set up groups as well, you will also need to fill in this field:

Groups Search Base: ou=groups,dc=example,dc=org

Debug

To run some queries manually (general form, then two examples against this setup):

ldapsearch -x -H <hostname> -D <bind_DN (account)> -w <password> -b <search_base> [filters]
docker exec openldap ldapsearch -x -H ldap://localhost \
  -D "cn=admin,dc=example,dc=org" -w admin \
  -b "ou=users,dc=example,dc=org" \
  "(&(objectClass=inetOrgPerson)(uid=enrico))"
docker exec openldap ldapsearch -x -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

More examples: https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
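The Debug search above interpolates a login name straight into the filter, and the Rancher "Test authentication" step is really two binds (service account search, then a bind as the user's DN). The following script, an added example that is not part of the gist, does both: it escapes the login name per RFC 4515 before building the filter, looks the user up with the service account, then binds as the found DN with the user's password. LDAP_HOST, BIND_DN, BIND_PW and LOGIN_ATTR are assumed environment variables defaulting to the gist's values; LOGIN_ATTR defaults to uid as in the Debug section, so set it to cn if your entries carry no uid attribute.

```shell
#!/bin/sh
# Added example, not from the original gist. Checks a user login the way the
# Debug section and the Rancher test do, with the filter value escaped.

LDAP_HOST="${LDAP_HOST:-ldap://localhost}"                # assumption: same host as the gist
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=org}"          # service account DN from the gist
BIND_PW="${BIND_PW:-admin}"                               # service account password from the gist
USER_BASE="${USER_BASE:-ou=users,dc=example,dc=org}"      # User Search Base from the gist
LOGIN_ATTR="${LOGIN_ATTR:-uid}"                           # attribute matched in the Debug filter

# Escape the characters RFC 4515 reserves inside a filter value.
# Backslash is replaced first so the escapes produced afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the same user lookup filter the Debug section uses, with a safe value.
user_filter() {
    printf '(&(objectClass=inetOrgPerson)(%s=%s))' "$LOGIN_ATTR" "$(ldap_filter_escape "$1")"
}

# Step 1: search for the user's DN with the service account (what Rancher does first).
find_user_dn() {
    docker exec openldap ldapsearch -x -LLL -H "$LDAP_HOST" \
        -D "$BIND_DN" -w "$BIND_PW" -b "$USER_BASE" "$(user_filter "$1")" dn \
        | sed -n 's/^dn: //p'
}

# Step 2: bind as that DN with the user's password (what Rancher does second).
# Returns 0 when the login succeeds, 1 when the user is missing or the password is wrong.
check_login() {
    dn="$(find_user_dn "$1")"
    [ -n "$dn" ] || { echo "no entry for login '$1' under $USER_BASE" >&2; return 1; }
    docker exec openldap ldapwhoami -x -H "$LDAP_HOST" -D "$dn" -w "$2" >/dev/null
}

# Usage: ./check_login.sh enrico password
if [ "$#" -eq 2 ]; then
    check_login "$1" "$2" && echo "login OK for $(find_user_dn "$1")"
fi
```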
