If you reproduce this content, please credit the source address: https://wiki.shileizcc.com/confluence/display/openldap/Docker+OpenLDAP


Docker OpenLDAP


Starting OpenLDAP with Docker is also very convenient: you only need to import your existing data into the data directory. OpenLDAP itself is still quite complex, so study it carefully.

The upstream (official) method.

Start with Docker:

$ docker run --volume /data/slapd/database:/var/lib/ldap --volume /data/slapd/config:/etc/ldap/slapd.d --detach osixia/openldap


Official docker-compose example:

docker-compose.yml
version: '2'
services:
  openldap:
    image: osixia/openldap:1.1.7
    container_name: openldap
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "Example Inc."
      LDAP_DOMAIN: "example.org"
      LDAP_BASE_DN: ""
      LDAP_ADMIN_PASSWORD: "admin"
      LDAP_CONFIG_PASSWORD: "config"
      LDAP_READONLY_USER: "false"
      #LDAP_READONLY_USER_USERNAME: "readonly"
      #LDAP_READONLY_USER_PASSWORD: "readonly"
      LDAP_BACKEND: "hdb"
      LDAP_TLS: "true"
      LDAP_TLS_CRT_FILENAME: "ldap.crt"
      LDAP_TLS_KEY_FILENAME: "ldap.key"
      LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
      LDAP_TLS_ENFORCE: "false"
      LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      LDAP_TLS_PROTOCOL_MIN: "3.1"
      LDAP_TLS_VERIFY_CLIENT: "demand"
      LDAP_REPLICATION: "false"
      #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
      #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
      #LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    volumes:
      - /var/lib/ldap
      - /etc/ldap/slapd.d
      - /container/service/slapd/assets/certs/
    ports:
      - "389:389"
      - "639:639"
    hostname: "example.org"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "8080:80"
    depends_on:
      - openldap

The UI for the admin/admin account is on port 8080; log in with the DN cn=admin,dc=example,dc=org and the password admin.


The official example configures TLS by default; if you don't need it, use:

docker-compose.yml
version: '2'
services:
  openldap:
    image: osixia/openldap:1.1.7
    container_name: openldap
    environment:
      LDAP_LOG_LEVEL: '256'
      LDAP_ORGANISATION: 'Example Inc.'
      LDAP_DOMAIN: 'shileizcc.com'
      LDAP_BASE_DN: "dc=shileizcc,dc=com"  # a DN, not a bare domain; leave empty to derive it from LDAP_DOMAIN
      LDAP_ADMIN_PASSWORD: 'admin'
      LDAP_CONFIG_PASSWORD: 'config'
      LDAP_READONLY_USER: 'false'
      #LDAP_READONLY_USER_USERNAME: 'readonly'
      #LDAP_READONLY_USER_PASSWORD: 'readonly'
      LDAP_BACKEND: 'hdb'
      LDAP_TLS: 'false'
      LDAP_TLS_CRT_FILENAME: 'ldap.crt'
      LDAP_TLS_KEY_FILENAME: 'ldap.key'
      LDAP_TLS_CA_CRT_FILENAME: 'ca.crt'
      LDAP_TLS_ENFORCE: 'false'
      LDAP_TLS_CIPHER_SUITE: 'SECURE256:-VERS-SSL3.0'
      LDAP_TLS_PROTOCOL_MIN: '3.1'
      LDAP_TLS_VERIFY_CLIENT: 'demand'
      LDAP_REPLICATION: 'false'
      LDAP_REPLICATION_CONFIG_SYNCPROV: "'binddn='cn=admin,cn=config' bindmethod=simple credentials=config searchbase='cn=config' type=refreshAndPersist retry='60 +' timeout=1 starttls=critical'"
      LDAP_REPLICATION_DB_SYNCPROV: "'binddn='cn=admin,dc=shileizcc,dc=com' bindmethod=simple credentials=admin searchbase='dc=shileizcc,dc=com' type=refreshAndPersist interval=00:00:00:10 retry='60 +' timeout=1 starttls=critical'"
      LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.shileizcc.com','ldap://ldap2.shileizcc.com']"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: 'true'
      LDAP_SSL_HELPER_PREFIX: 'ldap'
    tty: true
    stdin_open: true
    volumes:
      # anonymous volumes: after docker-compose down, the next up attaches fresh empty volumes;
      # bind-mount host paths (as in the docker run command above) to keep the directory data
      - /var/lib/ldap
      - /etc/ldap/slapd.d
      - /container/service/slapd/assets/certs/
    ports:
      - '389:389'
      - '639:639'
    hostname: 'example.org'
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: 'openldap'
      PHPLDAPADMIN_HTTPS: 'false'
    ports:
      - '8080:80'
    depends_on:
      - openldap

Log in to the UI:

After logging in you can create groups and users yourself.

Create them in this order: Organisational Unit => Posix Group => User Account.

Check the data from the console:

$ docker exec 5aecb32ce06d ldapsearch -x -h localhost -b dc=shileizcc,dc=com -D "cn=admin,dc=shileizcc,dc=com" -w admin
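Added here as an editor's example (not part of the original page or the osixia project): a pre-flight check over the `environment:` block of the no-TLS compose file above. It flags a bare domain in LDAP_BASE_DN (slapd then rejects the bind as cn=admin,<domain> with err=34 invalid DN, the failure visible in the comment log below), image-default admin/config passwords, and TLS switched off or not enforced. The `COMPOSE_ENV` excerpt is constructed from the page's own values.

```python
import re

# Constructed excerpt of the page's no-TLS docker-compose.yml `environment:` block.
COMPOSE_ENV = """\
      LDAP_DOMAIN: 'shileizcc.com'
      LDAP_BASE_DN: "shileizcc.com"
      LDAP_ADMIN_PASSWORD: 'admin'
      LDAP_CONFIG_PASSWORD: 'config'
      LDAP_TLS: 'false'
      LDAP_TLS_ENFORCE: 'false'
      #LDAP_READONLY_USER_PASSWORD: 'readonly'
"""
# KEY: value with optional matching quotes; a leading '#' never matches, so comments drop out.
ENV_LINE = re.compile(r"""^\s*([A-Z][A-Z0-9_]*):\s*(['"]?)(.*?)\2\s*$""")
# One RDN: attr=value, optionally multi-valued with '+'.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,+=]+(\+[A-Za-z][A-Za-z0-9-]*=[^,+=]+)*$")
# Values the osixia image falls back to when the variable is unset.
IMAGE_DEFAULTS = {"LDAP_ADMIN_PASSWORD": "admin", "LDAP_CONFIG_PASSWORD": "config"}

def parse_env(text):
    """Collect the KEY: value pairs from compose `environment:` lines."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(3)
    return env

def domain_to_base_dn(domain):
    """What the image derives when LDAP_BASE_DN is empty: example.org -> dc=example,dc=org."""
    return ",".join(f"dc={label}" for label in domain.split("."))

def is_valid_dn(dn):
    """Syntactic check: every comma-separated RDN must be attr=value."""
    return bool(dn) and all(RDN.match(rdn.strip()) for rdn in dn.split(","))

def check_env(env):
    """Return (code, message) findings for settings that break or weaken this deployment."""
    findings = []
    base_dn = env.get("LDAP_BASE_DN", "")
    if base_dn and not is_valid_dn(base_dn):
        want = domain_to_base_dn(env.get("LDAP_DOMAIN", "example.org"))
        findings.append(("BASE_DN", f"{base_dn!r} is not a DN (slapd: err=34 invalid DN); use {want!r} or leave it empty"))
    for key, default in IMAGE_DEFAULTS.items():
        if env.get(key, default) == default:
            findings.append(("DEFAULT_PW", f"{key} is the image default {default!r}"))
    if env.get("LDAP_TLS", "true").lower() != "true":
        findings.append(("NO_TLS", "LDAP_TLS=false: binds, admin password included, cross port 389 in clear"))
    elif env.get("LDAP_TLS_ENFORCE", "false").lower() != "true":
        findings.append(("TLS_OPTIONAL", "LDAP_TLS_ENFORCE=false: clients may still bind without StartTLS"))
    return findings
```

Run `check_env(parse_env(open("docker-compose.yml").read()))` against your own file before `docker-compose up`; an empty list means none of these pitfalls is present.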


3 Comments

  1. Found a problem

    After docker-compose starts, there should be a generated file under the /container directory; it should be persisted.

    docker-compose restart / stop / up -d (restarting, stopping and starting) all work normally, but docker-compose down cannot be used: once down has been run, it will not start again.

    The error log after stopping the service with docker-compose down is as follows:

    modifying entry "olcDatabase={0}config,cn=config"
    Processing file /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
    Processing file /container/service/slapd/assets/config/bootstrap/ldif/02-security.ldif
    5fd21a11 conn=1020 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
    5fd21a11 conn=1020 op=0 BIND dn="" method=163
    5fd21a11 conn=1020 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    5fd21a11 conn=1020 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
    5fd21a11 conn=1020 op=0 RESULT tag=97 err=0 text=
    5fd21a11 conn=1020 op=1 MOD dn="olcDatabase={1}hdb,cn=config"
    5fd21a11 conn=1020 op=1 MOD attr=olcAccess olcAccess
    5fd21a11 conn=1020 op=1 RESULT tag=103 err=32 text=
    5fd21a11 conn=1020 op=2 UNBIND
    5fd21a11 conn=1020 fd=12 closed
    5fd21a11 conn=1021 fd=12 ACCEPT from IP=127.0.0.1:50010 (IP=0.0.0.0:389)
    5fd21a11 conn=1021 op=0 do_bind: invalid dn (cn=admin,mudocli.com)
    5fd21a11 conn=1021 op=0 RESULT tag=97 err=34 text=invalid DN
    5fd21a11 conn=1021 op=1 UNBIND
    5fd21a11 conn=1021 fd=12 closed
    ldap_modify: No such object (32)
    matched DN: cn=config
    modifying entry "olcDatabase={1}hdb,cn=config"

    ldap_bind: Invalid DN syntax (34)
    additional info: invalid DN
    *** /container/run/startup/slapd failed with status 34

    *** Run commands before finish...
    *** Killing all processes...
    5fd21a11 daemon: shutdown requested and initiated.
    5fd21a11 slapd shutdown: waiting for 0 operations/tasks to finish
    5fd21a11 slapd stopped.

    1. The startup method above is fairly outdated; you can use https://github.com/slzcc/openldap, which I maintain, or their latest official documentation instead.