Docker image for OpenLDAP support
The ibmcom/verify-access-openldap image extends the osixia/openldap Docker image by adding the ISAM "secAuthority=Default" schema and suffix to the registry. This image can be used to quickly build a user registry for use with ISAM.
Instructions on the use of the osixia/openldap Docker image can be found at: https://github.com/osixia/docker-openldap.
Points to note
Some additional points to note about the extensions to the osixia/openldap Docker image include:
- The secAuthority=Default suffix is stored in the "/var/lib/ldap.secAuthority" directory, so this directory should be added to the list of volumes of the osixia/openldap container.
- Using the osixia/openldap-backup Docker container to back up the user registry is not supported.
- The secAuthority=Default suffix will contain the "cn=root,secAuthority=Default" administrative user. The password for this user is set to the same value as the admin user of the osixia/openldap container (controlled by the LDAP_ADMIN_PASSWORD variable).
- The user suffix is automatically determined from the LDAP_DOMAIN entry, where each element in the domain name is preceded by "dc". For example, if the LDAP_DOMAIN is set to ibm.com, the corresponding suffix will be "dc=ibm,dc=com".
- The default value of the LDAP_TLS_VERIFY_CLIENT environment variable has been changed from 'required' to 'never'.
- By default, the LDAP server will only listen on the LDAPS secure port (636) and will not listen on the LDAP unsecure port (389).
Additional environment variables
In addition to the standard osixia/openldap environment variables, the ibmcom/verify-access-openldap Docker image defines the following environment variables:
- LDAP_ENABLE_PORT_389: By default, the OpenLDAP server will only listen on the secure 636 port. If we want the OpenLDAP server to also listen on the unsecure 389 port, this environment variable must be set to the value 'true'.
Usage
Quick start
To start a container with the defaults, execute the command:
docker run --name isva-openldap --detach ibmcom/verify-access-openldap:latest
However, a more complete command, which would specify the volumes, ports and standard environment variables, could be:
docker run --hostname isva.openldap --name isva.openldap \
    --detach \
    --publish 636:636 \
    --volume /var/lib/ldap \
    --volume /etc/ldap/slapd.d \
    --volume /var/lib/ldap.secAuthority \
    --env LDAP_DOMAIN=ibm.com \
    --env LDAP_ADMIN_PASSWORD=passw0rd \
    --env LDAP_CONFIG_PASSWORD=passw0rd \
    ibmcom/verify-access-openldap:latest
TLS
By default, the image will automatically generate a TLS certificate when the container is first started. The CN for the certificate is obtained from the container hostname.
To provide our own certificates, they should be made available to the container at initialization within the /container/service/slapd/assets/certs directory. The following files reside within this directory:
- ldap.cert: The server certificate to be used.
- ldap.key: Private key for the server certificate.
- ca.crt: Certificate for the trusted certificate authority, used to validate certificates that are presented to the LDAP server (aka mutual authentication).
To create our own self-signed server certificate, we can do so using OpenSSL. For example:
openssl req -x509 -newkey rsa:4096 -keyout ldap.key -out ldap.cert \
    -days 365 -nodes \
    -subj "/C=AU/ST=Queensland/L=Gold Coast/O=IBM/CN=isva-openldap"
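The following helper script is an added example, not part of the ibmcom/verify-access-openldap image or its scripts. It derives the user suffix from LDAP_DOMAIN as described under "Points to note", checks that a certificate directory holds the three files listed above before it is mounted, and assembles the complete docker run command, publishing port 389 only when LDAP_ENABLE_PORT_389 is requested. The function names are this example's own; the hostname isva-openldap is chosen to match the CN used in the openssl command above.

```shell
#!/bin/sh
# Added example: helpers for starting ibmcom/verify-access-openldap safely.

# ibm.com -> dc=ibm,dc=com (each domain element is preceded by "dc=").
isva_suffix_from_domain() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# Pre-flight: the directory mounted at /container/service/slapd/assets/certs
# must contain ldap.cert, ldap.key and ca.crt. Returns 1 and names any
# missing or empty file so the container is not started with a broken TLS setup.
isva_check_certs_dir() {
    dir=$1; rc=0
    for f in ldap.cert ldap.key ca.crt; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Print the docker run command for a domain, certs directory and admin password.
# Port 389 (plain LDAP) is published only when the 4th argument is "true",
# which also sets the image's LDAP_ENABLE_PORT_389 variable.
isva_run_command() {
    domain=$1 certs=$2 pass=$3 enable389=${4:-false}
    set -- docker run --hostname isva-openldap --name isva-openldap --detach \
        --publish 636:636 \
        --volume /var/lib/ldap \
        --volume /etc/ldap/slapd.d \
        --volume /var/lib/ldap.secAuthority \
        --volume "$certs:/container/service/slapd/assets/certs" \
        --env "LDAP_DOMAIN=$domain" \
        --env "LDAP_ADMIN_PASSWORD=$pass" \
        --env "LDAP_CONFIG_PASSWORD=$pass"
    if [ "$enable389" = true ]; then
        set -- "$@" --publish 389:389 --env LDAP_ENABLE_PORT_389=true
    fi
    set -- "$@" ibmcom/verify-access-openldap:latest
    printf '%s ' "$@"; echo
}
```

Run `isva_check_certs_dir ./certs && eval "$(isva_run_command ibm.com "$PWD/certs" passw0rd)"` to start the container only after the certificate check passes.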
License
The Dockerfile and associated scripts are licensed under the Apache License 2.0 license.
Supported Docker versions
- This image is officially supported on Docker version v17 and later.
- Support for older versions is provided on a best-effort basis.
Community support
If we are a licensed IBM customer, we can request support through the official IBM support channel. However, IBM does not provide support for the official osixia/openldap Docker image.
Community support is also available for this image via the DeveloperWorks communities. Both DeveloperWorks Answers and the DeveloperWorks IBM Security Identity and Access Management Forum are vibrant communities.
Supported tags
- latest: The latest stable version.
- V.R.M.F: A particular release, of the format {version}.{release}.{modification}.{fixpack}. For example, 10.0.0.0.