ldap/README.md

75 lines
2.8 KiB
Markdown
Raw Normal View History

2017-09-09 17:54:45 +02:00
## slapd
Slapd offers a LDAP server, which we mostly use for authentication of various
services.
Therefore, a lot of services have a direct (or indirect) dependency on this
image.
2019-05-15 18:28:41 +02:00
### Getting the image
This image is automatically build and pushed to the docker hub. Therefore
getting the image should be as easy as running
```
docker pull zombi/ldap
```
2017-09-09 17:54:45 +02:00
### Building slapd
2019-05-15 18:28:41 +02:00
It is also possible to manually build this image from this repository.
2017-09-09 17:54:45 +02:00
```
2019-04-18 20:59:51 +02:00
docker build -t zombi/ldap .
2017-09-09 17:54:45 +02:00
```
### Running slapd
2019-04-18 20:59:51 +02:00
Copy over example configuration
```bash
cp docker-compose.yml{.example,}
```
run the service
2017-09-09 17:54:45 +02:00
```
2019-04-18 20:59:51 +02:00
docker-compose up -d
2017-09-09 17:54:45 +02:00
```
2019-05-17 02:24:19 +02:00
#### Custom schema
every .ldif or .sh file will be evaluated on server startup, if it's placed
inside the '/docker-entrypoint-initdb.d/' directory. This allows you to
Specify custom behaviour of the LDAP Server.
By default the server will load the schema from the 'fixtures/' directory,
which will provide this features:
* MDB backend for better performance
* Indexing of most referenced attributes by default
* Base structure with People, Groups, Sevices, Domains and Policies.
* Simple but useful ACL rules, allowing users to change their own passwords.
* Password policy for strong cryptographic hashing of user passwords and password rotation.
* Referential integrity for e.g. group memberships.
* Support for core, cosine, nis, inetorgperson, ppolicy and misc schemas.
* Support for user-definable SSH public keys as attributes.
* enforcing of username and user ID uniqueness.
### Configuration
The LDAP server can be configured for your organization using the environment variables:
* `ROOTPW` password for the administration user that is created by default. Make this hard to guess!
* `ORGANIZATION` Name of the organization running this LDAP server.
* `SUFFIX` overwrites the root node for all entries. By default this will be 'o=organizationname', but for compatibility you might want to set this to 'dc=domain,dc=tld'.
* `DATADIR` is the path to the directory containing the LDAP DATA; by default this is '/var/lib/ldap/'.
* `CONFDIR` points to the path containing the server configuration, by default this is '/etc/ldap/slapd.d'.
2017-09-09 17:54:45 +02:00
### Backing up data
2019-05-15 18:28:41 +02:00
State stored in this container is essential to many other services, that
use authentication and authorization. Therefore you should think about
backing up the LDAP database in regular intervals.
2017-09-09 17:54:45 +02:00
2019-05-15 18:28:41 +02:00
**simply copying all the data from `data` MAY NOT WORK**, as there could
be race conditions leading to database corruption during the backup.
The recommended way is to use the included script for backing up the database
into a compact .ldif plain text file.
2017-09-09 17:54:45 +02:00
2019-05-15 18:28:41 +02:00
running `contrib/create-ldap-backup.sh` will create two files:
2017-09-09 17:54:45 +02:00
* `conf.ldif` is a backup of the configuration.
* `data.ldif` contains all the saved datasets.