29 changes: 21 additions & 8 deletions openldap/Dockerfile
Expand Up @@ -2,39 +2,52 @@
# simplified to our needs to due https://github.com/dinkel/docker-openldap/issues/21
# (Proposed my solution in https://github.com/dinkel/docker-openldap/issues/21#issuecomment-468839994)

FROM debian:buster-slim
FROM debian:trixie-slim

MAINTAINER Arthur Schiwon <blizzz@arthur-schiwon.de>

Check warning on line 7 in openldap/Dockerfile


The MAINTAINER instruction is deprecated, use a label instead to define an image author

MaintainerDeprecated: Maintainer instruction is deprecated in favor of using label More info: https://docs.docker.com/go/dockerfile/rule/maintainer-deprecated/

ENV OPENLDAP_VERSION 2.4.47
ENV OPENLDAP_VERSION 2.6.10

Check warning on line 9 in openldap/Dockerfile


Legacy key/value format with whitespace separator should not be used

LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format More info: https://docs.docker.com/go/dockerfile/rule/legacy-key-value-format/

RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
slapd=${OPENLDAP_VERSION}* ldap-utils=${OPENLDAP_VERSION}* libldap-common=${OPENLDAP_VERSION}* && \
slapd=${OPENLDAP_VERSION}* ldap-utils=${OPENLDAP_VERSION}* libldap-common=${OPENLDAP_VERSION}* gnutls-bin && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

RUN mv /etc/ldap /etc/ldap.dist

COPY modules/ /etc/ldap.dist/modules
COPY LDIFs/* /etc/ldap/prepopulate/
COPY certificate/ /tmp/certificate

RUN cp -r /etc/ldap.dist/* /etc/ldap

COPY slapf_config /tmp/slapd_config
RUN debconf-set-selections /tmp/slapd_config \
&& dpkg-reconfigure -f noninteractive slapd \
&& rm /tmp/slapd_config \
&& sed -i "s/^#BASE.*/BASE c=nextcloud,dc=ci/g" /etc/ldap/ldap.conf \
&& slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/memberof.ldif" \
&& chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
&& sed -i "s/^#BASE.*/BASE c=nextcloud,dc=ci/g" /etc/ldap/ldap.conf

RUN slapadd -v -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/memberof.ldif"

# create a self-signed certificate
RUN mkdir /etc/ldap/cert/ \
&& cd /etc/ldap/cert \
&& certtool --generate-privkey --outfile ca.key \
&& certtool --generate-self-signed --load-privkey ca.key --outfile ca.crt \
--template /tmp/certificate/template \
&& chown -R openldap:openldap /etc/ldap/cert \
&& slapmodify -v -n0 -F /etc/ldap/slapd.d -l "/tmp/certificate/config.ldif"

RUN mkdir /var/run/slapd
RUN chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd

COPY entrypoint.sh /entrypoint.sh

EXPOSE 389
EXPOSE 389 636

VOLUME ["/etc/ldap", "/var/lib/ldap"]

ENTRYPOINT ["/entrypoint.sh"]

CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap", "-h", "ldaps:/// ldap:/// ldapi:///"]
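Review bot: The TLS private key produced by `certtool --generate-privkey --outfile ca.key` lands in an image layer under /etc/ldap/cert (a path also exported by the VOLUME), so anyone who can pull the image holds the server key; for a CI fixture that is acceptable, but the `# create a self-signed certificate` comment should say so, e.g. `# CI-only self-signed TLS material: the private key is baked into the image layer and must not be reused outside test environments`. The same RUN relies on `cd /etc/ldap/cert` (hadolint DL3003); writing `--outfile /etc/ldap/cert/ca.key` and `--outfile /etc/ldap/cert/ca.crt` makes the paths explicit and drops the cd. In the apt-get line, `gnutls-bin` is the only package left unpinned while its siblings use `${OPENLDAP_VERSION}*`, and it is only needed at build time for certtool. `/tmp/certificate` is copied in but, unlike /tmp/slapd_config, never removed, so the template and config.ldif remain in the final image.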
7 changes: 7 additions & 0 deletions openldap/certificate/config.ldif
@@ -0,0 +1,7 @@
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert/ca.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/cert/ca.key
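Review bot: The file names `ca.crt`/`ca.key` referenced by olcTLSCertificateFile and olcTLSCertificateKeyFile suggest a CA, but the Dockerfile generates them with `certtool --generate-self-signed`, so this is the server's own leaf certificate acting as its trust anchor; a leading comment such as `# self-signed server certificate and key generated at image build time (see openldap/Dockerfile)` would spare the next reader the detour. No olcTLSCACertificateFile is set here; whether CI clients need a separate trust file depends on how they validate the server, which is worth confirming in the entrypoint or test configuration.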
4 changes: 4 additions & 0 deletions openldap/certificate/template
@@ -0,0 +1,4 @@
organization = "Nextcloud"
cn = "nextcloud.ci"
serial = 42
expiration_days = 18250
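Review bot: The template names the host only through `cn = "nextcloud.ci"` and sets no `dns_name`, so TLS clients that match the hostname against the Subject Alternative Name only (most modern stacks ignore the CN) will not accept the certificate for nextcloud.ci; if any CI client verifies the server name, add `dns_name = "nextcloud.ci"`. `expiration_days = 18250` and the fixed `serial = 42` are fine for a throwaway CI certificate, but a comment stating that intent, e.g. `# CI-only self-signed certificate; not a trust anchor for anything else`, would keep the template from being copied into other setups.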
13 changes: 7 additions & 6 deletions openldap/modules/memberof.ldif
@@ -1,11 +1,10 @@
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectClass: top
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof.la

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
Expand All @@ -20,14 +19,16 @@ olcMemberOfMemberOfAD: memberOf
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectClass: top
olcModulePath: /usr/lib/ldap
olcModuleLoad: refint.la

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
olcOverlay: refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: manager
olcRefintAttribute: owner
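Review bot: With the `{0}`/`{1}` indices removed from the overlay DNs (here and in the memberof hunk above), the stacking order of the two overlays is whatever order slapadd encounters them, so it now depends on memberof preceding refint in this file; a comment such as `# keep after the memberof overlay: entry order in this file decides overlay order` above the refint entry would make that dependency explicit. I believe overlays added via slapadd are stacked in insertion order but have not verified this against 2.6, so a `slapcat -n0` on the built image would confirm the resulting indices.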