OpenLDAP Server based on devopsansiblede/baseimage. Supports data loading via volume mount as well as SSL based LDAP (ldaps).

For the usage of LEGO DNS challenge, you'll have to use the environmental variables needed for your DNS provider. You can find that configuration within LEGO documentation.

This Docker image only supports DNS challenge, since ports 443 / 80 won't be exposed / published / used. We highly recommend to stay with DNS challenge.

Those variables are not recommended to be changed. They are only used while building / testing the docker image.

By using the different types of environmental variables within the image build and usage process, we assure them being available in relevant contexts.
Docker uses build arguments (type ARG) for environmental variables only available during the build process of an image. ENV type variables are available in both contexts, during the build and when running a container from the image.

We built in LEGO to ease certificate management for your LDAP service.

While developing, we got into some thinking about what best practices we should suggest. There are a few.

• First, our main convention is that devopsansiblede/ldap image will only support DNS challenge for certificates. HTTP/S challenges won't be supported. Yes, that's a convention and not a recommendation – so you need to follow this one mandatorily.
  If you need to use HTTP/S challenge or want to use another certificate generation tool (like ACME requests managed by Træfik and the usage of devopsansiblede/acme_certs_extract Docker image to extract and copy the certificate files), you could add a listener on the docker host that will stop the services within the devopsansiblede/ldap container by executing _termSlapd command. That will cause a slapd restart within the set period of RUNNING_CHECK seconds.
• We recommend you to use wildcard fqdns for requested LEGO_CERT_DOMAIN, e.g. *.auth.example.com where your ldap could be ldap-master.auth.example.com.
  That is for all certificates being listed in Certificate Search service and anybody could retrieve FQDNs from there at no effort.

Start a new openldap server instance, import config & data.ldif's from another instance and persist the state in ./data:

docker run -d \
           -p 389:127.0.0.1:389 -p 636:636 \
           -v $( pwd )/data/database:/var/lib/ldap \
           -v $( pwd )/data/config:/etc/ldap/slapd.d \
           -v $( pwd )/import:/import \
           --name ldap \
       devopsansiblede/ldap:latest

We strongly recommend you not to publish the insecure port 389 – just don't use it when you can avoid. When you need to use it, please secure the connection in another way like building up a SSH tunnel, e.g. by the command ssh -L 389:172.17.0.3:389 ssh.host.example.com where you bind your local port 389 to the remote port 389 of the Docker container with the IP 172.17.0.3 running on your remote server ssh.host.example.com.

• /etc/ldap/slap.d - Config database
• /var/lib/ldap - Data database
• /lego – The location where LEGO data lives, as your account for Let's Encrypt certificate creation, certificates, etc.

• /certs - location for custom CA certificates that should be trusted
• /etc/ssl/certificates – the location where (by default) custom TLS certificates will be searched for
• /import/config.ldif - Text file containing the exported config tree (${IMPORT_DIR}${IMPORT_CONFIG_FILE})
• /import/data.ldif - Text file containing the exported data tree (${IMPORT_DIR}${IMPORT_DATA_FILE})
• /etc/defaults/slapd - Slapd startup configuration

2024-05-12 23:57:03