
openldap's Introduction

OpenLDAP Server

See also: https://marc.wäckerlin.ch/computer/setup-openldap-server-in-docker

Configuration

OpenLDAP server in the distribution's default configuration. The initial setup is configured through environment variables.

Environment Variables:

  • DOMAIN (mandatory) Your domain name, e.g. example.org. The base distinguished name is derived from this domain, e.g. dc=example,dc=org.
  • PASSWORD (optional) Administrator password; the administrator account is derived from DOMAIN, e.g. cn=admin,dc=example,dc=org. If not given, a password is generated and written to the docker logs.
  • DEBUG (optional) Specifies the debug level, defaults to 0 (no debug output)
  • INDEXES (optional) A list of indexes that the LDAP server should maintain, separated by spaces, e.g.: index uid eq index cn eq.

Ports:

  • 389 (LDAP and LDAP+startTLS)
  • 636 (LDAP+SSL)

Volumes:

  • /var/lib/ldap the database
  • /ssl mount the Let's Encrypt configuration directory /etc/letsencrypt here to enable TLS and SSL
  • /etc/ldap config file
  • /var/backups backups
  • /var/restore copy one backup file here to start restore on next restart

Example

Start your openLDAP server:

docker run -it --rm --name openldap \
           -p 389:389 \
           -e DEBUG_LEVEL=1 \
           -e DOMAIN=my-company.com \
           -e ORGANIZATION="My Company" \
           -e PASSWORD=1234567890 \
           mwaeckerlin/openldap

Now you can access your LDAP server, e.g. through Apache Directory Studio.

To access cn=config, set cn=config as root and use the administrator account for binding, here cn=admin,dc=my-company,dc=com and password 1234567890.

Restore a Backup

You can create backups easily in data.ldif:

slapcat -l data.ldif

To restore a backup, copy a file whose name matches *data.ldif into the volume /var/restore, then restart the container.

After successful restore, the file will be moved to volume /var/backups/<date>-restored-data.ldif.

Before every restart, a backup is generated in /var/backups/<date>-startup-data.ldif.
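The backup and restore procedure above, as an added example that is not part of the mwaeckerlin/openldap project. It assumes the container is named openldap (the name used in the docker run example) and that the host directory holding the /var/restore volume is passed as an argument; the config path given to slapcat is the one the image's own start script passes to slapadd (/etc/ldap/slapd.conf), which is an assumption. Because the restore path wipes /var/lib/ldap before loading the file, the script refuses to stage anything that does not look like an LDIF dump.

```shell
#!/bin/sh
# Added example, not project code: dump the directory with slapcat and stage the
# dump in the /var/restore volume under a name matching *data.ldif, which is the
# pattern the start script tests for before it wipes and reloads the database.

# Sanity check before we let the container replace its database: the file must
# be non-empty and its first non-comment line must start with "dn:" or "version:".
ldif_sane() {
    f="$1"
    [ -s "$f" ] || return 1
    first=$(grep -v '^#' "$f" | grep -v '^$' | head -n 1)
    case "$first" in
        dn:*|version:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy a backup into the restore directory as <date>-data.ldif and print the
# staged path. Refuses files that fail ldif_sane.
stage_restore() {
    src="$1"; restore_dir="$2"
    if ! ldif_sane "$src"; then
        echo "refusing to stage $src: not an LDIF dump" >&2
        return 1
    fi
    mkdir -p "$restore_dir"
    dest="$restore_dir/$(date +%Y%m%d%H%M)-data.ldif"
    cp "$src" "$dest"
    echo "$dest"
}

# Dump the live directory from the running container (needs docker; not run by
# the checks below). Container name and config path are assumptions.
backup_ldap() {
    container="${1:-openldap}"; out="${2:-data.ldif}"
    docker exec "$container" slapcat -f /etc/ldap/slapd.conf > "$out"
    ldif_sane "$out"
}

# Usage: ./ldap-restore.sh backup [container] [out.ldif]
#        ./ldap-restore.sh stage  <backup.ldif> <host dir mounted at /var/restore>
case "${1:-}" in
    backup) backup_ldap "${2:-openldap}" "${3:-data.ldif}" ;;
    stage)  stage_restore "$2" "$3" && echo "staged; now run: docker restart ${4:-openldap}" ;;
esac
```

After staging, a restart of the container performs the restore; the start script then moves the consumed file to /var/backups/<date>-restored-data.ldif as described above.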

Note on upgrades after 2018-04-13

The base image has been replaced: it is now Alpine instead of Ubuntu. This reduced the image size from ~500MB to ~15MB, but some things changed at the same time, namely:

  • the configuration is now in a slapd.conf file
  • the database backend is now mdb instead of hdb

This means: Your database from previous versions cannot be used anymore. You need to create a backup and restore it after migration.

openldap's People

Contributors: dnknth, khevse, mwaeckerlin, smacz42

openldap's Issues

back_mdb fails to load

Hello @mwaeckerlin,

Since the last image update, the container fails to start from scratch. There is an error when loading the initial LDIF.
I added a -v to line 91 of start.sh, and the problem seems to be:

ldap_1     | + test -e /var/restore/test-data.ldif
ldap_1     | + rm -f '/var/lib/ldap/*'
ldap_1     | + slapadd -v -f /etc/ldap/slapd.conf -l /var/restore/test-data.ldif
ldap_1     | lt_dlopenext failed: (back_mdb.la) file not found
ldap_1     | /etc/ldap/slapd.conf: line 18: <moduleload> handler exited with 1!

Any idea what might be going wrong?

[question] how to set cn=admin to cn=root

Hello, I have tried your openldap image. It's really awesome. But I have a question.
I ran your image with docker run -itd --name=openldap_ssl -p 389:389 -e DOMAIN='test.com' -e ORGANIZATION='root' -e PASSWORD='qwer1234' mwaeckerlin/openldap
And I use this userDN cn=admin,dc=test,dc=com to connect to openldap. It works.
My question is how to set cn=admin to cn=root? I want to use this userDN cn=root,dc=test,dc=com by docker run -e

/bin/sh: can't open '/start.sh': Permission denied

I get the following error when running

$ docker run -it --rm --name openldap \
           -p 389:389 \
           -e DEBUG_LEVEL=1 \
           -e DOMAIN=my-company.com \
           -e ORGANIZATION="My Company" \
           -e PASSWORD=1234567890 \
           mwaeckerlin/openldap
/bin/sh: can't open '/start.sh': Permission denied

Seems like the entrypoint script doesn't have +x.
Am I doing something fundamentally incorrect?

The Docker image id is 65787d7ab2b1

I am using Ubuntu 20.04. Docker version:

$ docker version
Client:
 Version:           18.09.9
 API version:       1.39
 Go version:        go1.13.4
 Git commit:        1752eb3
 Built:             Sat Nov 16 01:05:26 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.13.4
  Git commit:       9552f2b
  Built:            Sat Nov 16 01:07:48 2019
  OS/Arch:          linux/amd64
  Experimental:     false

TLS doesn't actually work

Unfortunately TLS does not work. I followed the setup to the letter and I can make a normal non-TLS call:

docker exec $(docker ps | grep openldap | awk '{print $1}') ldapsearch \
    -x -H ldap://openldap -b dc=mydomain,dc=com \
    -D "cn=admin,dc=mydomain,dc=com" -w 1234

Obviously substituting mydomain for the real one

But as soon as you add -ZZ, which tries to enforce TLS:

ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation

and in the logs...

5eaeb1dd conn=1005 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"

I'm really gutted as I just can't find a working openldap container with TLS yet. Is there something I'm doing wrong or a small thing missing from the docs?
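Two pre-flight checks for the symptom reported in this issue, as an added example that is neither the issue author's nor the project's code. The certificate file layout it tests for is taken from the image's startup log quoted in a later issue on this page, where the start script checks for /ssl/live/$DOMAIN/{chain.pem,privkey.pem,cert.pem} and, alternatively, /ssl/$DOMAIN-ca.crt, /ssl/$DOMAIN.key and /ssl/$DOMAIN.pem; the assumption is that the server only offers the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, the one rejected in the log above) when one of those sets is complete. The helper names and the probe function are this example's own.

```shell
#!/bin/sh
# Added example, not project code: verify the TLS material the container expects
# is actually present in the /ssl volume, and recognise the "unsupported extended
# operation" log line that means StartTLS was never enabled server-side.

# Returns 0 if either complete certificate set exists under $ssl for $domain,
# otherwise lists every missing candidate on stderr and returns 1.
tls_files_present() {
    domain="$1"; ssl="${2:-/ssl}"
    if [ -e "$ssl/live/$domain/chain.pem" ] && [ -e "$ssl/live/$domain/privkey.pem" ] \
        && [ -e "$ssl/live/$domain/cert.pem" ]; then
        return 0
    fi
    if [ -e "$ssl/$domain-ca.crt" ] && [ -e "$ssl/$domain.key" ] && [ -e "$ssl/$domain.pem" ]; then
        return 0
    fi
    echo "no complete certificate set for $domain under $ssl" >&2
    for f in "live/$domain/chain.pem" "live/$domain/privkey.pem" "live/$domain/cert.pem" \
             "$domain-ca.crt" "$domain.key" "$domain.pem"; do
        [ -e "$ssl/$f" ] || echo "  missing: $ssl/$f" >&2
    done
    return 1
}

# Returns 0 if the slapd log in $1 contains the StartTLS rejection seen in the
# issue (the server does not advertise the StartTLS extension), 1 otherwise.
starttls_rejected_in_log() {
    grep -q 'do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"' "$1"
}

# Live probe (needs ldapsearch and a reachable server; not run by the checks
# below): -ZZ makes the client insist on StartTLS, so "Protocol error (2)" here
# means the server-side TLS setup is incomplete rather than a client problem.
probe_starttls() {
    host="$1"; basedn="$2"
    ldapsearch -x -ZZ -H "ldap://$host" -b "$basedn" -s base '(objectClass=*)' >/dev/null
}

# Usage: ./tls-check.sh <domain> [ssl-dir] [slapd.log]
if [ -n "${1:-}" ]; then
    tls_files_present "$1" "${2:-/ssl}" && echo "certificate files present for $1"
    if [ -n "${3:-}" ] && starttls_rejected_in_log "$3"; then
        echo "log shows StartTLS rejected: server started without TLS" >&2
    fi
fi
```

Run the file check on the host directory you mount at /ssl (with the same DOMAIN value you pass to the container) before starting it; if it passes but the log check still fires, the files are present but not being picked up, which narrows the search to the mount itself.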

Add ACL

How do I add a new ACL to the LDAP-Server?

I tried to connect to the cn=config tree but I get the response "No such Object".
Also I tried to add the ACL to the slapd.conf file but the changes are deleted when I restart the container.

MEMBEROF=1 not working

Hi,

I tried to set "MEMBEROF=1" but it doesn't work:

openldap_1  | 5af71a77 lt_dlopenext failed: (refint) file not found
openldap_1  | slapcat: bad configuration file!
docker_openldap_1 exited with code 1

Looking at the "slapd.conf" it tries to load the Module "refint"

modulepath  /usr/lib/openldap
moduleload refint

but the Module seems not to exist in the image (started without "MEMBEROF=1"):

root@openldap[991d0fcdaa36]:/# ls -la /usr/lib/openldap
total 216
drwxr-xr-x    2 root     root          4096 Apr 17 10:37 .
drwxr-xr-x    1 root     root          4096 Apr 17 10:37 ..
lrwxrwxrwx    1 root     root            22 Apr 17 10:37 back_mdb-2.4.so.2 -> back_mdb-2.4.so.2.10.8
-rwxr-xr-x    1 root     root        211960 Nov  9  2017 back_mdb-2.4.so.2.10.8
lrwxrwxrwx    1 root     root            22 Apr 17 10:37 back_mdb.so -> back_mdb-2.4.so.2.10.8
root@openldap[991d0fcdaa36]:/#
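Both this issue and the earlier "back_mdb fails to load" one end in the same libltdl error, lt_dlopenext failed: (NAME) file not found, raised from a moduleload line that has no matching file in the modulepath directory. The following check, an added example that is not project code, reads a slapd.conf, resolves each moduleload against the modulepath (defaulting to /usr/lib/openldap, the directory shown in the listing above, which is an assumption about this image) and reports the missing ones before slapd or slapcat gets to fail on them. The helper names are this example's own; the accepted file variants (NAME, NAME.la, NAME.so) are the ones libltdl tries when it appends an extension.

```shell
#!/bin/sh
# Added example, not project code: confirm every "moduleload" in a slapd.conf
# can be satisfied from the "modulepath" directory, so a missing overlay such as
# refint or memberof is caught before the server aborts on "bad configuration file".

# Print the modulepath from the config (last occurrence wins), falling back to
# /usr/lib/openldap, the directory shown in the issue's listing (assumption).
modulepath_of() {
    p=$(awk 'tolower($1)=="modulepath" {p=$2} END {print p}' "$1")
    echo "${p:-/usr/lib/openldap}"
}

# For each "moduleload NAME[.la|.so]" accept NAME, NAME.la or NAME.so in the
# module directory. Lists the unresolvable ones on stderr; returns 1 if any.
check_moduleload() {
    conf="$1"; dir="${2:-$(modulepath_of "$1")}"
    missing=0
    for m in $(awk 'tolower($1)=="moduleload" {print $2}' "$conf"); do
        base="${m%.la}"; base="${base%.so}"
        found=0
        for cand in "$dir/$base" "$dir/$base.la" "$dir/$base.so"; do
            if [ -e "$cand" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "moduleload $m: no $base, $base.la or $base.so in $dir" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: ./check-modules.sh [/etc/ldap/slapd.conf] [module dir]
if [ -n "${1:-}" ]; then
    check_moduleload "$1" "${2:-}" && echo "all moduleload entries resolve"
fi
```

Inside the container this is docker exec openldap sh check-modules.sh /etc/ldap/slapd.conf; against the listing above it reports refint as unresolvable while back_mdb resolves through its back_mdb.so symlink, which matches the two failures quoted on this page.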

Allow to specify memory for server

The container doesn't start when launched. I'm doing it with a very basic docker-compose setup with swarm.

The end result before the container dies is:

Assertion failed: 0 (ch_malloc.c: ch_calloc: 107)
Aborted

I've attached the docker-compose and logs below.


Docker-compose

   openldap:
        image: mwaeckerlin/openldap
        hostname: openldap
        ports:
            - 389:389
            - 636:636
        volumes:
            - /volumes/openldap/certs:/ssl/certs
            - /volumes/openldap/data:/etc/ldap
        environment:
            DOMAIN: 'mydomain.com'
            ORGANIZATION: 'mydomain.com'
            PASSWORD: '1234'
            DEBUG_LEVEL: '1'
        deploy:
            placement:
                constraints:
                    - node.hostname==openldap

Container logs

root@traefik:/volumes/glusterfs/openldap# docker logs 4ec51cde4c67 -f
+ date '+%Y%m%d%H%m'
+ DATE=202005031005
+ test -z mydomain.com
+ test -z 1234
+ export 'BASEDN=dc=mydomain,dc=com'
+ slappasswd -h '{SSHA}' -s 1234
+ export 'PASSWD={SSHA}PpbUwjVMzLQOklIzQGxopKJUmyxpNwgK'
+ cat
+ sed -f /tmp/update-config.sed /etc/openldap/slapd.conf
+ echo 
+ sed 's, access to,\
access to,g;s, by,\
\tby,g'
+ rm /tmp/update-config.sed
+ echo 
+ sed 's, index,\
index,g'
+ test  '=' 1
+ echo 'include /etc/openldap/schema/cosine.schema'
+ echo 'include /etc/openldap/schema/inetorgperson.schema'
+ echo 'include /etc/openldap/schema/nis.schema'
+ echo 'include /etc/openldap/schema/samba.schema'
+ test -e /ssl/live/mydomain.com/chain.pem -a -e /ssl/live/mydomain.com/privkey.pem -a -e /ssl/live/mydomain.com/cert.pem
+ test -e /ssl/mydomain.com-ca.crt -a -e /ssl/mydomain.com.key -a -e /ssl/mydomain.com.pem
+ test -e '/var/restore/*data.ldif'
+ ls -A /var/lib/ldap
+ test -n 
+ test -e 
+ test -e 
+ mkdir -p /var/lib/openldap/run
+ chown -R ldap.ldap /var/lib/ldap /etc/ldap /var/lib/openldap
+ chmod 700 /var/lib/ldap
+ /usr/sbin/slapd -u ldap -g ldap -d 1 -h ldap:/// -f /etc/ldap/slapd.conf
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
5eae9d1e @(#) $OpenLDAP: slapd 2.4.48 (Aug 26 2019 08:55:51) $
        openldap
ldap_pvt_gethostbyname_a: host=openldap, r=0
5eae9d1e daemon_init: listen on ldap:///
5eae9d1e daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
5eae9d1e daemon: listener initialized ldap:///
5eae9d1e daemon_init: 2 listeners opened
ldap_create
5eae9d1e slapd init: initiated server.
5eae9d1e slap_sasl_init: initialized!
5eae9d1e mdb_back_initialize: initialize MDB backend
5eae9d1e mdb_back_initialize: LMDB 0.9.24: (July 24, 2019)
5eae9d1e mdb_db_init: Initializing mdb database
5eae9d1e >>> dnPrettyNormal: <dc=mydomain,dc=com>
5eae9d1e <<< dnPrettyNormal: <dc=mydomain,dc=com>, <dc=mydomain,dc=com>
5eae9d1e >>> dnPrettyNormal: <cn=mydomain,dc=mydomain,dc=com>
5eae9d1e <<< dnPrettyNormal: <cn=mydomain,dc=mydomain,dc=com>, <cn=admin,dc=mydomain,dc=com>
5eae9d1e >>> dnNormalize: <cn=Subschema>
5eae9d1e <<< dnNormalize: <cn=subschema>
5eae9d1e matching_rule_use_init
5eae9d1e     1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbMaxReaders $ olcDbMaxSize $ olcDbRtxnSize $ olcDbSearchStack $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sambaPwdLastSet $ sambaPwdCanChange $ sambaPwdMustChange $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaGroupType $ sambaNextUserRid $ sambaNextGroupRid $ sambaNextRid $ sambaAlgorithmicRidBase $ sambaIntegerOption $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange $ sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection ) )
5eae9d1e     1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbMaxReaders $ olcDbMaxSize $ olcDbRtxnSize $ olcDbSearchStack $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sambaPwdLastSet $ sambaPwdCanChange $ sambaPwdMustChange $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaGroupType $ sambaNextUserRid $ sambaNextGroupRid $ sambaNextRid $ sambaAlgorithmicRidBase $ sambaIntegerOption $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange $ sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection ) )
5eae9d1e     1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ sambaLMPassword $ sambaNTPassword $ sambaAcctFlags $ sambaLogonHours $ sambaHomeDrive $ sambaPasswordHistory $ sambaSID $ sambaPrimaryGroupSID $ sambaSIDList $ sambaStringOption $ sambaTrustFlags $ sambaSecurityIdentifier ) )
5eae9d1e     1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ sambaLMPassword $ sambaNTPassword $ sambaAcctFlags $ sambaLogonHours $ sambaHomeDrive $ sambaPasswordHistory $ sambaSID $ sambaPrimaryGroupSID $ sambaSIDList $ sambaStringOption $ sambaTrustFlags $ sambaSecurityIdentifier ) )
5eae9d1e     2.5.13.39 (certificateListMatch):     2.5.13.38 (certificateListExactMatch): matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) )
5eae9d1e     2.5.13.35 (certificateMatch):     2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
5eae9d1e     2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )
5eae9d1e     2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbMaxReaders $ olcDbMaxSize $ olcDbRtxnSize $ olcDbSearchStack $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sambaPwdLastSet $ sambaPwdCanChange $ sambaPwdMustChange $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaGroupType $ sambaNextUserRid $ sambaNextGroupRid $ sambaNextRid $ sambaAlgorithmicRidBase $ sambaIntegerOption $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange $ sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection ) )
5eae9d1e     2.5.13.28 (generalizedTimeOrderingMatch): matchingRuleUse: ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
5eae9d1e     2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
5eae9d1e     2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
5eae9d1e     2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
5eae9d1e     2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
5eae9d1e     2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )
5eae9d1e     2.5.13.18 (octetStringOrderingMatch): matchingRuleUse: ( 2.5.13.18 NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ sambaClearTextPassword $ sambaPreviousClearTextPassword ) )
5eae9d1e     2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ sambaClearTextPassword $ sambaPreviousClearTextPassword ) )
5eae9d1e     2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
5eae9d1e     2.5.13.15 (integerOrderingMatch): matchingRuleUse: ( 2.5.13.15 NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbMaxReaders $ olcDbMaxSize $ olcDbRtxnSize $ olcDbSearchStack $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sambaPwdLastSet $ sambaPwdCanChange $ sambaPwdMustChange $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaGroupType $ sambaNextUserRid $ sambaNextGroupRid $ sambaNextRid $ sambaAlgorithmicRidBase $ sambaIntegerOption $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange $ sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection ) )
5eae9d1e     2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbMaxReaders $ olcDbMaxSize $ olcDbRtxnSize $ olcDbSearchStack $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sambaPwdLastSet $ sambaPwdCanChange $ sambaPwdMustChange $ sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ sambaBadPasswordCount $ sambaBadPasswordTime $ sambaGroupType $ sambaNextUserRid $ sambaNextGroupRid $ sambaNextRid $ sambaAlgorithmicRidBase $ sambaIntegerOption $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange $ sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection ) )
5eae9d1e     2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry $ olcDbNoSync $ sambaBoolOption ) )
5eae9d1e     2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )
5eae9d1e     2.5.13.9 (numericStringOrderingMatch): matchingRuleUse: ( 2.5.13.9 NAME 'numericStringOrderingMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
5eae9d1e     2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
5eae9d1e     2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
5eae9d1e     2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbEnvFlags $ olcDbIndex $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ telephoneNumber $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ homePhone $ personalTitle $ mobile $ pager $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ 
employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName $ sambaLogonScript $ sambaProfilePath $ sambaUserWorkstations $ sambaHomePath $ sambaDomainName $ sambaMungedDial $ sambaShareName $ sambaOptionName $ sambaStringListOption $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaTrustForestTrustInfo ) )
5eae9d1e     2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbEnvFlags $ olcDbIndex $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ telephoneNumber $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ homePhone $ personalTitle $ mobile $ pager $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ 
employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName $ sambaLogonScript $ sambaProfilePath $ sambaUserWorkstations $ sambaHomePath $ sambaDomainName $ sambaMungedDial $ sambaShareName $ sambaOptionName $ sambaStringListOption $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaTrustForestTrustInfo ) )
5eae9d1e     2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
5eae9d1e     2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbEnvFlags $ olcDbIndex $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ telephoneNumber $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ homePhone $ personalTitle $ mobile $ pager $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ 
employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName $ sambaLogonScript $ sambaProfilePath $ sambaUserWorkstations $ sambaHomePath $ sambaDomainName $ sambaMungedDial $ sambaShareName $ sambaOptionName $ sambaStringListOption $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaTrustForestTrustInfo ) )
5eae9d1e     2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbEnvFlags $ olcDbIndex $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ telephoneNumber $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ homePhone $ personalTitle $ mobile $ pager $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ 
employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName $ sambaLogonScript $ sambaProfilePath $ sambaUserWorkstations $ sambaHomePath $ sambaDomainName $ sambaMungedDial $ sambaShareName $ sambaOptionName $ sambaStringListOption $ sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaTrustForestTrustInfo ) )
5eae9d1e     1.2.36.79672281.1.13.3 (rdnMatch):     2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
5eae9d1e     2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
5eae9d1e ch_calloc of 1048576 elems of 704 bytes failed
Assertion failed: 0 (ch_malloc.c: ch_calloc: 107)
Aborted

admin user can't modify the config?

Hello,

I found your LDAP image one of the easier ones to get going with, but I'm stumbling head first into something I'm not sure how to solve. I'm only beginning to understand LDAP, and there are several concepts I haven't fully grasped yet either, so my apologies if this is something simple, but Google has eluded my quest for answers.

My admin user is cn=admin,dc=example,dc=com, with a tested password.
I've managed to import our users from the Synology LDAP's export LDIF (exported using Apache Directory Studio), and have them set up neatly in groups.

I noticed I couldn't enable the memberOf attributes on the users because the attribute is missing in the schema. Reading up a bit, I found this explanation of how to enable the memberOf attribute: https://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/

However I get an error when I try to execute the following LDIF to enable the module:

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

The error is as follows:

root@docker[0dc04192136f]:~# ldapadd -x -w `cat password` -h localhost -D cn=admin,dc=example,dc=com -a
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

adding new entry "cn=module,cn=config"
ldap_add: Insufficient access (50)

Notice I ran this from within the container, so perhaps I'm missing something crucial in the documentation about how to modify the existing schema?

Any help is much appreciated to resolve this issue.

How to modify or add in cn=config

Greetings,

I tried "ldapadd -c -Y external -H ldapi:/// -f memberOfmodule.ldif" on the docker container but I get the "ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)" error.

I also tried to use admin as recommended ("To access cn=config, set cn=config as root and use the administrator account for binding, here cn=admin,dc=my-company,dc=com and password 1234567890.") with rootpw but get the Insufficient access error:

root@openldap[x]:/# ldapadd -W -D "cn=admin,dc=niaidceirs,dc=org" -f memberOfmodule.ldif
Enter LDAP Password:
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)

root@openldap[x]:/# cat memberOfmodule.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

Your help is really appreciated.

Thanks
Indresh
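Both posts above run into the same rule: the rootDN of the directory database (cn=admin,dc=...) has no implicit rights over cn=config. Write access there is decided only by olcDatabase={0}config,cn=config, through its own olcRootDN/olcRootPW and olcAccess, and a stock install grants "manage" there solely to the local root user bound over ldapi:/// with SASL EXTERNAL (the gidNumber=0+uidNumber=0,cn=peercred,... identity that the image's own startup log prints further down this page). "Can't contact LDAP server (-1)" on ldapi:/// means slapd has no ldapi:/// listener, or the socket is not where the client's ldap.conf expects it. The script below is an added example, not part of the image or of either post: it prints the config database's rootDN and ACL, looks up the directory database's cn=config DN from its suffix (the other issues on this page show both olcDatabase={1}hdb and an mdb backend, so it is not hard-coded), and loads the memberof module and overlay. That slapd listens on ldapi:///, that cn=module{0},cn=config already exists, and the module directory /usr/lib/ldap are assumptions.

```shell
#!/bin/sh
# Added example, not the image's code: see who may write cn=config, then
# load the memberof module and overlay through cn=config over ldapi:///.
# Assumed (not on the page): slapd has an ldapi:/// listener, this runs as
# root inside the container, cn=module{0},cn=config exists, and modules
# live in /usr/lib/ldap.
set -eu

# LDIF for memberOf: load the module, then attach the overlay to the
# directory database whose cn=config DN is $1 (e.g. olcDatabase={1}mdb,cn=config).
memberof_ldif() {
    db_dn=$1
    mod_dir=$2
    printf '%s\n' \
        'dn: cn=module{0},cn=config' \
        'changetype: modify' \
        'replace: olcModulePath' \
        "olcModulePath: $mod_dir" \
        '-' \
        'add: olcModuleLoad' \
        'olcModuleLoad: memberof' \
        '' \
        "dn: olcOverlay=memberof,$db_dn" \
        'changetype: add' \
        'objectClass: olcOverlayConfig' \
        'objectClass: olcMemberOf' \
        'olcOverlay: memberof' \
        'olcMemberOfRefInt: TRUE' \
        'olcMemberOfGroupOC: groupOfNames' \
        'olcMemberOfMemberAD: member' \
        'olcMemberOfMemberOfAD: memberOf'
}

# Is there an ldapi:/// listener at all? "Can't contact LDAP server (-1)"
# here means slapd was not started with -h "ldap:/// ldapi:///".
ldapi_ok() {
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -s base -b '' 1.1 >/dev/null 2>&1
}

# Who may write cn=config: only the rootDN and ACL of olcDatabase={0}config
# decide, never the rootDN of the directory database. Stock installs grant
# "manage" to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth only.
config_acl() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// \
        -b 'olcDatabase={0}config,cn=config' -s base olcRootDN olcAccess
}

# cn=config DN of the database serving suffix $1 (olcDatabase={1}hdb or
# olcDatabase={1}mdb, depending on the image version).
db_dn_for_suffix() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
        "(&(objectClass=olcDatabaseConfig)(olcSuffix=$1))" dn |
        sed -n 's/^dn: //p'
}

apply_memberof() {
    ldapi_ok || { echo 'no ldapi:/// listener; start slapd with -h "ldap:/// ldapi:///"' >&2; return 1; }
    db_dn=$(db_dn_for_suffix "$1")
    [ -n "$db_dn" ] || { echo "no database with suffix $1" >&2; return 1; }
    config_acl
    memberof_ldif "$db_dn" /usr/lib/ldap | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# sh memberof.sh                          -> print the LDIF (dry run)
# sh memberof.sh apply dc=example,dc=com  -> apply it to the running slapd
if [ "${1:-}" = apply ]; then
    apply_memberof "$2"
else
    memberof_ldif 'olcDatabase={1}mdb,cn=config' /usr/lib/ldap
fi
```

If config_acl shows no olcRootDN and only the peercred ACL, a simple bind as the domain admin will always get "Insufficient access (50)" on cn=config, whatever password it uses; either go through ldapi:/// as root, as the script does, or set olcRootDN/olcRootPW on olcDatabase={0}config once, over that same ldapi:/// path.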

undocumented ENV vars

Hi,

I've just tried to pull your image from docker hub and noticed a lot of different undocumented variables like:
ALLOW_USER=chown -R sombody:somebody
USER=ldap
RUN_USER=somebody
RUN_HOME=/home/somebody
RUN_GROUP=somebody
WWWUSER=nginx

I'm really confused whether I can delete them or whether I should set them.

EDIT: I'm using cloudjiffy.co as Docker hoster; maybe they're running a configuration which conflicts with your image?

BR

Unable to start container

Unable to start container with the given example.

$ docker run -it --rm --name openldap \
           -p 389:389 \
           -e DEBUG_LEVEL=1 \
           -e DOMAIN=my-company.com \
           -e ORGANIZATION="My Company" \
           -e PASSWORD=1234567890 \
           mwaeckerlin/openldap

Configuration ...
==================== restore or backup ====================
  --> restoring configuration ... /etc/ldap /var/lib/ldap debian-script done.
==================== startbg ====================
  --> starting openldap in background ... done.
==================== setConfigPWD ====================
  --> set cn=config password ... SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: No such object (32)
	matched DN: cn=config

$ docker version
Client:
 Version:	17.12.0-ce
 API version:	1.35
 Go version:	go1.9.2
 Git commit:	c97c6d6
 Built:	Wed Dec 27 20:10:36 2017
 OS/Arch:	linux/amd64

Server:
 Engine:
  Version:	17.12.0-ce
  API version:	1.35 (minimum version 1.12)
  Go version:	go1.9.2
  Git commit:	c97c6d6
  Built:	Wed Dec 27 20:09:12 2017
  OS/Arch:	linux/amd64
  Experimental:	false

init ldif runs before ldap server is initialized

Expected Results

Initial ldapmodify command on init script runs after the ldap server is started up.

Actual results

The init script is run before the container fully initializes. I got the following logs when setting up the container:

Jul 13 05:24:09: + runInitScript
Jul 13 05:24:09: + echo 'wait server for initializing'                                                                                                                                                                                        
Jul 13 05:24:09: wait server for initializing                                                                                                                                                                                                 
Jul 13 05:24:09: + exit_code=1                                                                                                                                                                                                                
Jul 13 05:24:09: + '[' 1 -ne 0 ]                                                                                                                                                                                                              
Jul 13 05:24:09: + ldapurl                                                                                                                                                                                                                    
Jul 13 05:24:09: ldap://:389                                                                                                                                                                                                                  
Jul 13 05:24:09: + exit_code=0                                                                                                                                                                                                                
Jul 13 05:24:09: + sleep 1                                                                                                                                                                                                                    
Jul 13 05:24:09: + chmod 700 /var/lib/ldap                                                                                                                                                                                                    
Jul 13 05:24:09: + /usr/sbin/slapd -u ldap -g ldap -d 1 -h ldap:/// -f /etc/ldap/slapd.conf                                                                                                                                                   
Jul 13 05:24:09: ldap_url_parse_ext(ldap://localhost/)                                                                                                                                                                                        
Jul 13 05:24:09: ldap_init: trying /etc/openldap/ldap.conf                                                                                                                                                                                    
Jul 13 05:24:09: ldap_init: using /etc/openldap/ldap.conf                                                                                                                                                                                     
Jul 13 05:24:09: ldap_init: HOME env is /root                                                                                                                                                                                                 
Jul 13 05:24:09: ldap_init: trying /root/ldaprc                                                                                                                                                                                               
Jul 13 05:24:09: ldap_init: trying /root/.ldaprc                                                                                                                                                                                              
Jul 13 05:24:09: ldap_init: trying ldaprc                                                                                                                                                                                                     
Jul 13 05:24:09: ldap_init: LDAPCONF env is NULL                                                                                                                                                                                              
Jul 13 05:24:09: ldap_init: LDAPRC env is NULL                                                                                                                                                                                                
Jul 13 05:24:09: 5d296af9 @(#) $OpenLDAP: slapd 2.4.47 (Dec 28 2018 17:00:39) $                                                                                                                                                               
Jul 13 05:24:09:         buildozer@build-3-9-x86_64:/home/buildozer/aports/main/openldap/src/openldap-2.4.47/servers/slapd                                                                                                                    
Jul 13 05:24:09: ldap_pvt_gethostbyname_a: host=28755c1e39d3, r=0                                                                                                                                                                             
Jul 13 05:24:09: 5d296af9 daemon_init: listen on ldap:///                                                                                                                                                                                     
Jul 13 05:24:09: 5d296af9 daemon_init: 1 listeners to open...                                                                                                                                                                                 
Jul 13 05:24:09: ldap_url_parse_ext(ldap:///)                                                                                                                                                                                                 
Jul 13 05:24:09: 5d296af9 daemon: listener initialized ldap:///                                                                                                                                                                               
Jul 13 05:24:09: 5d296af9 daemon_init: 2 listeners opened                                                                                                                                                                                     
Jul 13 05:24:09: ldap_create                                                                                                                                                                                                                  
Jul 13 05:24:09: 5d296af9 slapd init: initiated server.                                                                                                                                                                                       
Jul 13 05:24:09: 5d296af9 slap_sasl_init: initialized!                                                                                                                                                                                        
Jul 13 05:24:09: 5d296af9 mdb_back_initialize: initialize MDB backend                                                                                                                                                                         
Jul 13 05:24:09: 5d296af9 mdb_back_initialize: LMDB 0.9.23: (December 19, 2018)                                                                                                                                                               
Jul 13 05:24:09: 5d296af9 mdb_db_init: Initializing mdb database                                                                                                                                                                              
Jul 13 05:24:09: 5d296af9 >>> dnPrettyNormal: <dc=debug,dc=hobbithole,dc=blue>                                                                                                                                                                
Jul 13 05:24:09: 5d296af9 <<< dnPrettyNormal: <dc=debug,dc=hobbithole,dc=blue>, <dc=debug,dc=hobbithole,dc=blue>                                                                                                                              
Jul 13 05:24:09: 5d296af9 >>> dnPrettyNormal: <cn=admin,dc=debug,dc=hobbithole,dc=blue>                                                                                                                                                       
Jul 13 05:24:09: 5d296af9 <<< dnPrettyNormal: <cn=admin,dc=debug,dc=hobbithole,dc=blue>, <cn=admin,dc=debug,dc=hobbithole,dc=blue>                                                 
Jul 13 05:24:09: 5d296af9 >>> dnNormalize: <>                                                                                                                                                                                                 
Jul 13 05:24:09: 5d296af9 <<< dnNormalize: <>                                                                                                                                                                                                 
Jul 13 05:24:09: 5d296af9 >>> dnNormalize: <cn=Subschema>                                                                                                                                                                                     
Jul 13 05:24:09: 5d296af9 <<< dnNormalize: <cn=subschema>                                                                                                                                                                                     
Jul 13 05:24:09: 5d296af9 >>> dnNormalize: <cn=Subschema>                                                                                                                                                                                     
Jul 13 05:24:09: 5d296af9 <<< dnNormalize: <cn=subschema>                                                                                                                                                                                     
Jul 13 05:24:09: 5d296af9 matching_rule_use_init                                                                                                                                                                                              
Jul 13 05:24:09: 5d296af9     1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNum
Jul 13 05:24:09: 5d296af9     1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidN
Jul 13 05:24:09: 5d296af9     1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ c $ mail $ dc $ as
Jul 13 05:24:09: 5d296af9     1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ c $ mail $ dc $ asso
Jul 13 05:24:09: 5d296af9     2.5.13.39 (certificateListMatch):     2.5.13.38 (certificateListExactMatch): matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRev
Jul 13 05:24:09: 5d296af9     2.5.13.35 (certificateMatch):     2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACert
Jul 13 05:24:09: 5d296af9     2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedEx                                              
Jul 13 05:24:09: 5d296af9     2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gi
Jul 13 05:24:09: 5d296af9     2.5.13.28 (generalizedTimeOrderingMatch): matchingRuleUse: ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
Jul 13 05:24:09: 5d296af9     2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
Jul 13 05:24:09: 5d296af9     2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
Jul 13 05:24:09: 5d296af9     2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
Jul 13 05:24:09: 5d296af9     2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
Jul 13 05:24:09: 5d296af9     2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )
Jul 13 05:24:09: 5d296af9     2.5.13.18 (octetStringOrderingMatch): matchingRuleUse: ( 2.5.13.18 NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ sambaClearTextPassword $ sambaPreviou
Jul 13 05:24:09: 5d296af9     2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ sambaClearTextPassword $ sambaPreviousClearTextPasswo
Jul 13 05:24:09: 5d296af9     2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
Jul 13 05:24:09: 5d296af9     2.5.13.15 (integerOrderingMatch): matchingRuleUse: ( 2.5.13.15 NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ ol
Jul 13 05:24:09: 5d296af9     2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ o
Jul 13 05:24:09: 5d296af9     2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $
Jul 13 05:24:09: 5d296af9     2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )
Jul 13 05:24:09: 5d296af9     2.5.13.9 (numericStringOrderingMatch): matchingRuleUse: ( 2.5.13.9 NAME 'numericStringOrderingMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Jul 13 05:24:09: 5d296af9     2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Jul 13 05:24:09: 5d296af9     2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndica
Jul 13 05:24:09: 5d296af9     2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref
Jul 13 05:24:09: 5d296af9     2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ u
Jul 13 05:24:09: 5d296af9     2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndi
Jul 13 05:24:09: 5d296af9     2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ r
Jul 13 05:24:09: 5d296af9     2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $
Jul 13 05:24:09: 5d296af9     1.2.36.79672281.1.13.3 (rdnMatch):     2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modi
Jul 13 05:24:09: 5d296af9     2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ 
Jul 13 05:24:10: run initialization script
Jul 13 05:24:10: + '[' 0 -ne 0 ]
Jul 13 05:24:10: + echo 'run initialization script'
Jul 13 05:24:10: + ldapmodify -a -c -D 'cn=admin,dc=debug,dc=hobbithole,dc=blue' -w testpassword -f /var/init/init.ldif 
Jul 13 05:24:10: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Jul 13 05:24:12: time="2019-07-13T05:24:12.129322409Z" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Jul 13 05:24:12: 5d296afc slapd startup: initiated.
Jul 13 05:24:12: 5d296afc backend_startup_one: starting "cn=config"
Jul 13 05:24:12: 5d296afc config_back_db_open
Jul 13 05:24:12: 5d296afc config_build_entry: "cn=config"
Jul 13 05:24:12: 5d296afc config_build_entry: "cn=module{0}"
Jul 13 05:24:12: 5d296afc config_build_entry: "cn=schema"
Jul 13 05:24:12: 5d296afc >>> dnNormalize: <cn={0}core>
Jul 13 05:24:12: 5d296afc <<< dnNormalize: <cn={0}core>
Jul 13 05:24:12: 5d296afc config_build_entry: "cn={0}core"
Jul 13 05:24:12: 5d296afc >>> dnNormalize: <cn={1}cosine>
Jul 13 05:24:12: 5d296afc <<< dnNormalize: <cn={1}cosine>
Jul 13 05:24:12: 5d296afc config_build_entry: "cn={1}cosine"
Jul 13 05:24:12: 5d296afc >>> dnNormalize: <cn={2}inetorgperson>
Jul 13 05:24:12: 5d296afc <<< dnNormalize: <cn={2}inetorgperson>
Jul 13 05:24:12: 5d296afc config_build_entry: "cn={2}inetorgperson"
Jul 13 05:24:12: 5d296afc >>> dnNormalize: <cn={3}nis>
Jul 13 05:24:12: 5d296afc <<< dnNormalize: <cn={3}nis>
Jul 13 05:24:12: 5d296afc config_build_entry: "cn={3}nis"
Jul 13 05:24:12: 5d296afc >>> dnNormalize: <cn={4}samba>
Jul 13 05:24:12: 5d296afc <<< dnNormalize: <cn={4}samba>

After logging into the container and running the init script's ldapmodify command by hand (30-60 seconds later), it works just fine:

root@openldap[28755c1e39d3]:/# ldapmodify -a -c -D 'cn=admin,dc=debug,dc=hobbithole,dc=blue' -w testpassword -f /var/init/init.ldif
adding new entry "dc=debug,dc=hobbithole,dc=blue "

adding new entry "ou=people,dc=debug,dc=hobbithole,dc=blue "

adding new entry "ou=group,dc=debug,dc=hobbithole,dc=blue "

adding new entry "uid=ldapcherry_default,ou=people,dc=debug,dc=hobbithole,dc=blue "
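An added example, not the image's start.sh: the readiness wait that the init step in the trace above lacks. It polls the root DSE with an anonymous base search and runs the init LDIF only once slapd answers, instead of one second after launching it. It also binds with -x (simple bind) and -y (password file) rather than -w: the trace above shows that, under set -x, the -w argument echoes the admin password into the container log, and -w is visible to every process on the host through the process list as well. The URL, admin DN, password-file path and LDIF path are assumptions.

```shell
#!/bin/sh
# Added example, not the image's start.sh: wait until slapd really answers
# before running the init LDIF, and keep the admin password off the command
# line. Assumed (not on the page): the URL, admin DN, password-file path and
# LDIF path below.
set -eu

LDAP_URL=${LDAP_URL:-ldap://localhost:389}
ADMIN_DN=${ADMIN_DN:-cn=admin,dc=example,dc=com}
PASS_FILE=${PASS_FILE:-/run/secrets/ldap_admin_pw}   # assumed location
INIT_LDIF=${INIT_LDIF:-/var/init/init.ldif}

# Run the command named in $1 once a second until it succeeds or $2 seconds
# have passed. Returns 0 when it succeeded, 1 on timeout.
wait_for() {
    probe=$1
    timeout=$2
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if $probe >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Readiness probe: anonymous base search of the root DSE. While slapd is
# still initialising, ldapsearch fails with "Can't contact LDAP server (-1)"
# and exits non-zero, so the probe only passes once the listener is live.
ldap_ready() {
    ldapsearch -x -H "$LDAP_URL" -s base -b '' 1.1
}

# Simple bind (-x) with the password read from a file (-y). Without -x, and
# without a bind DN, the client tools fall back to SASL (DIGEST-MD5 on this
# image), which needs SASL secrets slapd does not have.
run_init() {
    ldapmodify -a -c -x -H "$LDAP_URL" -D "$ADMIN_DN" -y "$PASS_FILE" -f "$INIT_LDIF"
}

# sh init-when-ready.sh run   -> wait up to 60 s, then apply the init LDIF
if [ "${1:-}" = run ]; then
    wait_for ldap_ready 60 || { echo "slapd not ready after 60 s" >&2; exit 1; }
    run_init
else
    echo "usage: $0 run   (honours LDAP_URL, ADMIN_DN, PASS_FILE, INIT_LDIF)" >&2
fi
```

The password file should be readable only by the user running the script (mode 0600); -y reads it verbatim, including any trailing newline, so write it with printf '%s' rather than echo.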

/PASSWORD setting in start.sh

hey @mwaeckerlin ! I am new to LDAP so please excuse my missing knowledge in advance.

I'm helping to set up a server for Singularity Registry (we have a lot of LDAP users!) and I was able to start the image, but when I issue any command to the ldap executables, I can't seem to authenticate (even with -x). I looked back in the startup log and I see this:

starting slapd ...
/start.sh: line 134: /PASSWORD: No such file or directory
Administrator Password: 

Should this be something that is parsed from the environment variable? Or some other source? It would be fantastic to have a working example to play around with. Here is the message that I keep getting, regardless of the executable that I use:

root@docker[72b21bd3c290]:/# ldapadd 
SASL/DIGEST-MD5 authentication started
Please enter your authentication name: admin
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

and here is our work in progress if you are interested. Thanks in advance!

Cannot add indexes

I'm running into this issue when having a user change their own password:

5d16e3d2 <= mdb_equality_candidates: (uid) not indexed

Which seems to indicate that the uid (which is the objectclass that it's searching for) is not indexed. Sure enough, when I look in the slapd.conf file, the only index is for objectClass.

Would there be a way to specify indexes to add? I would imagine it could be something like how ACLs are implemented (see #6 (comment)).
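An added example, not the image's own script, of the two steps an index change needs when slapd runs from slapd.conf as it does here: index directives in the database section, and a slapindex run with slapd stopped, because directives added to slapd.conf only affect entries written afterwards. The directive list is validated against the index types slapd.conf(5) accepts before anything is written. The config path, the "ldap" owner of the database files and the suffix passed to reindex are assumptions, and the script appends to the end of slapd.conf, which is only correct when the directory database is the last database section in the file.

```shell
#!/bin/sh
# Added example, not the image's script: build slapd.conf "index" directives
# from "attr type[,type]" pairs, check the index types, then rebuild the
# on-disk indexes. Assumed (not on the page): the config path, the database
# owner "ldap", the suffix, and that the directory database is the last
# database section so that appending to the file lands in it.
set -eu

# Index types accepted by slapd.conf(5); "notags" is the alias of "nolang".
VALID_TYPES='pres eq approx sub subinitial subany subfinal nolang notags nosubtypes'

# One "attr type[,type...]" pair per argument, e.g. "uid eq" "cn eq,sub".
# Prints one "index" line per pair; returns 1 on a malformed pair or an
# unknown index type so that nothing half-checked reaches slapd.conf.
index_directives() {
    for spec in "$@"; do
        attr=${spec%% *}
        types=${spec#* }
        [ "$attr" != "$spec" ] || { echo "missing index type in '$spec'" >&2; return 1; }
        for t in $(printf '%s' "$types" | tr ',' ' '); do
            case " $VALID_TYPES " in
                *" $t "*) ;;
                *) echo "unknown index type '$t' for $attr" >&2; return 1 ;;
            esac
        done
        printf 'index %s %s\n' "$attr" "$types"
    done
}

# Rebuild the indexes for suffix $2 from config $1. slapindex must run while
# slapd is stopped; run as root it leaves index files owned by root, and
# slapd, started with "-u ldap", could not open them, hence the chown.
reindex() {
    conf=$1
    suffix=$2
    owner=${3:-ldap}
    slaptest -f "$conf" >/dev/null          # refuse to reindex from a broken config
    slapindex -f "$conf" -b "$suffix"
    chown -R "$owner:$owner" /var/lib/ldap
}

# sh indexes.sh                                   -> print sample directives
# LDAP_SUFFIX=dc=example,dc=com sh indexes.sh apply "uid eq" "cn eq,sub"
if [ "${1:-}" = apply ]; then
    shift
    conf=${LDAP_CONF:-/etc/ldap/slapd.conf}
    index_directives "$@" >> "$conf"
    reindex "$conf" "$LDAP_SUFFIX"
else
    index_directives "uid eq" "cn eq,sub" "mail eq"
fi
```

The "not indexed" line in the log above is slapd telling you that the search fell back to scanning every entry; with a few thousand users that is only a performance problem, but it also makes any search on that attribute by an authenticated user proportionally more expensive, which is worth keeping in mind for attributes exposed to self-service clients.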

use TLS/SSL with just one certificate chain and one key

For using SSL I dumped my certificates out of an acme.json (from Let's Encrypt via Traefik) with https://github.com/ldez/traefik-certs-dumper.
After the dump I have just one certificate chain file and one key file in my folder.
The certificate chain contains the certificate and the CA certificate. So I have in theory everything that is needed for TLS/SSL. But the container needs three files: one key, one file for the certificate and one separate file for the CA certificate.
Is there a way to use TLS/SSL even if I just have two files?
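An added example, not from the image or the post above: splitting the dumped chain file into the separate certificate and CA files. In a full-chain PEM the first block is the server certificate and the following blocks are the issuing CAs, so the split is mechanical; openssl verify with the CA part passed as -untrusted then confirms that the leaf still chains through those intermediates to a root in the system trust store. The file names, and the key ownership set at the end, are assumptions; the two-block PEM the demo writes is constructed and contains no real certificates.

```shell
#!/bin/sh
# Added example, not the image's code: split a PEM chain (server cert first,
# then issuing CAs) into the two files slapd expects for TLSCertificateFile
# and TLSCACertificateFile, and verify that the pieces still chain.
# Assumed (not on the page): the file names, and that slapd runs as
# user/group "ldap" so the key is made readable by that group.
set -eu

# Copy the first CERTIFICATE block of $1 to $2 and every later block to $3.
# Text before the first block (comments from the dumper) is dropped.
split_chain() {
    chain=$1 cert=$2 ca=$3
    awk -v cert="$cert" -v ca="$ca" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > cert }
        n >= 2 { print > ca }
    ' "$chain"
    [ -s "$cert" ] && [ -s "$ca" ] ||
        { echo "expected at least two certificates in $chain" >&2; return 1; }
}

# Number of PEM certificate blocks in a file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Check leaf $1 against CA file $2 the way a client will: the intermediates
# are untrusted input, the root must come from the system trust store.
verify_split() {
    openssl verify -untrusted "$2" "$1"
}

# sh split-chain.sh                 -> demo on a constructed two-block file
# sh split-chain.sh run fullchain.pem privkey.pem
if [ "${1:-demo}" = run ]; then
    split_chain "$2" cert.pem chain-ca.pem
    verify_split cert.pem chain-ca.pem
    chown root:ldap "$3" && chmod 640 "$3"   # key readable by slapd, nobody else
else
    # Constructed input, not real certificates: two PEM blocks in one file.
    tmp=$(mktemp -d)
    printf '%s\n' \
        '# dumped by traefik-certs-dumper (constructed header)' \
        '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' \
        > "$tmp/fullchain.pem"
    split_chain "$tmp/fullchain.pem" "$tmp/cert.pem" "$tmp/ca.pem"
    echo "server certs: $(cert_count "$tmp/cert.pem"), CA certs: $(cert_count "$tmp/ca.pem")"
    rm -r "$tmp"
fi
```

When the dumper emits Let's Encrypt chains, the CA file will hold only the intermediate, not the ISRG root; that is fine for slapd, which sends it as part of the handshake, and for openssl verify, which takes the root from the system store.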
