An Stunnel proxy server with tcpdump, to monitor network traffic when configured with Google Workspace Secure LDAP.
This container will allow you to add the .crt
/.key
pair generated in your Admin Console (as a zip file, or individual .crt
/.key
files) on the /data
folder in the container, which in turn will pre-configure the Stunnel for Google Workspace Secure LDAP.
Start an stunnel service with tcpdump
in Docker, by running:
with a .zip
file:
docker run -it \
-v $(find /path/to/dir/ -maxdepth 1 -name "Google*.zip"):/data/Google.zip \
-v /path/to/output:/data/out \
-p 1636:1636 \
--name dumpt \
zalgonoise/dumpt:latest
with a .crt
/.key
pair:
docker run -it \
-v $(find /path/to/dir/ -maxdepth 1 -name "Google*.crt"):/data/stunnel.crt \
-v $(find /path/to/dir/ -maxdepth 1 -name "Google*.key"):/data/stunnel.key \
-v /path/to/output:/data/out \
-p 1636:1636 \
--name dumpt \
zalgonoise/dumpt:latest
The tool will generate a .pcap
file that is placed on /data/out
, thus linking this folder as a volume from your machine.
Files will not overwrite, don't worry -- they increment as numbered files
You can then analyze your .pcap
file with other tools, including Wireshark.
The container is using my zalgonoise/alpine
base image to take advantage of the s6-overlay, to create running services.
This way, there is no need to send processes to the background blindly and better monitoring for runtime errors.
Stunnel is configured in /etc/stunnel/stunnel.conf
, by creating a preset configuration file:
cd /etc/stunnel
cat << EOF > stunnel.conf
foreground = yes
setuid = stunnel
setgid = stunnel
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[${SERVICE:-ldap}]
client = ${CLIENT:-yes}
accept = ${ACCEPT:-1636}
connect = ${CONNECT:-ldap.google.com:636}
cert = /data/stunnel.crt
key = /data/stunnel.key
EOF
Your certificate and key are moved to /data/stunnel.*
in conformity to this configuration.
tcpdump
on the other hand is just listening for network activity in this container. Since we are expecting the interactions to be solely between the LDAP client and Google, all network traffic in the machine is worth capturing. Further filtering can be placed in the analyzer tool of choice.
The command ran is the following:
tcpdump -i eth0 -vvv -w ${outfile}