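├── startup.sh
├── mk-pw.sh
├── ldap-vars.env
├── Dockerfile2
├── uniq.ldif
├── sssd.conf.sh
├── README.md
├── Dockerfile
├── docker-compose.yml
└── test.sh.sh

/startup.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Client container entrypoint: start sssd after the LDAP server has had a
# moment to come up, then keep the container alive.
set -eu

# Give the server a chance to come up
sleep 5

# Fail the container visibly instead of idling with no sssd running.
service sssd start || { printf 'startup.sh: failed to start sssd\n' >&2; exit 1; }

# sssd was started as a service (background); this keeps PID 1 alive.
sleep infinity

--------------------------------------------------------------------------------
/mk-pw.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Build-time helper: writes the LDAP admin password to /etc/pw-admin.txt for
# use with `ldapadd/ldapsearch -y`. The file must hold the bare password with
# no trailing newline, because -y uses the file contents verbatim.
set -eu
# shellcheck source=/dev/null
source /ldap-vars.env
: "${LDAP_ADMIN_PASSWORD:?LDAP_ADMIN_PASSWORD must be set in /ldap-vars.env}"

# Create the file with a restrictive mode from the start (umask is local to
# the subshell) rather than writing it world-readable and chmod-ing after.
( umask 077 && printf '%s' "${LDAP_ADMIN_PASSWORD}" > /etc/pw-admin.txt )
chmod 600 /etc/pw-admin.txt

--------------------------------------------------------------------------------
/ldap-vars.env:
--------------------------------------------------------------------------------
# Shared settings: sourced by the build scripts and loaded by docker-compose
# (env_file) into the environment of both containers.
LDAP_ORGANISATION="Jedi Council"
LDAP_HOST=server.jedi.org
LDAP_DOMAIN=jedi.org
LDAP_BASE_DN=dc=jedi,dc=org
# NOTE(review): this password is baked into the client image (sssd.conf and
# /etc/pw-admin.txt) and is visible in both containers' environment; change
# it before any non-local use and prefer a secret mount over a committed file.
LDAP_ADMIN_PASSWORD=RuckSack83

--------------------------------------------------------------------------------
/Dockerfile2:
--------------------------------------------------------------------------------
FROM osixia/openldap:1.5.0

# By default, ldap does not constrain uidNumber to be unique. This fixes that problem.
# COPY rather than ADD: no URL fetch or archive extraction is wanted here.
COPY uniq.ldif /container/service/slapd/assets/config/bootstrap/ldif/

--------------------------------------------------------------------------------
/uniq.ldif:
--------------------------------------------------------------------------------
# Bootstrap LDIF: load the "unique" overlay module and enforce uniqueness of
# uidNumber in the {1}mdb database.
dn: cn=module,cn=config
cn: module
objectclass: olcModuleList
objectclass: top
olcmoduleload: unique
olcmodulepath: /usr/lib/ldap

dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {0}unique
olcUniqueAttribute: uidNumber

--------------------------------------------------------------------------------
/sssd.conf.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Build-time generator: renders sssd.conf in the current directory from the
# values in /ldap-vars.env (the Dockerfile runs it from /etc/sssd).
set -eu
# shellcheck source=/dev/null
source /ldap-vars.env
: "${LDAP_DOMAIN:?}" "${LDAP_HOST:?}" "${LDAP_BASE_DN:?}" "${LDAP_ADMIN_PASSWORD:?}"

# NOTE(review): ldap:// without TLS sends the bind DN and authtok in clear
# text, and the rendered file embeds the admin password; keep it mode 600
# (the Dockerfile does) and consider ldaps:// or StartTLS beyond local use.
cat > sssd.conf << EOF
[sssd]
config_file_version = 2
domains = ${LDAP_DOMAIN}
services = nss, pam

[pam]

[domain/${LDAP_DOMAIN}]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://${LDAP_HOST}
cache_credentials = True
ldap_search_base = ${LDAP_BASE_DN}
ldap_group_search_base = ${LDAP_BASE_DN}
ldap_user_search_base = ${LDAP_BASE_DN}
ldap_default_bind_dn = cn=admin,${LDAP_BASE_DN}
ldap_default_authtok = ${LDAP_ADMIN_PASSWORD}

[nss]
filter_groups = root
filter_users = root
entry_cache_nowait_percentage = 75
EOF

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# workingldap

This project enables you to instantly configure an ldap server that persists its data and enforces unique uidNumbers.

The LDAP settings and the admin password live in `ldap-vars.env`; change the password before building, since it is copied into the images.

To build the images, run this:

```
docker-compose build
```

To start the server/client pair, run this:

```
docker-compose down && docker-compose up -d
```

To test whether it's working, log in to the client as follows:

```
docker exec -it ldapclient bash
```

Once in, run the following commands:

```
$ cd
$ bash test.sh.sh
$ bash test.sh
```

In the output, you should see that the user 'yoda' was successfully added, while the user 'spock' could not be added because doing so would violate the unique uidNumber constraint.

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:20.04

ARG DEBIAN_FRONTEND=noninteractive
# Update and install in one layer so the package index is never stale
# relative to the install step; drop the lists afterwards to keep the image small.
RUN apt-get update \
  && apt-get install -y ldap-utils vim sssd-ldap libpam-ldapd ca-certificates libnss-ldap libpam-sss \
  && rm -rf /var/lib/apt/lists/*
# Refresh /etc/ssl/certs and ca-certificates.crt. The command takes no
# free-form arguments, so the description lives in this comment.
RUN update-ca-certificates

COPY ldap-vars.env /ldap-vars.env
RUN mkdir -p /etc/sssd
COPY sssd.conf.sh /etc/sssd/sssd.conf.sh
WORKDIR /etc/sssd
# Render sssd.conf and remove the generator. The rendered file holds the
# admin bind password, so it must stay mode 600 (sssd requires this too).
RUN bash ./sssd.conf.sh && rm -f ./sssd.conf.sh && chmod 600 ./sssd.conf
WORKDIR /
RUN chmod 700 /root

COPY startup.sh /startup.sh
COPY test.sh.sh /root/test.sh.sh
# Adds the sss backend for the 'services' database only; passwd/group
# resolution presumably comes from the sssd package install hooks — verify
# with `getent passwd` if `id` does not resolve LDAP users.
RUN echo "services: files sss" >> /etc/nsswitch.conf
# RUN echo SELINUX=disabled > /etc/selinux/config
COPY mk-pw.sh /mk-pw.sh
# Writes /etc/pw-admin.txt (mode 600) for ldapadd/ldapsearch -y.
RUN bash /mk-pw.sh && rm -f /mk-pw.sh
# NOTE(review): the COPY above already stored this file, with its build-context
# mode, in an earlier layer; this chmod fixes the final filesystem, not image history.
RUN chmod 600 /ldap-vars.env
CMD ["bash","/startup.sh"]

--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'

volumes:
  ldap_data:
  slapd_data:

services:

  ldap:
    #image: osixia/openldap:1.5.0
    build:
      context: .
      dockerfile: Dockerfile2
    image: ldapserverimage
    hostname: server.jedi.org
    container_name: ldap

    # Persisting these directories will
    # persist your ldap database.
    volumes:
      - ldap_data:/var/lib/ldap
      - slapd_data:/etc/ldap/slapd.d
    # env_file puts LDAP_ADMIN_PASSWORD into the container environment
    # (readable by every process in the container and via `docker inspect`).
    env_file:
      - ldap-vars.env
    #ports:
    #  - 389:389
    #  - 636:636

  ldapclient:
    build:
      context: .
      dockerfile: Dockerfile
    image: ldapclientimage
    container_name: ldapclient
    hostname: client.jedi.org
    # Start the server first; depends_on does not wait for readiness, which
    # is why startup.sh still sleeps before starting sssd.
    depends_on:
      - ldap
    env_file:
      - ldap-vars.env

--------------------------------------------------------------------------------
/test.sh.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Generates ./test.sh with the LDAP settings from the container environment
# expanded in place (unquoted EOT), so test.sh itself needs no variables.
# Expected outcome: yoda is added; spock is rejected by the unique overlay
# because it reuses uidNumber 1234.
set -eu
: "${LDAP_HOST:?}" "${LDAP_BASE_DN:?}" "${LDAP_DOMAIN:?}" "${LDAP_ADMIN_PASSWORD:?}"

cat > test.sh << EOT
#!/usr/bin/env bash
# Generated by test.sh.sh; the LDAP values below were expanded at generation time.
cat > yoda.ldif << EOF
# define ldif file with record attributes
# written to yoda.ldif
dn: uid=yoda,${LDAP_BASE_DN}
uid: yoda
cn: yoda
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/yoda
uidNumber: 1234
gidNumber: 100
# NOTE(review): the test user reuses the admin password, and this LDIF stays
# on disk in /root with the password in clear text.
userPassword: ${LDAP_ADMIN_PASSWORD}
mail: yoda@${LDAP_DOMAIN}
gecos: yoda User
EOF
ldapadd -x -H "ldap://${LDAP_HOST}" -D "cn=admin,${LDAP_BASE_DN}" -f yoda.ldif -y /etc/pw-admin.txt

cat > spock.ldif << EOF
# define ldif file with record attributes
# written to spock.ldif
dn: uid=spock,${LDAP_BASE_DN}
uid: spock
cn: spock
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/spock
uidNumber: 1234
gidNumber: 100
userPassword: sithlord1
mail: spock@${LDAP_DOMAIN}
gecos: spock User
EOF
# Expected to fail: uidNumber 1234 is already taken by yoda.
ldapadd -x -H "ldap://${LDAP_HOST}" -D "cn=admin,${LDAP_BASE_DN}" -f spock.ldif -y /etc/pw-admin.txt

ldapsearch -x -H "ldap://${LDAP_HOST}" -b "${LDAP_BASE_DN}" -D "cn=admin,${LDAP_BASE_DN}" -y /etc/pw-admin.txt

# Test the command status directly instead of reading \$? on the next line.
if id yoda; then
  echo "User yoda successfully added!"
fi
if ! id spock; then
  echo "User 'spock' correctly failed to be added! (same uidNumber as 'yoda')"
fi
EOT

--------------------------------------------------------------------------------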