mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-02-22 12:29:39 +01:00
Docker LDAP Role
This Ansible role provides a streamlined implementation of an LDAP server with TLS support. It leverages Docker Compose to deploy a pre-configured OpenLDAP server and phpLDAPadmin for easy management.
🚀 Features
-
Secure LDAP with TLS:
- Automatically configures TLS certificates for secure communication.
- Provides configurable support for LDAPS on port 636.
-
phpLDAPadmin Integration:
- Includes a Dockerized phpLDAPadmin setup for easy user and group management.
-
Healthcheck Support:
- Ensures that the LDAP service is healthy and accessible using
ldapsearch.
- Ensures that the LDAP service is healthy and accessible using
--
Maintanance
Show Config
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config'"
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=*)'"
docker exec -it openldap bash -c "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=config' -s base '(objectClass=olcModuleList)'"
install
MemberOf
# Activate
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: /opt/bitnami/openldap/lib/openldap/memberof.so
EOF
# Verify
ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "cn=module{0},cn=config" olcModuleLoad
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
Show all Entires
docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'dc=veen,dc=world'";
Delete Groups and Subgroup
To delete the group inclusive all subgroups use:
docker exec --env LDAP_ADMIN_PASSWORD="$LDAP_ADMIN_PASSWORD" -it openldap bash -c "ldapsearch -LLL -o ldif-wrap=no -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" -b 'ou=applications,ou=groups,dc=veen,dc=world' dn | sed -n 's/^dn: //p' | tac | while read -r dn; do echo \"Deleting \$dn\"; ldapdelete -x -D 'cn=administrator,dc=veen,dc=world' -w \"\$LDAP_ADMIN_PASSWORD\" \"\$dn\"; done"
--
🛠️ Technical Details
Services Configured
-
OpenLDAP
- TLS enabled on port 636.
- Configuration driven by environment variables.
-
phpLDAPadmin
- Accessible on port 443.
- Simplifies LDAP management via a web interface.
-
Healthchecks
- Uses
ldapsearchto validate LDAP functionality.
- Uses
Directory Structure
The following directories are mounted in the container:
- LDAP Data:
data:/bitnami/openldapfor persistent data storage.
🔒 Security Recommendations
- Always use strong passwords for
applications.ldap.administrator_password. - Restrict access to phpLDAPadmin by binding it to
127.0.0.1or using a reverse proxy.
📜 References
- Bitnami OpenLDAP
- phpLDAPadmin Documentation
- LDAP Account Manager
- [RBAC](https://www.entrust.com/de/resources/learn/what-is-role-based-access-control#:~:text=Rollenbasierte%20Zugriffskontrolle%20(Role%2Dbased%20Access,eine%20Ressource%20gew%C3%A4hrt%20werden%20soll.)
- RBAC Wikipedia
👨💻 Author
Kevin Veen-Birkenbach - veen.world
Feel free to report issues, suggest features, or contribute to the repository! 😊