OpenLDAP Proxy -- Installation and configuration
After understanding what the configuration of an OpenLDAP proxy looks like, it's time to explain how to install the OpenLDAP proxy and get it running. In this post we cover how to install the OpenLDAP proxy both locally and with Docker.
The installation is quite easy: a few packages need to be installed, including the LDAP server, the LDAP client and some utilities. The steps below are for CentOS; the instructions for other platforms should be similar, with minor differences in package names and locations.
- Install openldap, openldap-clients and openldap-servers:

```shell
yum install openldap openldap-clients openldap-servers
```

- Create /etc/openldap/slapd.conf if it does not exist.
- Update /etc/openldap/slapd.conf and add the LDAP entries (see the previous post for what the configuration should be).
- Remove the current contents of /etc/openldap/slapd.d/:

```shell
rm -rf /etc/openldap/slapd.d/*
```

- Regenerate the configuration from slapd.conf:

```shell
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
```

- Change the owner of the config directory to ldap (on Ubuntu the user is openldap):

```shell
chown -R ldap:ldap /etc/openldap/slapd.d
```

- Restart the slapd service.
This should bring up the OpenLDAP proxy with the configuration you want. If you don't want to use the LDIF style of configuration, you can delete the /etc/ldap/slapd.d folder after updating the /etc/ldap/slapd.conf file.
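The steps above delete slapd.d before slaptest has shown that slapd.conf is valid, so a typo in slapd.conf leaves you with an empty configuration directory and a proxy that will not start. The helper below is an added example, not code from the original post: it runs slaptest into a staging directory and only swaps the live slapd.d if slaptest succeeds, keeping the old directory as a timestamped backup. The function name and the SLAPTEST and LDAP_OWNER overrides are assumptions for illustration (set LDAP_OWNER to openldap on Ubuntu).

```shell
#!/bin/sh
# Added example (not part of the original post): regenerate slapd.d from slapd.conf
# without first deleting the running configuration. slaptest writes into a staging
# directory; the live slapd.d is replaced only if slaptest succeeds, so a broken
# slapd.conf leaves the proxy's current config intact instead of an empty slapd.d.
# SLAPTEST and LDAP_OWNER are assumed overridable so the logic can be exercised
# on a host without slapd installed.

SLAPTEST=${SLAPTEST:-slaptest}
LDAP_OWNER=${LDAP_OWNER:-ldap}

# regenerate_slapd_config <slapd.conf> <slapd.d directory>
# Returns 0 after swapping in the new config; returns 1 and leaves the target
# directory untouched on any failure.
regenerate_slapd_config() {
    conf=$1
    target=${2%/}
    staging=$(mktemp -d "$target.new.XXXXXX") || return 1

    # 1. Compile slapd.conf into the staging directory only.
    if ! "$SLAPTEST" -f "$conf" -F "$staging" >/dev/null 2>&1; then
        echo "slaptest rejected $conf; keeping existing $target" >&2
        rm -rf "$staging"
        return 1
    fi

    # 2. Give the daemon user ownership before the directory goes live.
    if [ -n "$LDAP_OWNER" ]; then
        if ! chown -R "$LDAP_OWNER:$LDAP_OWNER" "$staging"; then
            rm -rf "$staging"
            return 1
        fi
    fi

    # 3. Keep the old directory as a timestamped backup, then swap.
    if [ -d "$target" ]; then
        mv "$target" "$target.bak.$(date +%s)" || { rm -rf "$staging"; return 1; }
    fi
    mv "$staging" "$target"
}

# Usage on a CentOS host (then restart slapd):
#   regenerate_slapd_config /etc/openldap/slapd.conf /etc/openldap/slapd.d
```

mktemp creates the staging directory with mode 0700, which is fine once it is owned by the slapd user; if your distribution expects a different mode on slapd.d, add a chmod after the chown.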
Docker has become a popular way to host a single service for a specific purpose, and the OpenLDAP proxy fits this model perfectly. We therefore also show how to set up the OpenLDAP proxy with Docker and docker-compose. If you are not familiar with these tools, please read up on them first.
The steps for setting up the OpenLDAP proxy are:
- Create a directory named openldap_proxy (any name will do) and change into it.
- Create a Dockerfile with the following contents (this is just a sample):

```dockerfile
# Pull base image from authorized source
FROM centos:7
# Install the necessary packages for LDAP Proxy server
RUN yum install openldap openldap-clients openldap-servers -y
# Make necessary directories
RUN mkdir -p /root/openldap_proxy && \
    mkdir -p /root/openldap_proxy/tmp && \
    mkdir -p /root/openldap_proxy/data && \
    mkdir -p /root/openldap_proxy/data/certs
# Remove unneeded directories (slapd.conf is used instead of slapd.d)
RUN rm -rf /etc/openldap/slapd.d
# Copy files to container
COPY ./start.sh /root/openldap_proxy/start.sh
COPY ./slapd.conf /etc/openldap/slapd.conf
# Add execution permission
RUN chmod 755 /root
RUN chmod +x /root/openldap_proxy/start.sh
# Entry point
ENTRYPOINT ["/root/openldap_proxy/start.sh"]
```
- Save the Dockerfile.
- Put the slapd.conf file in the openldap_proxy directory and create a file named start.sh in openldap_proxy.
- In start.sh, put the following contents:

```bash
#!/bin/bash
# Resolve the directory this script lives in (/root/openldap_proxy in the image)
TOPDIR=$(dirname "$0")
cd "$TOPDIR" && TOPDIR=$PWD

# Generate a self-signed certificate for ldaps:// if one does not exist yet
DESTDIR="$TOPDIR/data/certs"
APP_FQDN=$(hostname -f)
[[ -d $DESTDIR ]] || mkdir -p "$DESTDIR"
if [[ ! -f $DESTDIR/ldap.crt ]]; then
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$DESTDIR/ldap.key" -out "$DESTDIR/ldap.crt" \
        -subj "/CN=$APP_FQDN/OU=TestOU/O=Organization/L=Location/ST=State/C=Country"
fi

# Hand over to the command passed in by docker-compose (the slapd invocation)
exec "$@"
```

- start.sh is the entry point of the Docker container; it is copied into the image and runs when the container starts. The script first generates a self-signed certificate, which the proxy uses if it serves LDAPS (SSL) requests, and then hands execution to the command passed to start.sh, which will be the command option in the docker-compose.yml created later.
- Build a Docker image named my_openldap_proxy:

```shell
docker build -t my_openldap_proxy .
```

- Next, go up one level from the openldap_proxy directory (cd ../).
- Create a docker-compose.yml file with the following contents:

```yaml
my_openldap_proxy:
  image: my_openldap_proxy:latest
  container_name: my_openldap_proxy
  ports:
    - '389:389'
    - "636:636"
  volumes:
    - shared_data:/root/openldap_proxy/data
  command: bash -l -c "cd /root/openldap_proxy && /usr/sbin/slapd -h 'ldap:/// ldapi:/// ldaps:///' -g ldap -u ldap -d 2"
```

- Save it and then run the `docker-compose up -d` command. This creates the container if it does not exist yet and starts it in detached mode.
Those are the installation steps, and they are pretty easy. Some additional settings are needed if you want to add an SSL-enabled remote LDAP server to your configuration; we will cover them in a future post. Stay tuned.
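The certificate start.sh generates lives on the shared data volume and is reused on every restart, so it is worth being able to check it from the host: that ldap.key really belongs to ldap.crt, and how long the certificate remains valid before the ldaps:// listener starts failing handshakes. The functions below are an added example, not code from the original post; they create the same kind of self-signed certificate start.sh does and then run those two checks. The function names, the example FQDN and the 30-day threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): create the self-signed certificate
# the way start.sh does, then verify the key/certificate pair and its remaining
# lifetime with openssl. Directory, FQDN and day counts are caller-supplied.

# ensure_self_signed_cert <dir> <fqdn> [days]
# Creates dir/ldap.key and dir/ldap.crt only if the certificate does not exist yet.
ensure_self_signed_cert() {
    dir=$1 fqdn=$2 days=${3:-365}
    mkdir -p "$dir" || return 1
    [ -f "$dir/ldap.crt" ] && return 0
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/ldap.key" -out "$dir/ldap.crt" \
        -subj "/CN=$fqdn/OU=TestOU/O=Organization" >/dev/null 2>&1 || return 1
    # -nodes leaves the private key unencrypted; restrict it to the owner.
    chmod 600 "$dir/ldap.key"
}

# cert_matches_key <dir>
# Returns 0 if the public key inside ldap.crt equals the one derived from ldap.key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1/ldap.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/ldap.key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for_days <dir> <days>
# Returns 0 if ldap.crt will still be valid <days> from now, 1 if it expires sooner.
cert_valid_for_days() {
    openssl x509 -in "$1/ldap.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Usage inside the container, mirroring the paths start.sh uses:
#   ensure_self_signed_cert /root/openldap_proxy/data/certs "$(hostname -f)" 365
#   cert_matches_key /root/openldap_proxy/data/certs \
#       && cert_valid_for_days /root/openldap_proxy/data/certs 30 \
#       || echo "certificate problem, check the shared_data volume" >&2
```

Because the certificate is only generated when ldap.crt is missing, a container recreated after the 365 days keeps using the expired file; running cert_valid_for_days from a cron job or a health check catches that before clients do.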