Understanding LDAP deployment parameters
This section describes the steps required to implement the PAM and SSSD configuration with Connect:Direct UNIX to authenticate external user accounts through OpenLDAP.
- Updating the initparam file: When LDAP authentication is enabled, the container startup script automatically updates the initparam configuration to support the PAM module. The following line is added to initparam.cfg:
  ndm.pam:service=login
- The following packages are pre-installed in the container image to enable LDAP support: openldap-client, sssd, sssd-ldap, openssl-perl, authselect
- The following default configuration file (/etc/sssd/sssd.conf) is added to the image. You must replace the placeholder values (LDAP_PROTOCOL, LDAP_HOST, LDAP_PORT, LDAP_DOMAIN, LDAP_TLS_CERT_FILE, LDAP_TLS_KEY_FILE) with the values of the environment variables explained in the next section.
  [domain/default]
  id_provider = ldap
  autofs_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  ldap_uri = LDAP_PROTOCOL://LDAP_HOST:LDAP_PORT
  ldap_search_base = LDAP_DOMAIN
  ldap_id_use_start_tls = True
  ldap_tls_cacertdir = /etc/openldap/certs
  ldap_tls_cert = /etc/openldap/certs/LDAP_TLS_CERT_FILE
  ldap_tls_key = /etc/openldap/certs/LDAP_TLS_KEY_FILE
  cache_credentials = True
  ldap_tls_reqcert = allow
- Provide the following values as environment variables:
  Table 1. LDAP Deployment Parameters (environment variable: description)
  - LDAP_ENABLE: If “TRUE”, LDAP needs to be configured.
  - LDAP_HOST: Mandatory if “LDAP_ENABLE” is true (IP or hostname).
  - LDAP_PORT: Mandatory if “LDAP_ENABLE” is true.
  - LDAP_DOMAIN: Mandatory if “LDAP_ENABLE” is true (top-level domain to search).
  - LDAP_TLS: If “TRUE”, TLS is enabled; “LDAP_PROTOCOL” in the config file is set to LDAPS.
  - LDAP_CACERT: Mandatory if “LDAP_TLS” is true. Name of the CA certificate.
  - LDAP_ENABLE_CLNT_VAL: If “TRUE”, client validation is enabled.
  - LDAP_CLIENT_CERT: Mandatory if “LDAP_ENABLE_CLNT_VAL” is true. Name of the client certificate.
  - LDAP_CLIENT_KEY: Mandatory if “LDAP_ENABLE_CLNT_VAL” is true. Name of the client certificate key.
- Description of the certificates required for the configuration:
  - LDAP_CACERT: The root and all intermediate CA certificates need to be copied into one file.
  - LDAP_CLIENT_CERT: The client certificate, which the server must be able to validate.
  - LDAP_CLIENT_KEY: The client certificate key.
- Certificates creation and configuration: This external link provides a sample way to generate the certificates:
- Copy certificates to the container Docker image: Copy the certificates into the cdcert directory, where the Secure Plus certificate files were copied.
- DNS resolution: If TLS is enabled and the hostname of the LDAP server is passed in “LDAP_DOMAIN”, it must be ensured that the hostname resolves inside the container. This can be done as below:
  - --add-host: Use this option to update the /etc/hosts of the container with the domain and IP of the LDAP server. Note: It is the responsibility of the administrator to ensure that the LDAP server hostname is resolved inside the container.
- Sample environment file:
  LDAP_ENABLE=True
  LDAP_HOST=cddock-01
  LDAP_PORT=636
  LDAP_DOMAIN=dc=my-domain,dc=com
  LDAP_TLS=True
  LDAP_CACERT=cddockca.pem
  LDAP_ENABLE_CLNT_VAL=True
  LDAP_CLIENT_CERT=cddock01.pem
  LDAP_CLIENT_KEY=cddock01.key
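As an added example (not the container startup script or any Connect:Direct code), the following POSIX shell functions render the sssd.conf template shown earlier from the variables of such an env file and enforce the "mandatory if" rules of Table 1. The LDAP_* variable names are the page's own; the function names and the optional LDAP_TLS_REQCERT override are assumptions.

```shell
#!/bin/sh
# Added example (not the Connect:Direct startup script): render the sssd.conf
# template from the LDAP_* env-file variables and enforce the "mandatory if"
# rules of Table 1. LDAP_* names are from the page; the rest are assumptions.

# True for "TRUE"/"True"/"true" (the page uses both spellings).
is_true() {
  [ "$(printf '%s' "${1:-}" | tr '[:lower:]' '[:upper:]')" = "TRUE" ]
}

# Fail with a message when the named variable is unset or empty.
require_var() {
  eval "_v=\${$1:-}"
  [ -n "$_v" ] || { echo "missing mandatory variable: $1" >&2; return 1; }
}

# Apply the dependency rules from Table 1.
validate_ldap_params() {
  is_true "${LDAP_ENABLE:-}" || { echo "LDAP_ENABLE is not TRUE" >&2; return 1; }
  for _n in LDAP_HOST LDAP_PORT LDAP_DOMAIN; do require_var "$_n" || return 1; done
  if is_true "${LDAP_TLS:-}"; then require_var LDAP_CACERT || return 1; fi
  if is_true "${LDAP_ENABLE_CLNT_VAL:-}"; then
    for _n in LDAP_CLIENT_CERT LDAP_CLIENT_KEY; do require_var "$_n" || return 1; done
  fi
}

# Print the rendered [domain/default] section; LDAP_TLS selects the URI scheme.
render_sssd_conf() {
  validate_ldap_params || return 1
  if is_true "${LDAP_TLS:-}"; then _proto=ldaps; else _proto=ldap; fi
  # "allow" (the page's value) proceeds even if the server certificate is bad
  # or missing; "demand" rejects such sessions. Override via LDAP_TLS_REQCERT.
  cat <<EOF
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ${_proto}://${LDAP_HOST}:${LDAP_PORT}
ldap_search_base = ${LDAP_DOMAIN}
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cert = /etc/openldap/certs/${LDAP_CLIENT_CERT:-}
ldap_tls_key = /etc/openldap/certs/${LDAP_CLIENT_KEY:-}
cache_credentials = True
ldap_tls_reqcert = ${LDAP_TLS_REQCERT:-allow}
EOF
}
# Usage: . /home/<user>/env_file && render_sssd_conf > /etc/sssd/sssd.conf
```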
- Docker run command:
  docker run --cap-drop=ALL \
    --cap-add=FOWNER \
    --cap-add=SETUID \
    --cap-add=SETGID \
    --cap-add=DAC_OVERRIDE \
    --cap-add=CHOWN \
    --cap-add=IPC_OWNER \
    --cap-add=IPC_LOCK \
    --cap-add=SYS_CHROOT \
    --name=CD_CONTAINER_1 \
    --hostname=cdhost1 \
    --env-file=/home/<user>/env_file \
    --add-host=<LDAP Server domain>:<LDAP Server IP> \
    -v /home/<user>/config:/opt/cdfiles \
    -v /home/<user>/cdunix/cfg:/opt/cdunix/ndm/cfg \
    -v /home/<user>/cdunix/secure+:/opt/cdunix/ndm/secure+ \
    -v /home/<user>/cdunix/security:/opt/cdunix/ndm/security \
    -v /home/<user>/cdunix/work:/opt/cdunix/work \
    -v /home/<user>/Download:/opt/Download \
    -p 2363:1363 \
    -p 2364:1364 \
    -it -d <image_id>
- Validation of a successful LDAP configuration: The following commands should be executed inside the container and must return success for users that are not present inside the container but are present in the LDAP server:
  id <userid>
  getent passwd <userid>