Understanding LDAP deployment parameters

This section describes the steps required to configure PAM and SSSD with Connect:Direct UNIX so that external user accounts are authenticated through OpenLDAP.
  • Updating the initparam file: When LDAP authentication is enabled, the container startup script automatically updates the initparam configuration to support the PAM module. The following line is added to initparam.cfg:
  • The following packages are pre-installed in the container image to enable the LDAP support:
    openldap-client, sssd, sssd-ldap, openssl-perl, authselect
  • The following default configuration file (/etc/sssd/sssd.conf) is added to the image. You must replace the placeholder values (LDAP_DOMAIN, LDAP_TLS_CERT_FILE and LDAP_TLS_KEY_FILE) with the values of the environment variables explained in the next section.
    id_provider = ldap
    autofs_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_search_base = LDAP_DOMAIN
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_tls_cert = /etc/openldap/certs/LDAP_TLS_CERT_FILE
    ldap_tls_key = /etc/openldap/certs/LDAP_TLS_KEY_FILE
    cache_credentials = True
    ldap_tls_reqcert = allow
  • Provide the following values as environment variables:
    Table 1. LDAP Deployment Parameters
    Environment Variable    Description
    LDAP_ENABLE             If “TRUE”, LDAP is configured.
    LDAP_HOST               Mandatory if LDAP_ENABLE is “TRUE”. IP address or hostname of the LDAP server.
    LDAP_PORT               Mandatory if LDAP_ENABLE is “TRUE”. Port of the LDAP server.
    LDAP_DOMAIN             Mandatory if LDAP_ENABLE is “TRUE”. Top-level domain to search.
    LDAP_TLS                If “TRUE”, TLS is enabled and LDAP_PROTOCOL in the config file is set to LDAPS.
    LDAP_CACERT             Mandatory if LDAP_TLS is “TRUE”. Name of the CA certificate file.
    LDAP_ENABLE_CLNT_VAL    If “TRUE”, client validation is enabled.
    LDAP_CLIENT_CERT        Mandatory if LDAP_ENABLE_CLNT_VAL is “TRUE”. Name of the client certificate file.
    LDAP_CLIENT_KEY         Mandatory if LDAP_ENABLE_CLNT_VAL is “TRUE”. Name of the client certificate key file.
  • Description of the certificates required for the configuration:
    • Copy certificates to the container Docker image:
      • Copy the certificates into the cdcert directory, where the Secure Plus certificate files were copied.
    • DNS resolution: If TLS is enabled and the hostname of the LDAP server is passed in “LDAP_DOMAIN”, the hostname must be resolvable inside the container. One way to achieve this is:
      • --add-host: Use this option to update /etc/hosts of the container with the domain and IP of the LDAP server.
        Note: It is the responsibility of the administrator to ensure that the LDAP server hostname is resolved inside the container.
    • Certificate creation and configuration: The external link provides a sample way to generate the certificates. The following files are required:
      • LDAP_CACERT - The root and all intermediate CA certificates, concatenated into one file.
      • LDAP_CLIENT_CERT - The client certificate, which the server must be able to validate.
      • LDAP_CLIENT_KEY - The client certificate key.
  • Sample Environment file:
  • Docker run command:
    docker run --cap-drop=ALL \
        --cap-add=FOWNER \
        --cap-add=SETUID \
        --cap-add=SETGID \
        --cap-add=DAC_OVERRIDE \
        --cap-add=CHOWN \
        --cap-add=IPC_OWNER \
        --cap-add=IPC_LOCK \
        --cap-add=SYS_CHROOT \
        --name=CD_CONTAINER_1 \
        --hostname=cdhost1 \
        --env-file=/home/<user>/env_file \
        --add-host=<LDAP Server domain>:<LDAP Server IP> \
        -v /home/<user>/config:/opt/cdfiles \
        -v /home/<user>/cdunix/cfg:/opt/cdunix/ndm/cfg \
        -v /home/<user>/cdunix/secure+:/opt/cdunix/ndm/secure+ \
        -v /home/<user>/cdunix/security:/opt/cdunix/ndm/security \
        -v /home/<user>/cdunix/work:/opt/cdunix/work \
        -v /home/<user>/Download:/opt/Download \
        -p 2363:1363 \
        -p 2364:1364 \
        -it -d <image_id>
  • Validation of a successful LDAP configuration: Run the following commands inside the container. They should succeed for users that do not exist inside the container but are present in the LDAP server:
    id <userid>
    getent passwd <userid>
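Before running the container, the "Mandatory if ..." dependencies in Table 1 and the placeholder substitution in the sample sssd.conf can be checked from the shell. The script below is an added example, not part of the Connect:Direct documentation or the container's startup script; it assumes that LDAP_CLIENT_CERT and LDAP_CLIENT_KEY are what fill LDAP_TLS_CERT_FILE and LDAP_TLS_KEY_FILE, and its host and file names are constructed placeholders.

```shell
# Added example (not from the Connect:Direct documentation): validates a docker
# --env-file against Table 1, shows the sssd.conf lines the placeholders expand
# to, and flags ldap_tls_reqcert = allow. The LDAP_CLIENT_CERT/KEY ->
# LDAP_TLS_CERT_FILE/LDAP_TLS_KEY_FILE mapping is an assumption.

# Value of KEY in env file FILE (last definition wins); empty when unset.
envval() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Succeed if VAR is set in FILE, else report that FLAG=TRUE makes it mandatory.
need() {
    [ -n "$(envval "$1" "$3")" ] && return 0
    echo "error: $1 is mandatory when $2 is TRUE" >&2
    return 1
}

# Return 0 if FILE satisfies Table 1, 1 if any mandatory variable is missing.
check_ldap_env() {
    f=$1 rc=0
    [ "$(envval LDAP_ENABLE "$f")" = "TRUE" ] || return 0   # LDAP not configured
    for v in LDAP_HOST LDAP_PORT LDAP_DOMAIN; do need "$v" LDAP_ENABLE "$f" || rc=1; done
    [ "$(envval LDAP_TLS "$f")" != "TRUE" ] || need LDAP_CACERT LDAP_TLS "$f" || rc=1
    if [ "$(envval LDAP_ENABLE_CLNT_VAL "$f")" = "TRUE" ]; then
        for v in LDAP_CLIENT_CERT LDAP_CLIENT_KEY; do need "$v" LDAP_ENABLE_CLNT_VAL "$f" || rc=1; done
    fi
    return "$rc"
}

# Print the sssd.conf lines that the placeholders LDAP_DOMAIN,
# LDAP_TLS_CERT_FILE and LDAP_TLS_KEY_FILE expand to for env file FILE.
render_sssd_lines() {
    printf 'ldap_search_base = %s\n' "$(envval LDAP_DOMAIN "$1")"
    printf 'ldap_tls_cert = /etc/openldap/certs/%s\n' "$(envval LDAP_CLIENT_CERT "$1")"
    printf 'ldap_tls_key = /etc/openldap/certs/%s\n' "$(envval LDAP_CLIENT_KEY "$1")"
}

# Return 1 if sssd.conf FILE still has ldap_tls_reqcert = allow: with "allow" SSSD
# keeps the session even when the server certificate cannot be verified, so the
# server is not authenticated; "demand" rejects such servers.
reqcert_is_strict() { ! grep -Eq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*allow' "$1"; }

# Demo with a constructed env file (placeholder host and file names).
demo=$(mktemp)
printf '%s\n' LDAP_ENABLE=TRUE LDAP_HOST=ldap.example.test LDAP_PORT=636 \
    LDAP_DOMAIN=dc=example,dc=test LDAP_TLS=TRUE LDAP_CACERT=ca-chain.pem \
    LDAP_ENABLE_CLNT_VAL=TRUE LDAP_CLIENT_CERT=cdclient.pem LDAP_CLIENT_KEY=cdclient.key >"$demo"
if check_ldap_env "$demo"; then render_sssd_lines "$demo"; fi
rm -f "$demo"
```

Run it against the env file passed to --env-file before starting the container; a non-zero exit from check_ldap_env means the table's mandatory variables are incomplete.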