Docker image for OpenLDAP support

The ibmcom/isam-openldap image extends the osixia/openldap Docker image by adding the Security Access Manager "secAuthority=Default" schema and suffix to the registry. This image can be used to quickly build a user registry for use with Security Access Manager.

Instructions on the use of the osixia/openldap Docker image can be found at: https://github.com/osixia/docker-openldap.

Points to note

Some additional points to note about the extensions to the osixia/openldap Docker image include:

  • The secAuthority=Default suffix is stored in the "/var/lib/ldap.secAuthority" directory and so this should be added to the list of volumes of the osixia/openldap container.
  • Using the osixia/openldap-backup Docker container to back-up the user registry is not supported.
  • The secAuthority=Default suffix will contain the "cn=root,secAuthority=Default" administrative user. The password for the user will be set to the same value as the admin user of the osixia/openldap container (controlled by the LDAP_ADMIN_PASSWORD variable).
  • The user suffix is automatically determined from the LDAP_DOMAIN entry, where each element in the domain name is preceded by "dc". For example, if the LDAP_DOMAIN is set to ibm.com, the corresponding suffix will be "dc=ibm,dc=com".
  • The default value of the LDAP_TLS_VERIFY_CLIENT environment variable has been changed from 'required' to 'never'.
  • By default, the LDAP server will only listen on the LDAPS secure port (636) and will not listen on the LDAP unsecure port (389).

Additional environment variables

In addition to the standard osixia/openldap environment variables, the ibmcom/isam-openldap Docker image defines the following environment variables:

Table 1. Additional environment variables of the ibmcom/isam-openldap image

  Name                  Description
  LDAP_ENABLE_PORT_389  By default, the OpenLDAP server will only listen on the secure 636 port. If you want the OpenLDAP server to also listen on the unsecure 389 port, this environment variable must be set to the value 'true'.

Usage

Quick start

To start a container with the defaults, execute the command:

docker run --name isam-openldap --detach ibmcom/isam-openldap:latest

However, a more complete command, which would specify the volumes, ports and standard environment variables, could be:

docker run --hostname isam.openldap --name isam.openldap \
--detach \
--publish 636:636 \
--volume /var/lib/ldap \
--volume /etc/ldap/slapd.d \
--volume /var/lib/ldap.secAuthority \
--env LDAP_DOMAIN=ibm.com \
--env LDAP_ADMIN_PASSWORD=passw0rd \
--env LDAP_CONFIG_PASSWORD=passw0rd \
ibmcom/isam-openldap:latest
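The following script is an added example; it is not part of the ibmcom/isam-openldap documentation or the image's own tooling. It derives the user suffix from LDAP_DOMAIN the way the "Points to note" describe (for any number of domain labels), assembles the docker run command above with named volumes for all three state directories, including the easily forgotten /var/lib/ldap.secAuthority, publishes port 389 only when LDAP_ENABLE_PORT_389 is set, and prints the ldapsearch calls that confirm both suffixes are served. The image name, paths and variable names come from this page; the volume names, the container hostname, the cn=admin administrative DN for the user suffix (osixia's convention) and the ldapsearch invocations are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ibmcom/isam-openldap documentation.
# Image name, paths and variable names come from the page; the named
# volumes, the hostname and the cn=admin DN are assumptions made here.

# ibm.com -> dc=ibm,dc=com (works for any number of labels).
domain_to_suffix() {
    domain="$1"
    suffix=""
    old_ifs="$IFS"
    IFS='.'
    for part in $domain; do
        [ -n "$part" ] || continue          # tolerate a trailing dot or ".."
        if [ -z "$suffix" ]; then
            suffix="dc=$part"
        else
            suffix="$suffix,dc=$part"
        fi
    done
    IFS="$old_ifs"
    printf '%s\n' "$suffix"
}

# build_run_command <domain> <enable_389>: print (do not run) the command.
build_run_command() {
    domain="$1"
    enable_389="$2"
    cmd="docker run --hostname isam.openldap --name isam.openldap --detach"
    cmd="$cmd --publish 636:636"
    # The unsecure port stays closed unless LDAP_ENABLE_PORT_389=true is set,
    # so it is only published in that case.
    if [ "$enable_389" = "true" ]; then
        cmd="$cmd --publish 389:389 --env LDAP_ENABLE_PORT_389=true"
    fi
    # Named volumes (assumed names) for the two standard osixia directories
    # plus the ibmcom extension that holds the secAuthority=Default suffix.
    cmd="$cmd --volume isam-ldap-data:/var/lib/ldap"
    cmd="$cmd --volume isam-ldap-config:/etc/ldap/slapd.d"
    cmd="$cmd --volume isam-ldap-secauth:/var/lib/ldap.secAuthority"
    cmd="$cmd --env LDAP_DOMAIN=$domain"
    # Passing only the names makes docker read the values from the caller's
    # environment, so the passwords stay out of shell history and ps output.
    cmd="$cmd --env LDAP_ADMIN_PASSWORD --env LDAP_CONFIG_PASSWORD"
    cmd="$cmd ibmcom/isam-openldap:latest"
    printf '%s\n' "$cmd"
}

# suffix_check_command <domain>: ldapsearch calls for both suffixes.
# ca.crt is the CA that signed the server certificate (see the TLS section).
suffix_check_command() {
    user_suffix=$(domain_to_suffix "$1")
    printf 'LDAPTLS_CACERT=ca.crt ldapsearch -H ldaps://isam.openldap:636 -D cn=root,secAuthority=Default -W -b secAuthority=Default -s base\n'
    printf 'LDAPTLS_CACERT=ca.crt ldapsearch -H ldaps://isam.openldap:636 -D cn=admin,%s -W -b %s -s base\n' "$user_suffix" "$user_suffix"
}

# Stand-alone run: show the command for the values in the environment, or
# the page's example domain, so it can be reviewed before being executed.
build_run_command "${LDAP_DOMAIN:-ibm.com}" "${LDAP_ENABLE_PORT_389:-false}"
suffix_check_command "${LDAP_DOMAIN:-ibm.com}"
```

Export LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD in the calling shell before running the printed command; docker picks them up from the environment. The two ldapsearch base-scope queries each return exactly one entry when the corresponding suffix is configured, which makes them a quick post-start check that the secAuthority volume was mounted and the user suffix was derived as expected.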

TLS

By default, the image will automatically generate a TLS certificate when the container is first started. The CN for the certificate is obtained from the container hostname.

If you want to provide your own certificates, they should be made available to the container at initialization within the /container/service/slapd/assets/certs directory. The following files reside within this directory:

Table 2. Files in the /container/service/slapd/assets/certs directory

  Filename   Description
  ldap.cert  The server certificate to be used.
  ldap.key   The private key for the server certificate.
  ca.crt     The certificate for the trusted certificate authority, used to validate certificates that are presented to the LDAP server (that is, mutual authentication).

If you want to create your own self-signed server certificate, you can do so using OpenSSL. For example:

openssl req -x509 -newkey rsa:4096 -keyout ldap.key -out ldap.cert \
-days 365 -nodes \
-subj "/C=AU/ST=Queensland/L=Gold Coast/O=IBM/CN=isam-openldap"
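Going a step beyond the self-signed certificate above, the following script is an added example (not the image's own tooling and not from this page) that creates a small private CA, issues a CA-signed server certificate whose CN and SAN match the container hostname, writes the three files with the names from Table 2, and checks that the chain validates and that the private key matches the certificate. The CA subject, the directory layout and the CERTS_DIR, CA_DIR and LDAP_HOST variables are assumptions; the file names and the certs directory come from the page.

```shell
#!/bin/sh
# Added example, not part of the ibmcom/isam-openldap documentation.
# The CA private key is kept in a separate directory that is never mounted
# into the container; only ca.crt, ldap.cert and ldap.key go into certs-dir.

# make_ldap_certs <ca-dir> <certs-dir> <hostname>
make_ldap_certs() {
    ca_dir="$1"; certs_dir="$2"; host="$3"
    mkdir -p "$ca_dir" "$certs_dir" || return 1
    # Minimal OpenSSL config so the CA flags do not depend on the system's
    # default openssl.cnf (assumed CA name).
    cat > "$ca_dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example
CN = Example LDAP CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Private CA. Only ca.crt leaves this directory.
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -config "$ca_dir/ca.cnf" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" >/dev/null 2>&1 || return 1
    # 2. Server key and CSR. The CN is the container hostname, which is what
    #    the image itself uses when it generates its own certificate.
    openssl req -new -newkey rsa:4096 -sha256 -nodes \
        -config "$ca_dir/ca.cnf" -subj "/O=Example/CN=$host" \
        -keyout "$certs_dir/ldap.key" -out "$certs_dir/ldap.csr" >/dev/null 2>&1 || return 1
    # 3. Sign with the CA and add a SAN: clients match the hostname against
    #    the SAN, not the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$certs_dir/san.ext"
    openssl x509 -req -sha256 -days 365 -in "$certs_dir/ldap.csr" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -extfile "$certs_dir/san.ext" -out "$certs_dir/ldap.cert" \
        >/dev/null 2>&1 || return 1
    # 4. ca.crt is also the trust anchor the image uses for client
    #    certificates, so copy it in; the CA key and scaffolding stay out.
    cp "$ca_dir/ca.crt" "$certs_dir/ca.crt" || return 1
    rm -f "$certs_dir/ldap.csr" "$certs_dir/san.ext"
    chmod 600 "$ca_dir/ca.key" "$certs_dir/ldap.key"
}

# verify_ldap_certs <certs-dir>: the chain validates and the key matches.
verify_ldap_certs() {
    certs_dir="$1"
    openssl verify -CAfile "$certs_dir/ca.crt" "$certs_dir/ldap.cert" \
        >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$certs_dir/ldap.cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$certs_dir/ldap.key" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: set CERTS_DIR (and optionally CA_DIR and LDAP_HOST) to
# generate and check a set of files for the container's certs directory.
if [ -n "${CERTS_DIR:-}" ]; then
    make_ldap_certs "${CA_DIR:-./private-ca}" "$CERTS_DIR" "${LDAP_HOST:-isam.openldap}" \
        && verify_ldap_certs "$CERTS_DIR"
fi
```

Mount the resulting certs directory at /container/service/slapd/assets/certs and point clients at the same ca.crt (for example with LDAPTLS_CACERT). Because ca.crt is also what the server uses to validate certificates presented by clients, put only a CA you control there; the CA key itself never needs to be on the LDAP host.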

License

The Dockerfile and associated scripts are licensed under the Apache License 2.0 license.

Supported Docker versions

  • This image is officially supported on Docker version v17 and later.
  • Support for older versions is provided on a best-effort basis.

Community support

If you are a licensed IBM customer, you can request support through the official IBM support channel. However, IBM does not provide support for the official osixia/openldap Docker image.

Community support is also available for this image via the DeveloperWorks communities. Both DeveloperWorks Answers and the DeveloperWorks IBM Security Identity and Access Management Forum are vibrant communities.

Supported tags

Table 3. Supported tags

  Tag      Purpose
  latest   The latest stable version.
  V.R.M.F  A particular release, of the format {version}.{release}.{modification}.{fixpack}. For example, 9.0.4.0.