
Create an LDAP Server Quickly – And add a few users and a group

In this article, we’re going to spin up a quick LDAP server using a Docker image, then check from the CLI that we can bind to it and browse the directory. We’ll leave it there, but you can point any LDAP tool at it to manage it.

Create a “docker-compose.yml” file as follows (the keys under the “openldap” service must be indented one level deeper than the service name, otherwise Compose rejects the file):

networks:
  my-network:
    driver: bridge
services:
  openldap:
    image: bitnami/openldap:2
    ports:
      - '389:1389'
      - '636:1636'
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user01,user02
      - LDAP_PASSWORDS=userpass1,userpass2
      - LDAP_ROOT=dc=example,dc=org
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=org
    networks:
      - my-network
    volumes:
      - 'openldap_data:/bitnami/openldap'
volumes:
  openldap_data:
    driver: local

Two things to be aware of before starting it. The admin and user passwords sit in the file in cleartext, and both ports are published on every interface of the host. Port 636 is published, but this file does not enable TLS (the Bitnami image needs LDAP_ENABLE_TLS and certificate files for that), so every bind in this article, the admin bind included, crosses port 389 unencrypted. On a shared host, publish only on loopback, for example '127.0.0.1:389:1389', and use passwords other than the ones shown here.

Start the container:

docker-compose up -d

(With the Compose v2 plugin the command is “docker compose up -d”.)

Confirm:

docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7a55f5fb9565 bitnami/openldap:2 "/opt/bitnami/script…" 14 minutes ago Up 14 minutes 0.0.0.0:389->1389/tcp, :::389->1389/tcp, 0.0.0.0:636->1636/tcp, :::636->1636/tcp docker_openldap_1

Now you should see the following ports open:

netstat -na | egrep '389|636'
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN

Now test that we can browse the LDAP directory:

ldapsearch -x -D "cn=admin,dc=example,dc=org" -W -H ldap://localhost -b "dc=example,dc=org"

With password: adminpassword

The -H URI form replaces the older -h host option, which OpenLDAP deprecated in 2.5. Note that -x is a simple bind over plain LDAP, so the admin password crosses the wire in the clear. A successful admin bind says nothing about the user accounts; to confirm that a user can authenticate, bind with that user’s DN and password (ldapwhoami is convenient for this).

The output will look like this:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.org
dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
ou: users

# user01, users, example.org
dn: cn=user01,ou=users,dc=example,dc=org
cn: User1
cn: user01
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user01
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user01

# user02, users, example.org
dn: cn=user02,ou=users,dc=example,dc=org
cn: User2
cn: user02
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user02
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user02

# readers, users, example.org
dn: cn=readers,ou=users,dc=example,dc=org
cn: readers
objectClass: groupOfNames
member: cn=user01,ou=users,dc=example,dc=org
member: cn=user02,ou=users,dc=example,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Two things to notice in that output. The userPassword values are written with a double colon, which in LDIF means the value is base64-encoded, and cGFzc3dvcmQx decodes to password1: the image stores the passwords from LDAP_PASSWORDS in cleartext, so the admin DN, and anyone else your access rules allow to read that attribute, has the passwords. The listing above was captured from a run where the user passwords were password1 and password2; with the compose file in this article you will see the base64 of userpass1 and userpass2 instead. Also note that the readers group the image creates is a groupOfNames, whose member values are full DNs.
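To work with that output programmatically, here is an added shell example (not from the original article) that extracts one attribute from LDIF on standard input and decodes the base64 values that LDIF marks with a double colon. The LDIF it runs against is a trimmed copy of two entries from the search result above, embedded as a string so the script runs without a server; the function name ldif_attr is my own.

```shell
#!/bin/sh
# Added example: pull one attribute out of LDIF (as printed by ldapsearch) and
# decode values that LDIF marks with "::" (base64). Runs against an embedded
# copy of two entries from the search output above, so no server is needed.

# Constructed sample: a trimmed copy of the user01 and readers entries above.
SAMPLE_LDIF='# user01, users, example.org
dn: cn=user01,ou=users,dc=example,dc=org
cn: user01
objectClass: inetOrgPerson
userPassword:: cGFzc3dvcmQx
uid: user01

# readers, users, example.org
dn: cn=readers,ou=users,dc=example,dc=org
cn: readers
objectClass: groupOfNames
member: cn=user01,ou=users,dc=example,dc=org
member: cn=user02,ou=users,dc=example,dc=org
'

# ldif_attr ATTR  (LDIF on stdin) -> every value of ATTR, one per line.
# "attr: value" is printed as-is, "attr:: base64" is decoded, and "#" comment
# lines are skipped. Attribute names are matched case-sensitively.
ldif_attr() {
  awk -v want="$1" '
    /^#/ { next }
    $1 == (want "::") { print "b64 " $2; next }
    $1 == (want ":")  { v = $0; sub(/^[^:]*: */, "", v); print "raw " v }
  ' | while IFS= read -r line; do
    case $line in
      "b64 "*) printf '%s' "${line#"b64 "}" | base64 -d; echo ;;
      "raw "*) printf '%s\n' "${line#"raw "}" ;;
    esac
  done
}

# Usage: decoding userPassword shows that it is stored in cleartext.
printf '%s' "$SAMPLE_LDIF" | ldif_attr userPassword   # prints: password1
printf '%s' "$SAMPLE_LDIF" | ldif_attr member
```

Feed it real output with “ldapsearch ... | ldif_attr uid”; because comment lines are skipped, -LLL is not required.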

Create a new group by populating a fresh “newgroup.ldif” file like this:

dn: cn=mygroup,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: mygroup
gidNumber: 10000
description: My group of users

And issue this command to create the new group in LDAP (enter the admin password when prompted):

ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f newgroup.ldif

Now add one of the users to the new group. Put the following in a second file, here called “addmember.ldif” (keep newgroup.ldif as it is so you can recreate the group later):

dn: cn=mygroup,dc=example,dc=org
changetype: modify
add: memberUid
memberUid: user01

Apply it with ldapmodify. ldapadd is simply ldapmodify -a and also accepts this file, because the explicit “changetype: modify” overrides its default of add, but ldapmodify says what is actually happening:

ldapmodify -x -D "cn=admin,dc=example,dc=org" -W -f addmember.ldif

Because mygroup is a posixGroup, membership is a bare uid string in memberUid, unlike the readers group the image created, which is a groupOfNames whose member values are full DNs. Applications differ in which of the two they understand, so choose the object class to match whatever will consume the group.

Now confirm that the user is a member of the new group:

ldapsearch -W -x -D "cn=admin,dc=example,dc=org" -H ldap://localhost -b "cn=mygroup,dc=example,dc=org" "(cn=mygroup)" memberUid

You should see output similar to this (reduced for simplicity):

# mygroup, example.org
dn: cn=mygroup,dc=example,dc=org
memberUid: user01

At this point we’re done. You’ve created an LDAP server, populated it with a few users, created a group, and added a user to the new group.

BONUSES

The following LDIF, applied with ldapmodify in the same way as the membership change above, resets a user’s password. Written like this the new value is stored exactly as given, in cleartext: slapd does not hash values written through ldapmodify, it only hashes passwords set via the Password Modify extended operation, which is what ldappasswd uses. Prefer ldappasswd, or put a pre-hashed value (for example one generated with slappasswd) on the userPassword line instead of the plain text:

dn: cn=user01,ou=users,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: password1
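As an added example that is not part of the article, the following POSIX shell functions build a salted SHA-1 ({SSHA}) userPassword value in the format slappasswd produces, verify a password against such a value, and emit the reset LDIF above with the hash in place of the cleartext. They need only sha1sum, base64, od, cut, tr, head and awk; the function names, and the fixed salt used in the test, are my own choices.

```shell
#!/bin/sh
# Added example: {SSHA} userPassword values without slappasswd.
# Stored format: "{SSHA}" + base64( sha1(password || salt) || salt )
# Needs only POSIX sh plus sha1sum, base64, od, tr, cut, head and awk.

# hex2bin: hex string on stdin -> raw bytes on stdout.
# awk turns each byte into a printf octal escape (\ddd), which POSIX printf
# understands, so neither xxd nor bash-only \x escapes are needed.
hex2bin() {
  fmt=$(awk '{
    h = "0123456789abcdef"; s = tolower($0)
    for (i = 1; i <= length(s); i += 2)
      printf "\\%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1
  }')
  printf "$fmt"
}

# ssha_hash PASSWORD [SALT] -> "{SSHA}..."
# SALT defaults to 8 random printable characters (any bytes are valid; printable
# ones keep the value shell-safe). Pass a fixed SALT only in tests.
ssha_hash() {
  salt=${2:-$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 8)}
  digest_hex=$(printf '%s%s' "$1" "$salt" | sha1sum | cut -c1-40)
  printf '{SSHA}%s' "$( { printf '%s' "$digest_hex" | hex2bin; printf '%s' "$salt"; } | base64 | tr -d '\n')"
}

# ssha_verify HASH PASSWORD -> exit 0 on match, 1 on mismatch, 2 if HASH is not {SSHA}.
# The salt is everything after the 20-byte digest in the decoded value; it is
# streamed straight into sha1sum so binary salts (as slappasswd makes) survive.
ssha_verify() {
  case $1 in '{SSHA}'*) ;; *) return 2 ;; esac
  raw=$(printf '%s' "$1" | cut -c7- | base64 -d | od -An -tx1 -v | tr -d ' \n')
  stored=$(printf '%s' "$raw" | cut -c1-40)
  computed=$( { printf '%s' "$2"; printf '%s' "$raw" | cut -c41- | hex2bin; } | sha1sum | cut -c1-40)
  [ "$computed" = "$stored" ]
}

# reset_ldif UID PASSWORD -> the modify LDIF above, carrying a hashed value,
# because slapd stores whatever ldapmodify writes into userPassword verbatim.
reset_ldif() {
  printf 'dn: cn=%s,ou=users,dc=example,dc=org\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
    "$1" "$(ssha_hash "$2")"
}

# Usage: hash a password, check it both ways, then print the LDIF to feed ldapmodify.
h=$(ssha_hash 'password1')
ssha_verify "$h" 'password1' && echo "match"
ssha_verify "$h" 'wrong'     || echo "no match"
reset_ldif user01 'password1'
```

Pipe the reset_ldif output into “ldapmodify -x -D "cn=admin,dc=example,dc=org" -W” and slapd will store the {SSHA} value; a later simple bind with the cleartext password still succeeds, because slapd recognises the scheme prefix and compares the hashes.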

Here’s a little script to return all users from the “ou=users” container. It filters on objectClass=inetOrgPerson so that group entries such as cn=readers, which also live under ou=users, are left out, and it uses -LLL to drop the comment lines so only attribute lines are left to parse.

#!/bin/bash
# List the uid of every person entry under ou=users (prompts for the admin password).
ldapsearch -LLL -x -H ldap://localhost \
  -D "cn=admin,dc=example,dc=org" -W \
  -b "ou=users,dc=example,dc=org" "(objectClass=inetOrgPerson)" uid \
  | awk '/^uid: / { print $2 }'
