In this article, we’re going to spin up a quick LDAP server using a Docker image. We’re going to test that a user can authenticate to it using the CLI. We’ll leave it there, but you can point any LDAP tool to it to manage it.
Create a “docker-compose.yml” file as follows:
networks:
  my-network:
    driver: bridge
services:
  openldap:
    image: bitnami/openldap:2
    ports:
      - '389:1389'
      - '636:1636'
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user01,user02
      - LDAP_PASSWORDS=userpass1,userpass2
      - LDAP_ROOT=dc=example,dc=org
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=org
    networks:
      - my-network
    volumes:
      - 'openldap_data:/bitnami/openldap'
volumes:
  openldap_data:
    driver: local
Start the container:
docker-compose up -d
Confirm:
docker ps
CONTAINER ID   IMAGE                COMMAND                  CREATED          STATUS          PORTS                                                                                NAMES
7a55f5fb9565   bitnami/openldap:2   "/opt/bitnami/script…"   14 minutes ago   Up 14 minutes   0.0.0.0:389->1389/tcp, :::389->1389/tcp, 0.0.0.0:636->1636/tcp, :::636->1636/tcp   docker_openldap_1
Now you should see the following ports open:
netstat -na | egrep '389|636'
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
Now test that we can browse the LDAP directory:
ldapsearch -x -D "cn=admin,dc=example,dc=org" -W -h localhost -b "dc=example,dc=org"
Enter the admin password (adminpassword) when prompted.
The output will look like this:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: example

# users, example.org
dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
ou: users

# user01, users, example.org
dn: cn=user01,ou=users,dc=example,dc=org
cn: User1
cn: user01
sn: Bar1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQx
uid: user01
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user01

# user02, users, example.org
dn: cn=user02,ou=users,dc=example,dc=org
cn: User2
cn: user02
sn: Bar2
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: cGFzc3dvcmQy
uid: user02
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user02

# readers, users, example.org
dn: cn=readers,ou=users,dc=example,dc=org
cn: readers
objectClass: groupOfNames
member: cn=user01,ou=users,dc=example,dc=org
member: cn=user02,ou=users,dc=example,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
Create a new group by populating a fresh “newgroup.ldif” file like this:
dn: cn=mygroup,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: mygroup
gidNumber: 10000
description: My group of users
And issue this command to create the new group in LDAP (enter the admin password when prompted):
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f newgroup.ldif
Now add one of the users to the new group. Replace the contents of “newgroup.ldif” with the following:
dn: cn=mygroup,dc=example,dc=org
changetype: modify
add: memberUid
memberUid: user01
And issue the same “ldapadd” command as before; the LDIF file now carries a modify operation instead of a new entry:
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f newgroup.ldif
Now confirm the new user exists in the right group:
ldapsearch -W -x -D "cn=admin,dc=example,dc=org" -b "cn=mygroup,dc=example,dc=org" "(cn=mygroup)" memberUid
You should see output similar to this (reduced for simplicity):
# mygroup, example.org
dn: cn=mygroup,dc=example,dc=org
memberUid: user01
At this point we’re done. You’ve created an LDAP server, populated it with a few users, created a group, and added a user to the new group.
BONUSES
The following LDIF will reset a user's password (apply it with the same ldapadd command, pointing -f at the file):
dn: cn=user01,ou=users,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: password1
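Two things worth noticing in the steps above: the ldapsearch export shows userPassword:: cGFzc3dvcmQx, which is only base64 of a plaintext value, and the reset LDIF writes plaintext as well, so anyone who can read the attribute has the password. As an added example (not part of the original article), the following script parses ldapsearch-style LDIF (folded lines, "::" base64 values, comments), reports for each entry whether userPassword carries an RFC 2307 {SCHEME} prefix or is cleartext, and builds a {SSHA} value in the format slappasswd produces, which can be used in the reset LDIF instead of the plaintext. The sample input, the fixed salt and the function names are my own.

```python
import base64, hashlib, os

def parse_ldif(text):
    """Parse ldapsearch LDIF into [{attr: [values]}]: folds wrapped lines,
    decodes '::' base64 values and skips '#' comment lines."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and folded:   # leading space = continuation line
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, entry = [], {}
    for line in folded + [""]:               # sentinel flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # 'attr:: value' is base64-encoded
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(rest.strip())
    return entries

def storage_scheme(pw):
    """RFC 2307 '{SCHEME}' prefix of a userPassword value (e.g. 'SSHA'), else 'cleartext'."""
    return pw[1:pw.index("}")].upper() if pw.startswith("{") and "}" in pw else "cleartext"

def audit_passwords(ldif_text):
    """Map each entry DN to how its userPassword attribute is stored."""
    return {e.get("dn", ["?"])[0]: storage_scheme(pw)
            for e in parse_ldif(ldif_text) for pw in e.get("userPassword", [])}

def ssha_hash(password, salt=None):
    """{SSHA} value as slappasswd makes it: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + blob[20:]).digest() == blob[:20]

def sample_ldif():
    """Constructed sample: user01 as exported above, user02 with a hashed value (fixed salt)."""
    return ("# user01, users, example.org\ndn: cn=user01,ou=users,dc=example,dc=org\n"
            "userPassword:: cGFzc3dvcmQx\nuid: user01\n\ndn: cn=user02,ou=users,dc=example,dc=org\n"
            "userPassword: " + ssha_hash("userpass2", b"salt") + "\nuid: user02\n")
```

Feed the real ldapsearch output to audit_passwords() to see which accounts still hold cleartext values; alternatively, ldappasswd changes a password through the Password Modify extended operation, where the server applies its own configured hashing.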
Here’s a little script to return all users from the “ou=users” container. (The original looped over the unquoted search output word by word, which also matched the member: lines of the readers group and printed each user twice; asking only for the dn attribute of inetOrgPerson entries avoids that.)
#!/bin/bash
# List the users under ou=users. Binds as the admin DN and prompts for its
# password (-W). -LLL drops the comment and version lines from the output.
USERS=$(ldapsearch -x -LLL -D "cn=admin,dc=example,dc=org" -W -h localhost \
  -b "ou=users,dc=example,dc=org" "(objectClass=inetOrgPerson)" dn)
# Keep only the entry DNs, then reduce "cn=user01,ou=users,..." to "user01".
echo "${USERS}" | grep '^dn: cn=' | sed 's/^dn: cn=//' | cut -f1 -d','