osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

seeding additional ldif not working ? #433

Open sivanbecker opened 4 years ago

sivanbecker commented 4 years ago

hi,

I'm using docker-compose to create both containers, and simply running docker-compose up works fine. Once it's up, I can run docker exec -it .. and, inside the ldap container, run an ldapadd command using a custom ldif file I mounted into the container. The new entries are created and everything is great.

Now, if I understand correctly, if I mount my ldif file to a specific location in the container as described here, then once the container is up my custom entries should be automatically created (that is, if I use the "custom" location, not overwriting the default ldif).

For some reason I cannot do that. Mounting my ldif to the folder you suggest does not work and my ldap container fails. Here is the docker log for this container:

[image: screenshot of the docker log]

In my docker compose I used this under the ldap service: volumes:

What am I missing here?

obourdon commented 4 years ago

@sivanbecker, at first, it seems to me that you forgot to add the --copy-service argument, hence the Device or resource busy error message. This parameter is a MUST-HAVE, as stated in the documentation link you provided above.

Second, it is often considered good practice to specify mount paths as absolute and not ./XXX/... (even if the README still has some examples like this). Some Docker platforms like OSX do not even accept relative paths:

docker: Error response from daemon: create ./example/extend-osixia-openldap/bootstrap/ldif/billy.ldif: "./example/extend-osixia-openldap/bootstrap/ldif/billy.ldif" includes invalid characters for a local volume name, only "[a-zA-Z0-9][a-zA-Z0-9_.-]" are allowed. If you intended to pass a host directory, use absolute path.

Finally, you might also want to give name(s) to the mounted resource(s), which will enforce proper ordering, like in your case: ./ldif/dhcp_config.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_dhcp_config.ldif (01 file prefix added), because the startup.sh script will sort the files by their names here and here

HTH
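A way to check the ordering point before mounting anything, as an added example that is not part of this thread or of the osixia/docker-openldap project: a small POSIX shell dry run that lists the *.ldif files in plain name-sorted order, reports entries whose parent DN has not been created by an earlier file, shows which tool each file would go to, and rejects relative host paths. It assumes the startup script processes the custom directory in `find | sort` order and uses ldapmodify for files containing a changetype line and ldapadd for the rest; the sample files, their names and the dc=example,dc=org base DN are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from osixia/docker-openldap: predict how files mounted under
# bootstrap/ldif/custom would be processed, before starting the container.
# Assumptions: files are applied in plain name-sorted order (find | sort), and
# a file containing a "changetype:" line goes to ldapmodify, any other to ldapadd.

# List the *.ldif files below a directory in the order they would be applied.
bootstrap_order() {
    find "$1" -type f -name '*.ldif' | sort
}

# Print "modify" when the file carries a changetype line, "add" otherwise.
ldif_mode() {
    if grep -iq '^changetype:' "$1"; then echo modify; else echo add; fi
}

# Succeed for an absolute host path (or a named volume), fail for ./x or ../x,
# which some Docker platforms refuse in a bind mount.
host_path_ok() {
    case "$1" in
        ./*|../*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Walk the files in bootstrap order and print one line for every entry whose
# parent DN is neither the base DN ($2) nor created by an earlier entry.
# Simplification: the parent is everything after the first comma, so DNs with
# escaped commas are not handled.
order_check() {
    seen=$(mktemp)
    echo "$2" > "$seen"          # the base DN exists before the bootstrap runs
    for f in $(bootstrap_order "$1"); do
        grep -i '^dn:' "$f" | sed 's/^dn:[[:space:]]*//' | while IFS= read -r dn; do
            parent=${dn#*,}
            if ! grep -qxF "$parent" "$seen"; then
                echo "$f: $dn (parent not yet created: $parent)"
            fi
            echo "$dn" >> "$seen"
        done
    done
    rm -f "$seen"
}

# Show the tool that would be used for each file, in processing order.
dry_run() {
    for f in $(bootstrap_order "$1"); do
        echo "ldap$(ldif_mode "$f") $f"
    done
}

# Constructed sample: an OU and a child entry, with or without numeric prefixes.
# Prints the path of the temporary directory it created.
make_demo() {
    dir=$(mktemp -d)
    if [ "$1" = prefixed ]; then hosts=01_hosts; dhcp=02_dhcp_config
    else                          hosts=hosts;    dhcp=dhcp_config; fi
    printf 'dn: ou=hosts,dc=example,dc=org\nobjectClass: organizationalUnit\nou: hosts\n' \
        > "$dir/$hosts.ldif"
    printf 'dn: cn=dhcp,ou=hosts,dc=example,dc=org\nchangetype: add\nobjectClass: device\ncn: dhcp\n' \
        > "$dir/$dhcp.ldif"
    echo "$dir"
}

# Without prefixes dhcp_config.ldif sorts before hosts.ldif, so the child would
# be added before its parent; with 01_/02_ prefixes the order is right.
for kind in plain prefixed; do
    d=$(make_demo "$kind")
    echo "== $kind =="
    dry_run "$d"
    order_check "$d" 'dc=example,dc=org'
done
```

Point `order_check` at the host directory you intend to bind-mount, with your own base DN as the second argument; an empty result means every entry's parent is created earlier in the sorted sequence, which is the property the numeric prefixes are there to guarantee.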

gabrieletassoni commented 4 years ago

Hi, I'm looking for a solution to this same problem, or something which looks the same. I'm no expert at LDAP, so that could be the cause, but the logs of the docker image don't show errors on a file called proxy.ldif or on paths with custom as part of the path; it looks like it's completely skipped. I'm on version 1.3.0 of the image and trying to enable the translucent proxy module. I created an ldif file in my /home/dockers/persistence/ldap-data/bootstrap directory, which is bind mounted to /container/service/slapd/assets/config/bootstrap/ldif/custom/; the proxy.ldif file inside the directory has these lines inside it:

# Load the overlay and backend modules needed for a translucent proxy.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: translucent
olcModuleLoad: back_mdb
olcModuleLoad: rwm

# Attach the translucent overlay to the local mdb database.
dn: olcOverlay={0}translucent,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: {0}translucent
olcTranslucentLocal: uid
# structuralObjectClass is an operational attribute computed by slapd;
# supplying it in an add makes ldapadd reject the entry, so it is omitted here.

include: file:///etc/ldap/schema/nis.ldif

# Remote (ldap backend) database sitting behind the overlay.
dn: olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={2}mdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcTranslucentDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://REDACTED:389/dc=REDACTED,dc=com
# tls_reqcert=never skips certificate verification on the upstream connection.
olcDbACLBind: bindmethod=simple  timeout=0  network-timeout=0 binddn="REDACTED"  credentials="REDACTED"  tls_reqcert=never
olcDbIDAssertBind: bindmethod=simple  binddn="REDACTED" credentials="REDACTED"  mode=none  tls_reqcert=never
olcDbIDAssertAuthzFrom: {0}dn.regex:.*
olcDbRebindAsUser: TRUE

I know that maybe this ldif can be wrong, but not having errors in the log makes me clueless on the debug of the problem.

Here is, for reference, the docker_compose.yml, which has command: ["--copy-service", "--loglevel", "debug" ] in it:

version: '3.7'
services:
    openldap:
        image: osixia/openldap:1.3.0
        restart: always
        env_file:
            - ./.env
        container_name: "${LDAP_CONTAINER_NAME}"
        command: ["--copy-service", "--loglevel", "debug" ]
        environment:
            LDAP_LOG_LEVEL: "256"
            LDAP_ORGANISATION: "${LDAP_ORGANISATION}"
            LDAP_DOMAIN: "${LDAP_DOMAIN}"
            LDAP_BASE_DN: "${LDAP_BASE_DN}"
            LDAP_ADMIN_PASSWORD: "${LDAP_ADMIN_PASSWORD}"
            LDAP_CONFIG_PASSWORD: "${LDAP_CONFIG_PASSWORD}"
            LDAP_READONLY_USER: "true"
            LDAP_READONLY_USER_USERNAME: "${LDAP_READONLY_USER_USERNAME}"
            LDAP_READONLY_USER_PASSWORD: "${LDAP_READONLY_USER_PASSWORD}"
            LDAP_RFC2307BIS_SCHEMA: "true"
            LDAP_BACKEND: "mdb"
            LDAP_TLS: "true"
            LDAP_TLS_CRT_FILENAME: "ldap.crt"
            LDAP_TLS_KEY_FILENAME: "ldap.key"
            LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
            LDAP_TLS_ENFORCE: "false"
            LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
            LDAP_TLS_PROTOCOL_MIN: "3.1"
            LDAP_TLS_VERIFY_CLIENT: "demand"
            LDAP_REPLICATION: "false"
            #LDAP_REPLICATION_CONFIG_SYNCPROV: "binddn="cn=admin,cn=config" bindmethod=simple credentials=$LDAP_CONFIG_PASSWORD searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical"
            #LDAP_REPLICATION_DB_SYNCPROV: "binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials=$LDAP_ADMIN_PASSWORD searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical"
            #LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
            KEEP_EXISTING_CONFIG: "true"
            LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
            LDAP_SSL_HELPER_PREFIX: "ldap"
            TZ: 'Europe/Rome'
        tty: true
        stdin_open: true
        volumes:
            - $LDAP_DATA_PATH/ldap/:/var/lib/ldap/
            - $LDAP_DATA_PATH/slapd.d/:/etc/ldap/slapd.d/
            - $LDAP_DATA_PATH/certs/:/container/service/slapd/assets/certs/
            - $LDAP_DATA_PATH/bootstrap:/container/service/slapd/assets/config/bootstrap/ldif/custom
        ports:
            - "389:389"
            - "636:636"
        domainname: "${LDAP_HOSTNAME}" # important: same as hostname
        hostname: "${LDAP_HOSTNAME}"
        networks:
            - default
    ldap-user-manager:
        image: wheelybird/ldap-user-manager:v1.1
        restart: always
        env_file:
            - ./.env
        container_name: "${WEBUI_CONTAINER_NAME}"
        environment:
            LDAP_ADMINS_GROUP: "${WEBUI_LDAP_ADMINS_GROUP}"
            LDAP_BASE_DN: "${LDAP_BASE_DN}"
            LDAP_URI: "ldap://${LDAP_SERVER_ADDR}"
            LDAP_ADMIN_BIND_DN: "cn=admin,${LDAP_BASE_DN}"
            LDAP_ADMIN_BIND_PWD: "${LDAP_ADMIN_PASSWORD}"
            LDAP_REQUIRE_STARTTLS: "FALSE"
            EMAIL_DOMAIN: "${LDAP_DOMAIN}"
            SERVER_HOSTNAME: "${WEBUI_SERVER_HOSTNAME}"
            SITE_NAME: "${LDAP_ORGANISATION} Accounts Management"
            VIRTUAL_HOST: "${WEBUI_SERVER_HOSTNAME}" # For self management of nginx proxy_pass
            NO_HTTPS: "true"
        depends_on:
            - openldap
        networks:
            - default

networks:
    default:
        external:
            name: ${NETWORK}

Thank you for the help. Gabriele
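When the container log gives nothing to go on, an offline syntax check of the LDIF is the first thing to try. The following awk-based lint is an added example, not code from this thread or from the osixia/docker-openldap project: it reports records that do not begin with a dn: line, include: directives placed inside a record, lines that are not attribute: value pairs, and operational attributes such as structuralObjectClass, which slapd maintains itself and refuses in an add. The two sample files are constructed for the demo; the "bad" one repeats the structuralObjectClass line from the proxy.ldif above.

```shell
#!/bin/sh
# Added example, not from osixia/docker-openldap: an offline lint for LDIF files
# destined for bootstrap/ldif/custom. It checks record structure and flags
# attributes that ldapadd will refuse, so a bad file is caught before mounting.

# ldif_lint FILE  -> prints "FILE:LINE: message" per finding; the exit status is
# the number of findings (0 means clean).
ldif_lint() {
    awk -v file="$1" '
    BEGIN { n = 0; in_record = 0; has_dn = 0; start = 0 }
    function finding(line, msg) { print file ":" line ": " msg; n++ }
    function start_record()     { in_record = 1; has_dn = 0; start = NR }
    function end_record() {
        if (in_record && !has_dn) finding(start, "record does not begin with a dn: line")
        in_record = 0; has_dn = 0
    }
    /^#/            { next }                          # comment line
    /^[ \t]*$/      { end_record(); next }            # blank line ends a record
    /^include:/ {                                     # include: belongs between records
        if (in_record) finding(NR, "include: directive inside a record")
        next
    }
    /^version:/     { next }
    /^ / {                                            # folded continuation line
        if (!in_record) finding(NR, "continuation line outside a record")
        next
    }
    /^dn:/ {
        if (in_record) finding(NR, "second dn: in one record (missing blank line?)"); else start_record()
        has_dn = 1; next
    }
    /^[A-Za-z][A-Za-z0-9.;-]*:/ {                     # ordinary "attribute: value"
        if (!in_record) start_record()
        attr = tolower($0); sub(/:.*/, "", attr)
        if (attr ~ /^(structuralobjectclass|entryuuid|entrycsn|createtimestamp|modifytimestamp|creatorsname|modifiersname)$/)
            finding(NR, "operational attribute " attr " is managed by slapd; ldapadd rejects it")
        next
    }
    { finding(NR, "not an attribute: value line") }
    END { end_record(); exit n }
    ' "$1"
}

# Constructed samples; prints the path of a temporary file. "good" is a
# translucent-overlay config without operational attributes, "bad" carries the
# mistakes the lint is meant to catch.
make_sample() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: translucent

include: file:///etc/ldap/schema/nis.ldif

dn: olcOverlay={0}translucent,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: {0}translucent
olcTranslucentLocal: uid
EOF
    else
        cat > "$f" <<'EOF'
dn: olcOverlay={0}translucent,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: {0}translucent
olcTranslucentLocal: uid
structuralObjectClass: olcTranslucentConfig
include: file:///etc/ldap/schema/nis.ldif

objectClass: olcLDAPConfig
olcDatabase: {0}ldap
EOF
    fi
    echo "$f"
}

for kind in good bad; do
    f=$(make_sample "$kind")
    echo "== $kind =="
    ldif_lint "$f" || echo "findings: $?"
done
```

Run it as `ldif_lint /home/dockers/persistence/ldap-data/bootstrap/proxy.ldif`; because the exit status equals the number of findings, the call can gate a `docker-compose up` in a wrapper script. The lint only covers structure, not whether the DNs exist in cn=config, so a clean result still has to be followed by checking the debug log of the startup.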