{"id":32595184,"url":"https://github.com/dockopslab/ldap-sso-lab","last_synced_at":"2026-04-12T02:35:36.257Z","repository":{"id":320868035,"uuid":"1083603543","full_name":"dockopslab/ldap-sso-lab","owner":"dockopslab","description":"LDAP-first lab environment that wires OpenLDAP, Pocket ID, phpLDAPadmin, and a self-managed PKI via Docker Compose so you can prototype secure SSO flows end-to-end.","archived":false,"fork":false,"pushed_at":"2025-10-26T11:52:49.000Z","size":212,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-26T13:16:55.430Z","etag":null,"topics":["docker","docker-compose","ldap","openldap","phpldapadmin","pocket-id","sso"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dockopslab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-26T11:15:32.000Z","updated_at":"2025-10-26T11:57:35.000Z","dependencies_parsed_at":"2025-10-26T13:17:09.054Z","dependency_job_id":"0d796f07-6941-4cfc-9c70-b70f3b6c7dbf","html_url":"https://github.com/dockopslab/ldap-sso-lab","commit_stats":null,"previous_names":["dockopslab/ldap-sso-lab"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/dockopslab/ldap-sso-lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockopslab%2Fldap-sso-lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockopslab%2Fldap-sso-lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockopslab%2Fldap-sso-lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockopslab%2Fldap-sso-lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dockopslab","download_url":"https://codeload.github.com/dockopslab/ldap-sso-lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dockopslab%2Fldap-sso-lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31702580,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-11T21:17:31.016Z","status":"online","status_checked_at":"2026-04-12T02:00:06.763Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-compose","ldap","openldap","phpldapadmin","pocket-id","sso"],"created_at":"2025-10-30T03:33:18.187Z","updated_at":"2026-04-12T02:35:36.241Z","avatar_url":"https://github.com/dockopslab.png","language":"Shell","readme":"## ldap-sso-lab\n\nThis repository defines a self-contained lab for testing LDAP authentication flows with [Pocket ID](https://github.com/pocket-id/pocket-id) and future SSO providers. It provisions:\n\n- **OpenLDAP** pre-configured with TLS and optional sample data.\n- **phpLDAPadmin** to inspect and manage entries over HTTPS.\n- **Pocket ID** (OIDC provider) pre-wired to the LDAP directory.\n- **PKI helper** that issues an internal CA and per-service server certificates, renewing them automatically.\n\nEverything runs via Docker Compose, so you can iterate on schema, TLS, and IdP behavior locally or in an isolated environment.\n\n---\n\n### Repository Structure\n\n| Path | Purpose |\n| --- | --- |\n| `compose/ldap-sso-pocketid.yml` | Main Docker Compose definition for the stack. |\n| `env/` | Environment files (`*.env`) that drive container configuration; templates are committed, secrets are not. |\n| `dockerfile/` | Custom Dockerfiles for PKI, OpenLDAP, and the Pocket ID wrapper image. |\n| `scripts/` | Helper scripts used inside containers (PKI automation, entrypoints). |\n| `template/ldap-ldif/` | Example LDIF files to seed groups and users. |\n| `docs/` | Additional how-tos (Pocket ID integration notes, Synology guides, etc.). |\n| `docs/resources/` | Supporting screenshots referenced in the docs. |\n\n---\n\n### Prerequisites\n\n- Docker Engine 24+ and Docker Compose v2.\n- Make sure your user can access the Docker socket (or run commands with `sudo`).\n- Optional: `openssl` locally if you want to inspect the generated certificates.\n\n---\n\n### Configure Environment Variables\n\n1. Clone the repository and move into it:\n\n   ```sh\n   git clone https://github.com/dockopslab/ldap-sso-lab.git\n   cd ldap-sso-lab\n   ```\n\n2. Copy the provided template and tailor it to your deployment:\n\n   ```sh\n   cp env/ldap-pocketid-template.env env/ldap-pocketid.env\n   ```\n\n3. Open `env/ldap-pocketid.env` and review each section:\n\n   - **OpenLDAP**: Define `LDAP_DOMAIN`, admin credentials, ports, and TLS behavior. Set `LDAP_TLS_*` paths to `/certs/...` (they are mounted from the PKI container). Adjust base DN values to match your organization.\n   - **phpLDAPadmin**: Update `LDAP_HOST`, port, and bind credentials if you changed them above. Keep `LDAP_SSL=true` when using LDAPS.\n   - **Pocket ID**: Set `APP_URL`, `TRUST_PROXY`, and `MAXMIND_LICENSE_KEY` if geo-IP features are required.\n   - **PKI**: Customize `PKI_CA_SUBJECT` and the per-service SAN values. You can provide multiple DNS/IP entries by comma-separating them (e.g., `PKI_LDAP_SAN_DNS=ldap.example.local,ldap`). Keep the literal `,ldap` suffix so the certificate also covers the Docker hostname used by Pocket ID when dialing `ldaps://ldap:636`.\n   - **Tailscale (optional)**: Fill out the auth key and route settings if you plan to expose the stack over Tailscale.\n\n4. Keep `env/ldap-pocketid.env` out of version control. The `.gitignore` already excludes `env/*.env` files except templates.\n\n---\n\n### Certificate Management\n\nThe `pki` service (built from `dockerfile/pki.Dockerfile`) runs `scripts/pki-init.sh`, which:\n\n- Issues a long-lived internal CA (`ca.crt`/`ca.key`).\n- Creates per-service server certificates with SANs derived from `PKI_*` variables.\n- Tracks a hash of the CN/SAN configuration and automatically regenerates certificates when those values change or when renewal thresholds are reached.\n- Publishes compatibility symlinks (`ldap.crt`, `ldap.key`, `ldap-ca.crt`) consumed by OpenLDAP and Pocket ID.\n\nThe custom Pocket ID image (see `dockerfile/pocket-id.Dockerfile`) copies the CA bundle from `/certs/ca.crt` into the system trust store on startup, so its Go LDAP client trusts the internal PKI without manual steps.\n\n---\n\n### Build and Run\n\nFrom the repository root:\n\n```sh\n# Build custom images (PKI, OpenLDAP, Pocket ID wrapper)\ndocker compose -f compose/ldap-sso-pocketid.yml build\n\n# Start the full stack\ndocker compose -f compose/ldap-sso-pocketid.yml up -d\n\n# Tail logs for troubleshooting\ndocker compose -f compose/ldap-sso-pocketid.yml logs -f pki openldap pocket-id\n```\n\nVolumes defined in the compose file (`pki_certs`, `ldap_data`, `ldap_config`, `pocketid_data`) persist certificates, directory data, and Pocket ID state across restarts.\n\nTo update certificates after editing `PKI_*` variables, restart the PKI container and then restart the consumers:\n\n```sh\ndocker compose -f compose/ldap-sso-pocketid.yml up -d --force-recreate pki\ndocker compose -f compose/ldap-sso-pocketid.yml restart openldap pocket-id\n```\n\n---\n\n### Network Edge (NGINX / Ingress)\n\nPocket ID requires HTTPS with a valid domain in order to register passkeys and serve the OIDC endpoints. Deploy an external reverse proxy (e.g., NGINX Proxy Manager, Traefik, Caddy) that:\n\n- Terminates TLS for your public FQDN (e.g., `auth.example.com`) using certificates issued by a trusted CA (Let’s Encrypt, internal PKI, etc.).\n- Proxies traffic to the Pocket ID container (`pocket-id-ldap-sso:1411`), adding `X-Forwarded-*` headers so `TRUST_PROXY=true` works correctly.\n- Exposes phpLDAPadmin and any other management UI only over secure channels. When possible, keep administrative endpoints private (for example, publish them exclusively through the Tailscale container or another zero-trust tunnel instead of the public edge).\n\nEnsure DNS records point to the proxy and that the domain configured in `APP_URL` matches the URL users hit; otherwise passkey registration/login will fail.\n\n---\n\n### Seeding Directory Data\n\nUse the LDIF samples under `template/ldap-ldif/` as a starting point. You can apply them from the host once OpenLDAP is running, for example:\n\n```sh\ndocker compose -f compose/ldap-sso-pocketid.yml exec openldap \\\n  ldapadd -x -D \"cn=admin,dc=example,dc=local\" -W \\\n  -f /templates/ldap-ldif/inetOrgPerson.ldif\n```\n\nAdjust the bind DN and template path to align with your environment and mounts.\n\nYou can also upload those LDIF templates through phpLDAPadmin (`phpldapadmin-ldap-sso`) by using the *Import* feature inside the web UI, which is often more convenient for quick tweaks while iterating on the directory schema.\n\n---\n\n### Additional Guides\n\n| Guide | Description |\n| --- | --- |\n| [`docs/pocketid.md`](docs/pocketid.md) | Detailed Pocket ID configuration: reverse proxy, LDAP connector, claim mapping, and OIDC app setup. |\n| [`docs/synology.md`](docs/synology.md) | Steps to bind Synology DSM to the lab LDAP and enable SSO via Pocket ID. |\n\nFeel free to extend these documents with environment-specific steps or screenshots as you harden the stack for production use.\n\n---\n\n### Official References\n\n- [OpenLDAP Project](https://www.openldap.org/)\n- [phpLDAPadmin](https://github.com/leenooks/phpLDAPadmin)\n- [Pocket ID](https://github.com/pocket-id/pocket-id)\n- [Tailscale](https://tailscale.com/)\n- [NGINX Proxy Manager](https://nginxproxymanager.com/)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdockopslab%2Fldap-sso-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdockopslab%2Fldap-sso-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdockopslab%2Fldap-sso-lab/lists"}