{"id":19682901,"url":"https://github.com/worteks/docker-ldap","last_synced_at":"2026-05-14T00:41:47.985Z","repository":{"id":76091645,"uuid":"192699662","full_name":"Worteks/docker-ldap","owner":"Worteks","description":"OpenLDAP Docker Image","archived":false,"fork":false,"pushed_at":"2019-11-23T18:54:54.000Z","size":95,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-27T07:27:16.541Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Worteks.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-19T09:17:27.000Z","updated_at":"2023-06-25T12:28:19.000Z","dependencies_parsed_at":"2023-05-22T11:00:34.393Z","dependency_job_id":null,"html_url":"https://github.com/Worteks/docker-ldap","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Worteks/docker-ldap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Worteks%2Fdocker-ldap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Worteks%2Fdocker-ldap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Worteks%2Fdocker-ldap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Worteks%2Fdocker-ldap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Worteks","download_url":"https://codeload.github.com/Worteks/dock
er-ldap/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Worteks%2Fdocker-ldap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33005044,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T13:14:54.681Z","status":"ssl_error","status_checked_at":"2026-05-13T13:14:51.610Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T18:12:48.969Z","updated_at":"2026-05-14T00:41:47.978Z","avatar_url":"https://github.com/Worteks.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SweetLDAP\n\nTODO?: https://wiki.gnupg.org/LDAPKeyserver\n\nWsweet OpenLDAP image, customized for StatefulSet auto-configuration, providing\nwith schema update capabilities, embedding Wsweet custom schemas.\n\nWARNING: updates currently do not support LemonLDAP-NG site re-configuration.\nWhenever a service or virtualhost is added or reconfigured, we would have to\nupdate existing deployments configurations. 
FIXME / some llng cli magic may help\nhere.\n\nHistorically forked from openshift/openldap.\n\nBuild with:\n\n```\n$ make build\n```\n\nIf you want to try it quickly on your local machine after make, run:\n\n```\n$ make run\n```\n\nStart Demo or Cluster in OpenShift:\n\n```\n$ make ocdemo\n$ make ocprod\n```\n\nCleanup OpenShift assets:\n\n```\n$ make ocpurge\n```\n\nSchema Sources\n---------------\n\n - NextCloud cloudQuota: https://github.com/ValV/postfix-dovecot-ldap-schema/blob/master/postfix-dovecot.schema\n - BlueMind mailQuota: http://www.openldap.org/lists/openldap-technical/201007/msg00001.html\n - sshPubKey: https://github.com/AndriiGrytsenko/openssh-ldap-publickey/blob/master/misc/openssh-lpk-openldap.schema\n - FusionDirectory: https://github.com/fusiondirectory/fusiondirectory/tree/master/contrib/openldap\n - Qmail / unused: https://github.com/amery/qmail/blob/master/qmail.schema\n - Postfix / unused: https://github.com/ValV/postfix-dovecot-ldap-schema/blob/master/postfix-dovecot.schema\n\nCustom OIDs\n------------\n\n|  attribute OID                   | Name                                          | Description               | Equality           | Substring                    | Syntax                               | Single-Value | Introduced In | Last Patched |\n| :------------------------------- | --------------------------------------------- | ------------------------- | ------------------ | ---------------------------- | ------------------------------------ | ------------ | ------------- | ------------ |\n| `0.9.2342.19200300.100.1.3`      | `mail` `rfc822Mailbox`                        | RFC1274: RFC822 Mailbox   | caseIgnoreIA5Match | caseIgnoreIA5SubstringsMatch | `1.3.6.1.4.1.1466.115.121.1.26{256}` | Yes          | `0.0.0`       | `0.0.7`      |\n| `1.3.6.1.4.1.7914.1.2.1.5`       | `mailQuota` `mailQuotaSize`                   | Mail Storage User Quota   | caseExactMatch     | caseIgnoreSubstringsMatch    | `1.3.6.1.4.1.1466.115.121.1.44`    
  | Yes          | `0.0.0`       |              |\n| `1.3.6.1.4.1.24552.500.1.1.1.13` | `sshPublicKey`                                | OpenSSH Public key        | octetStringMatch   |                              | `1.3.6.1.4.1.1466.115.121.1.40`      | No           | `0.0.0`       |              |\n| `1.3.6.1.4.1.39430.1.1.1`        | `cloudQuota` `ownCloudQuota` `nextCloudQuota` | Cloud Storage User Quota  | caseExactMatch     | caseIgnoreSubstringsMatch    | `1.3.6.1.4.1.1466.115.121.1.44`      | Yes          | `0.0.0`       |              |\n| `1.3.6.1.4.1.39430.1.1.3`        | `mailBackupAddress`                           | User Backup Email Address | caseIgnoreIA5Match | caseIgnoreIA5SubstringsMatch | `1.3.6.1.4.1.1466.115.121.1.26{256}` | Yes          | `0.0.7`       |              |\n| `1.3.6.1.4.1.39430.1.1.4`        | `mailAlternateAddress`                        | Email Alias               | caseIgnoreIA5Match | caseIgnoreIA5SubstringsMatch | `1.3.6.1.4.1.1466.115.121.1.26{256}` | No           | `0.0.7`       |              |\n| `1.3.6.1.4.1.39430.1.1.5`        | `usedMailQuota`                               | Used Cloud Storage        | caseExactMatch     | caseIgnoreSubstringsMatch    | `1.3.6.1.4.1.1466.115.121.1.44`      | Yes          | `0.0.10`      |              |\n| `1.3.6.1.4.1.39430.1.1.6`        | `usedCloudQuota`                              | Used Mail Storage         | caseExactMatch     | caseIgnoreSubstringsMatch    | `1.3.6.1.4.1.1466.115.121.1.44`      | Yes          | `0.0.10`      |              |\n| `1.3.6.1.4.1.39430.1.1.7`        | `profileId`                                   | Wsweet Profile Id         | caseIgnoreMatch    | caseIgnoreSubstringsMatch    | `1.3.6.1.4.1.1466.115.121.1.15{40}`  | Yes          | `0.0.10`      |              |\n\n|  objectclass OID               | Name          | Must    | May                                                                                                                              
   | Auxiliary | Introduced In | Last Patched |\n| :----------------------------- | ------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------- | ------------- | ------------ |\n| `1.3.6.1.4.1.10098.1.2.1.19.6` | `gosaAccount` | `cn`    |                                                                                                                                     | Yes       | `0.0.9`       |              |\n| `1.3.6.1.4.1.39430.1.2.1`      | `sweetUser`   |         | `mailQuota` `nextCloudQuota` `sshPublicKey` `mailAlternateAddress` `mailBackupAddress` `usedMailQuota` `usedCloudQuota` `profileId` | Yes       | `0.0.0`       | `0.0.10`     |\n| `1.3.6.1.4.1.39430.1.1.2`      | `sweetGroup`  | `mail`  | `mailAlternateAddress`                                                                                                              | Yes       | `0.0.0`       | `0.0.7`      |\n\nEnvironment variables and volumes\n----------------------------------\n\nThe image recognizes the following environment variables that you can set during\ninitialization by passing `-e VAR=VALUE` to the Docker `run` command.\n\n|    Variable name                                |    Description                                | Default                                                             |\n| :---------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------- |\n|  `OPENLDAP_AUTHPROXY_PASSWORD`                  | OpenLDAP AuthProxy Password                   | `secret`                                                            |\n|  `OPENLDAP_BIND_LDAP_PORT`                      | OpenLDAP Plaintext Bind Port                  | `389`                                                               |\n|  `OPENLDAP_BIND_LDAPS_PORT`                     | OpenLDAP TLS Bind Port       
                 | `636`                                                               |\n|  `OPENLDAP_BLUEMIND_PASSWORD`                   | OpenLDAP BlueMind Password                    | `secret`                                                            |\n|  `OPENLDAP_CODIMD_PASSWORD`                     | OpenLDAP CodiMD Password                      | `secret`                                                            |\n|  `OPENLDAP_DEBUG_LEVEL`                         | OpenLDAP Server Debug Level                   | `256`                                                               |\n|  `OPENLDAP_DEMO_PASSWORD`                       | Password for OpenLDAP Demo Accounts           | unset, defining it toggles Demo Accounts creation                   |\n|  `OPENLDAP_DOKUWIKI_PASSWORD`                   | OpenLDAP DokuWiki Password                    | `secret`                                                            |\n|  `OPENLDAP_FUSION_PASSWORD`                     | OpenLDAP FusionDirectory Password             | `secret`                                                            |\n|  `OPENLDAP_GLOBAL_ADMIN_PASSWORD`               | Password for OpenLDAP Global Admin            | unset, defining it toggles Global Admin and default groups creation |\n|  `OPENLDAP_HOST_ENDPOINT`                       | OpenLDAP Endpoint configuring LemonLDAP       | `openldap`                                                          |\n|  `OPENLDAP_HOSTNAME`                            | OpenLDAP Hostname - testing replication       | Container hostname                                                  |\n|  `OPENLDAP_INIT_DEBUG_LEVEL`                    | OpenLDAP Server Bootstrap Debug Level         | `256`                                                               |\n|  `OPENLDAP_JENKINS_SAML_SIGNING_CERTIFICATE`    | Jenkins/LemonLDAP SAML Signing Certificate    | `x509data`                                                          |\n|  
`OPENLDAP_JENKINS_SAML_ENCRYPTION_CERTIFICATE` | Jenkins/LemonLDAP SAML Encryption Certificate | `x509data`                                                          |\n|  `OPENLDAP_LEMONLDAP_HTTPS`                     | LemonLDAP HTTPS Toggle                        | unset, defining it toggles HTTPS-related configuration              |\n|  `OPENLDAP_LEMONLDAP_PASSWORD`                  | OpenLDAP LemonLDAP Password                   | `secret`                                                            |\n|  `OPENLDAP_LEMONLDAP_SESSIONS_PASSWORD`         | OpenLDAP LemonLDAP Sessions Storage           | `secret`                                                            |\n|  `OPENLDAP_LEMON_HTTP_PORT`                     | OpenLDAP LemonLDAP Reload HTTP Port           | `8080`                                                              |\n|  `OPENLDAP_LEMON_SAML_ENC_PUBLIC_KEY`           | LemonLDAP SAML Encryption Public Key          | Generated on boot                                                   |\n|  `OPENLDAP_LEMON_SAML_ENC_PRIVATE_KEY`          | LemonLDAP SAML Encryption Private Key         | Generated on boot                                                   |\n|  `OPENLDAP_LEMON_SAML_SIG_PUBLIC_KEY`           | LemonLDAP SAML Signing Public Key             | Generated on boot                                                   |\n|  `OPENLDAP_LEMON_SAML_SIG_PRIVATE_KEY`          | LemonLDAP SAML Signing Private Key            | Generated on boot                                                   |\n|  `OPENLDAP_MEDIAWIKI_PASSWORD`                  | OpenLDAP MediaWiki Password                   | `secret`                                                            |\n|  `OPENLDAP_MONITOR_PASSWORD`                    | OpenLDAP Monitor Password                     | `secret`                                                            |\n|  `OPENLDAP_NEXTCLOUD_PASSWORD`                  | OpenLDAP NextCloud Password                   | `secret`              
                                              |\n|  `OPENLDAP_ORG_SHORT`                           | LemonLDAP Organization Name                   | Based on `OPENLDAP_ROOT_DOMAIN`, default produces `demo`            |\n|  `OPENLDAP_ROCKET_PASSWORD`                     | OpenLDAP Rocket Password                      | `secret`                                                            |\n|  `OPENLDAP_ROOT_DN_RREFIX`                      | OpenLDAP `olcRootDN` Prefix                   | `cn=admin`                                                          |\n|  `OPENLDAP_ROOT_DN_SUFFIX`                      | OpenLDAP `olcSuffix` Suffix                   | seds `OPENLDAP_ROOT_DOMAIN`, default produces `dc=demo,dc=local`    |\n|  `OPENLDAP_ROOT_DOMAIN`                         | Wsweet Endpoint Root Domain Name              | `demo.local`                                                        |\n|  `OPENLDAP_ROOT_PASSWORD`                       | OpenLDAP `olcRootPW` Password                 | `secret`                                                            |\n|  `OPENLDAP_SMTP_SERVER`                         | LemonLDAP SMTP relay                          | `smtp.demo.local`                                                   |\n|  `OPENLDAP_SSO_CLIENT_PASSWORD`                 | OpenLDAP Generic SSO/SAML Password            | `secret`                                                            |\n|  `OPENLDAP_SSP_CLIENT_PASSWORD`                 | OpenLDAP SelfServicePassword Password         | `secret`                                                            |\n|  `OPENLDAP_STATEFULSET_NAME`                    | OpenLDAP StatefulSet Name - setting up repl   | `openldap`                                                          |\n|  `OPENLDAP_SYNCREPL_PASSWORD`                   | OpenLDAP Syncrepl Password                    | `secret`                                                            |\n|  `OPENLDAP_WEKAN_PASSWORD`                      | OpenLDAP Wekan 
Password                       | `secret`                                                            |\n|  `OPENLDAP_WHITEPAGES_PASSWORD`                 | OpenLDAP WhitePages Password                  | `secret`                                                            |\n|  `OPENLDAP_WSWEET_PASSWORD`                     | OpenLDAP Wsweet Password                      | `secret`                                                            |\n\nThe following table details the possible debug levels.\n\n| Debug Level | Description                                   |\n| ----------- | --------------------------------------------- |\n| -1          | Enable all debugging                          |\n|  0          | Enable no debugging                           |\n|  1          | Trace function calls                          |\n|  2          | Debug packet handling                         |\n|  4          | Heavy trace debugging                         |\n|  8          | Connection management                         |\n|  16         | Log packets sent and received                 |\n|  32         | Search filter processing                      |\n|  64         | Configuration file processing                 |\n|  128        | Access control list processing                |\n|  256        | Stats log connections, operations and results |\n|  512        | Stats log entries sent                        |\n|  1024       | Log communication with shell backends         |\n|  2048       | Log entry parsing debugging                   |\n\nYou can also set the following mount points by passing the `-v /host:/container` flag to Docker.\n\n|  Volume mount point | Description                        |\n| :------------------ | ---------------------------------- |\n|  `/var/lib/ldap`    | OpenLDAP data directory            |\n|  `/etc/openldap/`   | OpenLDAP configuration directory.  
|\n\nCluster Auto Configuration\n---------------------------\n\nThis image can be used to set up N-Way clusters.\n\nIt has been made with Kubernetes StatefulSets in mind, and assumes that\nmembers of a cluster are named according to a deployment name and an\nincremental numeric identifier. Assuming our statefulset is named `openldap` and\nhas `3` replicas, in the `sample` project, then the following DNS records would\neventually identify our cluster members:\n\n * openldap-0.openldap.sample.svc\n * openldap-1.openldap.sample.svc\n * openldap-2.openldap.sample.svc\n\nKnowing this, containers started from our image check their hostname.\nIf the hostname ends with such a numeric identifier, they try to detect other\nmembers, starting from `0` and incrementing a counter\nuntil `ldapsearch` fails querying for an OpenLDAP service.\n\nHaving identified potential members to join our cluster, our containers would\ncheck for a `/etc/openldap/.repl-configured` file, which holds the list of\nmembers we've already configured replication with. For every detected neighbor\nmissing in that list, we would add an `olcSyncRepl` entry to the hdb database.\n\nThis process has a critical implication: when bootstrapping a cluster, a Serial\ndeployment policy is recommended, ensuring services start in an orderly\nmanner. The first node would boot and provision either the demo or production\ninitial dataset. Then the second one would set up replication against the first\none, and the third one against the first and second nodes.\n\nAt that point, we would want to reboot the first member of our cluster, so that\nit detects the second and third nodes and sets up its replication,\nand eventually the second node, ensuring it has a link replicating\ndata from the third node.\n\nThere is no easy way to know about a StatefulSet size from a Kubernetes\ncontainer point of view. 
DNS records for non-existing members of a cluster would\nstill resolve, there is no environment variable, and the only way to know for sure\nwould be to use the OpenShift client to query its API. Doing so, however, would\nimply adding a 150-200M binary to our image, which doesn't make much sense.\n\nUpdating Schemas\n-----------------\n\nUpdating existing databases can be done by applying LDIFs while booting a new image.\n\nIn the `./config/config-updates` folder, we would find our first patches:\n\n```\n$ ls config/config-updates\n0.0.1  0.0.2  0.0.3  ...  0.0.X\n```\n\nAll OpenLDAP servers would have a file `/etc/openldap/VERSION`, marking which\npatch was last applied, allowing us to update schemas when refreshing our images.\nCreate your own version:\n\n```\n$ mkdir -p config/config-updates/0.0.42\n```\n\nDepending on what we want to update, we could create several folders in\nthere. Say we want to apply changes to the `cn=config` database, then we\nwould create a `cn=config` sub-directory. Those changes would be applied\n*to all OpenLDAP members* of a cluster, as the first step in applying a new version.\n\n```\n$ mkdir -p config/config-updates/0.0.42/cn=config\n$ cat \u003c\u003cEOF \u003econfig/config-updates/0.0.42/cn=config/00-acl.ldif\ndn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcAccess\nolcAccess: {0}to attrs=userPassword xxxx\nEOF\n```\n\nThe second step in applying an update would be to load new schemas. To do so, we\nwould create a `schemas` sub-directory. Schemas are loaded\n*on all OpenLDAP members* of a cluster. To load OpenLDAP's main schemas, we could\nlink them from `/etc/openldap/schemas`, instead of re-installing new copies:\n\n```\n$ mkdir -p config/config-updates/0.0.42/schemas\n$ ln -sf /etc/openldap/schemas/nis.ldif config/config-updates/0.0.42/schemas/00-nis.ldif\n```\n\nOnce our OpenLDAP configuration and schemas are up-to-date, we may want to apply\npatches to our hdb databases. 
Those updates would only apply\n*on the first OpenLDAP member* of a cluster, as they are meant to be replicated\nand, as such, shouldn't be applied twice. We could store ldifs creating new\nobjects into a `main` sub-directory:\n\n```\n$ mkdir -p config/config-updates/0.0.42/main\n$ cat \u003c\u003cEOF \u003econfig/config-updates/0.0.42/main/00-mediawiki.ldif\ndn: cn=mediawiki,ou=services,OPENLDAP_SUFFIX\nobjectClass: top\nobjectClass: person\ncn: mediawiki\ndescription: Service Account for MediaWiki\nsn: MediaWiki service account\nuserPassword: MEDIAWIKI_SA_PASSWORD_HASH\nEOF\n```\n\nThat done, we may want to run a few shell scripts applying some logic\nplain ldifs won't be able to offer:\n\n```\n$ mkdir -p config/config-updates/0.0.42/scripts\n$ cat \u003c\u003cEOF \u003econfig/config-updates/0.0.42/scripts/00-do-something.sh\n#!/bin/sh\n\nldapsearch -D cn=wsweet,ou=services,\\$OPENLDAP_ROOT_DN .... | while read line\n    do\n\tif test something; then\n\t    ldapmodify xxx\n\tfi\n    done\n\nexit \\$?\nEOF\n$ chmod +x config/config-updates/0.0.42/scripts/00-do-something.sh\n```\n\nFinally, we may want to apply ldifs patching existing objects. A `patch`\nsub-directory could be used:\n\n```\n$ mkdir -p config/config-updates/0.0.42/patch\n$ cat \u003c\u003cEOF \u003econfig/config-updates/0.0.42/patch/00-ppolicy.ldf\ndn: cn=autoLockout,ou=policies,OPENLDAP_SUFFIX\nchangetype: modify\nreplace: pwdSafeModify\npwdSafeModify: FALSE\nEOF\n```\n\nHaving installed all our ldifs, you'll have noticed we used several placeholders\nsuch as `OPENLDAP_SUFFIX`, or `MEDIAWIKI_SA_PASSWORD_HASH`. 
We would want to\ncheck that they are properly substituted with runtime variables:\n\n```\n$ vi ./config/run-openldap.sh\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworteks%2Fdocker-ldap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fworteks%2Fdocker-ldap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworteks%2Fdocker-ldap/lists"}