https://github.com/foundata/oci-openldap-declarative

OCI container image config: OpenLDAP Declarative (LDIF-file-defined directory state, reset on startup)

# OCI Image: OpenLDAP Declarative

An [OpenLDAP](https://www.openldap.org/) server with declarative directory state. [LDAP Data Interchange Format (LDIF)](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) files are the single source of truth. On startup, the container reconciles the directory to the state described by the LDIF inputs. Runtime changes are not persisted; restarting the container always produces the same directory state for the same LDIF.

Main features of the [OCI](https://opencontainers.org/) image:

- **Declarative, idempotent directory state** defined entirely by LDIF files (reset-on-restart semantics).
- **Support for unprivileged execution (rootless)**.
- **Fully featured OpenLDAP**, plus essential debugging utilities and no unnecessary extras.

This image is intended for small, isolated LDAP directories where reproducibility, auditability, and deterministic behavior are required. Typical use cases include defense-in-depth architectures where applications operate with a minimal, self-contained user directory.

## Table of contents

- [Tags](#tags)
- [How to build](#build)
- [How to use](#usage)
- [Non-goals / Limitations](#limitations)
- [Licensing, copyright](#licensing-copyright)
  - [Container configuration, repository](#licensing-copyright-project)
  - [Container image](#licensing-copyright-image)
- [Author information](#author-information)

## Tags

- `latest`: Latest release of this image.

## How to build

To build the image locally, do the following:

1. [Install Podman](https://podman.io/docs/installation).
2. Clone or pull the latest changes from the [`foundata/oci-openldap-declarative` git repository](https://github.com/foundata/oci-openldap-declarative).
3. Change into the directory and execute the [build command](https://docs.podman.io/en/latest/markdown/podman-build.1.html):
   ```bash
   podman build -t openldap-declarative .
   ```

## How to use

1. [Install Podman](https://podman.io/docs/installation).
2. Use the image you built earlier or pull the image from a registry:
   - [Quay](https://quay.io/repository/foundata/openldap-declarative):
     ```bash
     podman pull quay.io/foundata/openldap-declarative:latest
     ```
   - [Docker Hub](https://hub.docker.com/r/foundata/openldap-declarative):
     ```bash
     podman pull docker.io/foundata/openldap-declarative:latest
     ```
3. Run a container from the image:
   ```bash
   podman run --detach \
     --name ldap-foobar \
     --env LDAP_DOMAIN="foobar.svc.local" \
     --env LDAP_ADMIN_PASSWORD="SecurePass123" \
     --publish 127.0.0.1:1389:1389 \
     --volume ./examples/basic/config:/ldap/config:ro,Z \
     --volume ./examples/basic/data:/ldap/data:ro,Z \
     openldap-declarative:latest
   ```
   With TLS:
   ```bash
   podman run --detach \
     --name ldap-foobar \
     --env LDAP_DOMAIN="foobar.svc.local" \
     --env LDAP_ADMIN_PASSWORD="SecurePass123" \
     --env LDAP_TLS_ENABLED="true" \
     --publish 127.0.0.1:1389:1389 \
     --publish 127.0.0.1:1636:1636 \
     --volume ./examples/basic/config:/ldap/config:ro,Z \
     --volume ./examples/basic/data:/ldap/data:ro,Z \
     --volume ./examples/basic/tls:/ldap/tls:ro,Z \
     openldap-declarative:latest
   ```
4. You can now work with the container:
   ```bash
   podman ps

   # List all objects (org, groups, users, ...)
   ldapsearch -x -H ldap://127.0.0.1:1389 \
     -D "cn=admin,dc=foobar,dc=svc,dc=local" \
     -w "SecurePass123" \
     -b "dc=foobar,dc=svc,dc=local" "(objectClass=*)"

   # List all users in "ou=people"
   ldapsearch -x -H ldap://127.0.0.1:1389 \
     -D "cn=admin,dc=foobar,dc=svc,dc=local" \
     -w "SecurePass123" \
     -b "ou=people,dc=foobar,dc=svc,dc=local" "(objectClass=inetOrgPerson)"
   ```

This image is built and tested with [Podman](https://podman.io/) only. We currently do *not* support [Docker](https://www.docker.com/) (but it might work).

## Non-goals / Limitations

This image is intentionally scoped for declarative, file-defined LDAP directories. It is **not** intended to be a general-purpose LDAP service.

Specifically, it does **not** provide:

- Persistent directory state across container restarts.
- Support for interactive or imperative LDAP administration.
- Dynamic runtime modification of users, groups, or schemas.
- Replication, clustering, or high-availability setups.
- Large-scale or multi-tenant directory deployments.

Any change to the directory must be expressed by modifying the LDIF inputs and restarting the container. For mutable, stateful, or large-scale LDAP deployments, use a traditional or managed LDAP service instead.
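
A drift check that follows from the reset-on-restart model, added here as an example (not code from the foundata repository): it compares the declared LDIF with an LDIF export of the running directory, such as `ldapsearch -LLL` output, and reports entries that were removed, added or changed at runtime. The functions `parse_ldif` and `diff_state` and the sample LDIF are constructed for illustration, and the DN normalization is deliberately simple.

```python
import base64
import re

def parse_ldif(text):
    """Parse LDIF content records into {normalized_dn: {attr: {values}}}."""
    text = re.sub(r"\r?\n ", "", text)         # unfold continuation lines
    entries = {}
    for record in re.split(r"\n\s*\n", text):  # blank lines separate records
        dn = None
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                       # comment or stray text
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):           # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":           # DNs compare case-insensitively
                dn = ",".join(p.strip() for p in value.lower().split(","))
                entries[dn] = {}
            elif dn is not None:               # skips "version: 1" before the first dn
                entries[dn].setdefault(attr.lower(), set()).add(value)
    return entries

def diff_state(declared, live):
    """Return (missing, added, changed) of a live export vs. the declared LDIF."""
    changed = {dn: sorted(a for a in declared[dn].keys() | live[dn].keys()
                          if declared[dn].get(a) != live[dn].get(a))
               for dn in declared.keys() & live.keys()}
    changed = {dn: attrs for dn, attrs in changed.items() if attrs}
    return sorted(declared.keys() - live.keys()), sorted(live.keys() - declared.keys()), changed

B64 = base64.b64encode(b"{SSHA}constructed-hash").decode()  # constructed sample data below
DECLARED = """version: 1
dn: uid=alice,ou=people,dc=foobar,dc=svc,dc=local
mail: alice@foobar.svc.local
userPassword: {SSHA}constructed-hash

dn: uid=bob,ou=people,dc=foobar,dc=svc,dc=local
uid: bob
"""
LIVE = f"""dn: uid=alice,ou=People,dc=foobar,
 dc=svc,dc=local
mail: alice@elsewhere.example
userPassword:: {B64}

dn: uid=mallory,ou=people,dc=foobar,dc=svc,dc=local
uid: mallory
"""
```

`diff_state(parse_ldif(DECLARED), parse_ldif(LIVE))` reports `uid=bob` as missing, `uid=mallory` as added and the `mail` attribute of `uid=alice` as changed; the folded, differently cased DN and the base64-encoded `userPassword` compare equal to their declared forms.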

## Licensing, copyright

### Container configuration, repository

Copyright (c) 2025 foundata GmbH (https://foundata.com)

This project is licensed under the GNU General Public License v3.0 or later (SPDX-License-Identifier: `GPL-3.0-or-later`), see [`LICENSES/GPL-3.0-or-later.txt`](LICENSES/GPL-3.0-or-later.txt) for the full text.

The [`REUSE.toml`](REUSE.toml) file provides detailed licensing and copyright information in a human- and machine-readable format. This includes parts that may be subject to different licensing or usage terms, such as third-party components. The repository conforms to the [REUSE specification](https://reuse.software/spec/). You can use [`reuse spdx`](https://reuse.readthedocs.io/en/latest/readme.html#cli) to create a [SPDX software bill of materials (SBOM)](https://en.wikipedia.org/wiki/Software_Package_Data_Exchange).

[![REUSE status](https://api.reuse.software/badge/github.com/foundata/oci-openldap-declarative)](https://api.reuse.software/info/github.com/foundata/oci-openldap-declarative)

### Container image

The pre-built image itself bundles various software components along with direct and indirect dependencies, which are subject to their respective licenses. When using the pre-built image, **you are responsible for ensuring that your usage complies with all relevant licenses** for the software contained within the image.

For further licensing information about the software contained in this image, please refer to the following resources:

* https://www.debian.org/legal/licenses/

## Author information

This project was created and is maintained by foundata GmbH (https://foundata.com).