koszewscy/openldap
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: add missing Kerberos configuration and refactor misleading names.

Browse Source
This commit is contained in:
Sławek Koszewski
2026-05-17 00:50:41 +02:00
parent c04c4e9026
commit b02c0a5028
5 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+4 -3
View File
@@ -221,8 +221,9 @@ Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bo
|---|---|---|
| `KERBEROS_ENABLE` | `0` | Set to `1` to enable |
| `KRB5_REALM` | — | Kerberos realm (uppercase, e.g. `EXAMPLE.ORG`) |
| `KRB5_SASL_HOST` | — | Hostname matching the `ldap/<host>@REALM` service principal |
| `KRB5_KTNAME` | `/etc/ldap/ldap.keytab` | Path to the keytab inside the container |
| `KRB5_KDC_HOST` | — | Hostname of the Kerberos KDC |
| `LDAP_HOSTNAME` | — | Hostname matching the `ldap/<host>@REALM` service principal |
| `KRB5_KTNAME` | `/etc/krb5.keytab` | Path to the keytab inside the container |
### Principal-to-DN mapping
@@ -242,7 +243,7 @@ Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bo
```bash
container cp kerberos:/tmp/ldap.keytab ~/app-data/openldap/ldap.keytab
```
3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/ldap/ldap.keytab`) and set the Kerberos env vars in `openldap.env`.
3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/krb5.keytab`) and set the Kerberos env vars in `openldap.env`.
4. On first start, bootstrap applies the SASL configuration automatically. For an already-initialised instance apply it manually:
```bash
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
bootstrap/init.py
+2 -2
View File
@@ -19,7 +19,7 @@ password = os.environ.get("LDAP_PASSWORD") or "changeit"
tls_enabled = os.environ.get("TLS_ENABLED") == "1"
kerberos_enabled = os.environ.get("KERBEROS_ENABLE") == "1"
krb5_realm = os.environ.get("KRB5_REALM", "")
krb5_sasl_host = os.environ.get("KRB5_SASL_HOST", "")
ldap_hostname = os.environ.get("LDAP_HOSTNAME", "")
admin_dn = f"cn=admin,{base_dn}"
@@ -121,7 +121,7 @@ def main():
apply_ldif(LDIF_DIR / "config-tls.ldif", env)
if kerberos_enabled:
apply_ldif(LDIF_DIR / "config-sasl.ldif", env,
base_dn=base_dn, krb5_realm=krb5_realm, sasl_host=krb5_sasl_host)
base_dn=base_dn, krb5_realm=krb5_realm, ldap_hostname=ldap_hostname)
print("cn=config updated.")
bootstrap/ldif/config-sasl.ldif
+1 -1
View File
@@ -1,7 +1,7 @@
dn: cn=config
changetype: modify
replace: olcSaslHost
olcSaslHost: {{ sasl_host }}
olcSaslHost: {{ ldap_hostname }}
-
replace: olcSaslRealm
olcSaslRealm: {{ krb5_realm }}
env.example
+1 -1
View File
@@ -8,5 +8,5 @@ LDAP_ADMIN_PASSWORD=changeit
KERBEROS_ENABLE=0
KRB5_REALM=EXAMPLE.ORG
KRB5_KDC_HOST=kerberos.example.org
KRB5_SASL_HOST=ldap.example.org
LDAP_HOSTNAME=ldap.example.org
KRB5_KTNAME=/etc/krb5.keytab
scripts/accounts_editor.py
+2 -1
View File
@@ -21,7 +21,8 @@ ENV_VARS = {
"LDAP_ADMIN_PASSWORD": "Admin Password",
"KERBEROS_ENABLE": "Enable Kerberos",
"KRB5_REALM": "Realm",
"KRB5_SASL_HOST": "SASL Host",
"KRB5_KDC_HOST": "KDC Host",
"LDAP_HOSTNAME": "LDAP Hostname",
"KRB5_KTNAME": "Keytab Path",
}