OpenLDAP
OpenLDAP 2.6 container running on Ubuntu 26.04 with cn=config (slapd-config) database.
Optional Bootstrap Accounts CSV Files
Bootstrap reads account files from /bootstrap/accounts inside the container.
With the current compose setup, this maps to:
~/app-data/openldap/accounts
Optional files:
users.csv: uid,gn,sn,mail
admins.csv: uid,gn,sn,mail
posix-users.csv: uid,gn,sn,mail,uidNumber,gidNumber
You can provide any subset of these files; missing files are skipped.
Rows starting with # are ignored.
Changing the password
Use ldappasswd to change the admin entry's userPassword (-W prompts for the current bind password, -S for the new one):
BASE_DN="dc=koszewscy,dc=waw,dc=pl"
USER_DN="cn=admin,$BASE_DN"
ldappasswd -x -D "$USER_DN" -W -S "$USER_DN"
or use a one-liner (the assignment must be a separate command, otherwise $DN is still empty when the arguments are expanded):
DN="cn=admin,dc=koszewscy,dc=waw,dc=pl"; ldappasswd -x -D "$DN" -W -S "$DN"
Alternatively, change the rootdn password of the mdb database by replacing olcRootPW in cn=config (the {SSHA} value below is a placeholder; generate a real hash with slappasswd):
change_password.ldif:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}newhashedpassword
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f change_password.ldif
LDIF file format
The basic form of an entry is:
# comment
dn: <distinguished name>
<attrdesc>: <attrvalue>
<attrdesc>: <attrvalue>
...
Lines may be continued by starting the next line with a single space or tab.
dn: cn=Barbara J Jensen,dc=example,dc=
 com
cn: Barbara J 
 Jensen
is equivalent to:
dn: cn=Barbara J Jensen,dc=example,dc=com
cn: Barbara J Jensen
Multiple values for the same attribute are represented by repeating the attribute description:
dn: cn=Barbara J Jensen,dc=example,dc=com
cn: Barbara J Jensen
cn: Babs Jensen
If an attribute value contains a non-printable character (or starts with a space or a colon), it must be base64-encoded and written after a double colon:
dn: cn=Barbara J Jensen,dc=example,dc=com
cn:: QmFyYmFyYSBKIEplbnNlbgo=
Binary files (e.g. images) can be included in the LDIF file by giving a URL after ":<", as in the file: URL below:
dn: cn=Barbara J Jensen,dc=example,dc=com
jpegPhoto:< file:///home/bjensen/photo.jpg
Multiple entries are separated by a blank line. Binary files like the one above may also be included as base64-encoded values using the double-colon form.
The full specification is available at https://datatracker.ietf.org/doc/html/rfc2849.
Accessing cn=config
SASL EXTERNAL authenticates via the Unix socket — uid=0 maps to the cn=config superuser. The commands must run inside the container where the socket is accessible.
Browse the entire cn=config tree
ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config
Browse a specific database entry
ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}mdb,cn=config"
Modify cn=config
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
EOF
Verify EXTERNAL identity
ldapwhoami -Q -Y EXTERNAL -H ldapi:///
Expected: dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Editing Access Control Rules
- Inserting a New Rule at the Top
# filename: insert_rule.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by dn.exact="cn=security-scanner,dc=example,dc=com" read break
- Deleting a Specific Rule
# filename: delete_rule.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
- Updating an Existing Rule (In-Place)
# filename: update_rule.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=it-admins,dc=example,dc=com" write
- Reordering the Entire Stack
# filename: reorder_rules.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="cn=security-scanner,dc=example,dc=com" read break
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=it-admins,dc=example,dc=com" write
olcAccess: {2}to *
  by self read
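The LDIF folding, "::" and ":<" forms from the format section and the rule ordering in the olcAccess files above, worked through in an added Python example (not part of this README or of the container's bootstrap code): a small RFC 2849 parser plus a check that flags a catch-all "to *" rule without "break" that hides the rules after it, and {n} indices that are out of sequence. The sample LDIF is constructed from this page's reorder_rules.ldif; parse_ldif and check_acl_order are names chosen here.

```python
import base64
import re

# Constructed sample: this page's reorder_rules.ldif stack with LDIF continuation lines.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="cn=security-scanner,dc=example,dc=com" read break
olcAccess: {1}to attrs=userPassword
  by self write
olcAccess: {2}to *
  by self read
"""

def parse_ldif(text):
    """Entries as lists of (attr, value); handles comments, folding, ::, :<, blank lines."""
    text = re.sub(r"\n[ \t]", "", text)               # unfold: newline plus one space is dropped
    entries = []
    for block in re.split(r"\n\n+", text.strip()):     # a blank line separates entries
        entry = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            value = value.lstrip(" ")
            if value.startswith(":"):                   # attr:: base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            elif value.startswith("<"):                 # attr:< URL reference, kept as text
                value = value[1:].strip()
            entry.append((attr, value))
        entries.append(entry)
    return [e for e in entries if e]

ACL_RE = re.compile(r"^\{(\d+)\}to\s+(.+?)\s+by\s+(.+)$")

def check_acl_order(values):
    """slapd uses the first matching 'to <what>': a 'to *' without 'break' hides all later rules."""
    findings = []
    for pos, value in enumerate(values):
        idx, what, by_clauses = ACL_RE.match(value).groups()   # raises on an unparsable rule
        if int(idx) != pos:
            findings.append(f"index {{{idx}}} where {{{pos}}} expected")
        later = len(values) - pos - 1
        if what == "*" and "break" not in by_clauses.split() and later:
            findings.append(f"rule {{{idx}}} 'to *' without break shadows {later} later rule(s)")
    return findings
```

Note the two leading spaces on each continuation line: unfolding removes exactly one, so the second keeps "to *" and "by" apart.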
Accessing the DIT
ldapsearch -x -H ldap://localhost \
-D "cn=admin,dc=koszewscy,dc=waw,dc=pl" -W \
-b "dc=koszewscy,dc=waw,dc=pl"
Verify readonly service account bind
ldapwhoami -x -H ldap://localhost \
-D "cn=readonly,ou=service-accounts,dc=koszewscy,dc=waw,dc=pl" -W