Deploy an OpenLDAP server with a Password Policy using Docker Compose

I hate LDAP, but one of the most important configurations is enforcing a password policy.

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory services, such as user and group information. LDAP servers are commonly used in organizations to store and manage user and group data, and to handle authentication and authorization. Docker Compose is a tool that lets you define and manage multi-container Docker applications, and it makes it easy to set up and run an LDAP server in a containerized environment. In this post, we will discuss how to install an LDAP server with a password policy using docker-compose.

Building the OpenLDAP Docker Container

To install an LDAP server with a password policy using docker-compose, you can follow these steps:

Create a docker-compose.yml file in a new directory and add the following content to it:

version: '3'

services:
  ldap:
    image: bitnami/openldap:latest
    container_name: openldap
    environment:
      # variables read by the bitnami/openldap image; LDAP_ROOT is the base DN
      # that the password-policy.ldif below is anchored under
      - LDAP_ROOT=dc=example,dc=com
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=password
      - LDAP_CONFIG_ADMIN_ENABLED=yes
      - LDAP_CONFIG_ADMIN_PASSWORD=password
      - ALLOW_EMPTY_PASSWORD=yes
      - LDAP_ENABLE_TLS=no
      # custom LDIF files in this directory are loaded on first start
      - LDAP_CUSTOM_LDIF_DIR=/ldifs
    ports:
      # the image runs unprivileged and listens on 1389/1636 inside the container
      - "389:1389"
      - "636:1636"
    volumes:
      - ./ldap-init:/ldifs
      - ./ldap-data:/bitnami/openldap

This docker-compose.yml file will start an LDAP server using the bitnami/openldap Docker image, with the following settings:

  • The LDAP server will be named "openldap" and will be reachable on host port 389 for unencrypted connections and host port 636 for encrypted connections. Inside the container the image listens on 1389 and 1636 because it runs as an unprivileged user, which is why the mappings are 389:1389 and 636:1636.
  • The base DN will be dc=example,dc=com (the example.com domain), so the password policy entries created below live under it.
  • The directory administrator (cn=admin,dc=example,dc=com) and the cn=config administrator passwords will both be set to "password"; change both before the server is reachable from anything other than your own machine.
  • The ALLOW_EMPTY_PASSWORD setting will be set to "yes", which lets the container start even when no admin password is supplied. It is a development convenience and does not make users' own passwords optional.
  • TLS will be disabled (LDAP_ENABLE_TLS=no), so binds, including the passwords they carry, cross the network in clear text unless TLS is terminated elsewhere.
  • The ./ldap-init directory on the host machine will be mounted at /ldifs in the container, where the image picks up custom LDIF files on first start, and the ./ldap-data directory on the host machine will be mounted at /bitnami/openldap so the database and configuration of the OpenLDAP instance persist across container restarts.

Building the Configuration File

Create a new file called password-policy.ldif inside the ldap-init directory next to the docker-compose.yml file and add the following content to it:

dn: cn=ppolicy,dc=example,dc=com
objectClass: device
objectClass: top
cn: ppolicy

dn: ou=policies,cn=ppolicy,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,cn=ppolicy,dc=example,dc=com
objectClass: top
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 86400
pwdMinLength: 8
pwdExpireWarning: 86400
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinDelay: 300
pwdMaxDelay: 0
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

This password policy requires passwords to be at least 8 characters long (pwdMinLength), to expire 86400 seconds (1 day) after they are set (pwdMaxAge), with the expiry warning returned during the last 86400 seconds of that lifetime (pwdExpireWarning), and to differ from the last 3 passwords (pwdInHistory). pwdCheckQuality 2 makes the server check the quality of a new password and reject it when the check cannot be performed (for example because the client sent a pre-hashed value); without a pwdCheckModule that check covers length only, so character-class rules are not enforced by this entry. pwdMinDelay and pwdMaxDelay control a response delay after failed binds, and because pwdMaxDelay is 0 that delay stays disabled. The lockout rules lock an account after 3 consecutive failed binds (pwdMaxFailure) for 1800 seconds (30 minutes, pwdLockoutDuration); pwdFailureCountInterval 0 means the failure counter is reset only by a successful bind, and pwdGraceAuthNLimit 0 allows no grace binds once a password has expired. Finally, pwdMustChange TRUE forces users to change a password that an administrator has set or reset before they can do anything else, and pwdAllowUserChange TRUE lets users change their own passwords.

This entry only describes the policy. slapd enforces it only when the ppolicy overlay is loaded on the database and olcPPolicyDefault points at cn=default,ou=policies,cn=ppolicy,dc=example,dc=com (or a user entry references the policy through pwdPolicySubentry), so check cn=config for the overlay before relying on it.
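Before loading a policy file like this one, it is worth reading it back mechanically and checking the settings against a baseline. The following is an added example (not code from the original post or from the OpenLDAP project): a small, standard-library-only LDIF reader plus an audit of the pwdPolicy entry, run over a constructed inline copy of the entry above. The 12-character baseline and the individual audit rules are this example's own choices; the attribute semantics follow slapo-ppolicy.

```python
"""Parse an OpenLDAP password-policy LDIF and audit its pwdPolicy entries.

Added example, not code from the original post. Standard library only.
"""
import base64

# Constructed sample: the pwdPolicy entry from the post, copied inline so the
# script runs without the ldap-init directory being present.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,cn=ppolicy,dc=example,dc=com
objectClass: top
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 86400
pwdMinLength: 8
pwdExpireWarning: 86400
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinDelay: 300
pwdMaxDelay: 0
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
"""


def parse_ldif(text):
    """Return entries as a list of {attribute: [values]} dicts ('dn' included).

    Handles '#' comments, folded lines (a leading space continues the previous
    line) and base64 values written as 'attr:: <base64>'.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold: the single leading space is dropped
        else:
            logical.append(raw)
    logical.append("")  # sentinel so the final entry is flushed

    entries, current = [], {}
    for line in logical:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def find_policies(entries):
    """Entries that carry the pwdPolicy object class."""
    return [e for e in entries if "pwdPolicy" in e.get("objectClass", [])]


def _int(entry, attr, default=0):
    return int(entry.get(attr, [default])[0])


def _flag(entry, attr):
    return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"


def audit_policy(entry, min_length=12):
    """Return human-readable findings for one pwdPolicy entry ([] = no concerns).

    min_length is this example's own baseline, not a value the post prescribes.
    """
    findings = []
    if _int(entry, "pwdMinLength") < min_length:
        findings.append("pwdMinLength %d is below the baseline of %d"
                        % (_int(entry, "pwdMinLength"), min_length))
    if not _flag(entry, "pwdLockout"):
        findings.append("pwdLockout is FALSE: failed binds are never limited")
    elif _int(entry, "pwdMaxFailure") == 0:
        findings.append("pwdLockout is TRUE but pwdMaxFailure is 0, so lockout never triggers")
    if _int(entry, "pwdInHistory") == 0:
        findings.append("pwdInHistory is 0: previous passwords can be reused")
    max_age = _int(entry, "pwdMaxAge")
    if 0 < max_age < 7 * 86400:
        findings.append("pwdMaxAge %ds forces rotation more often than weekly; "
                        "confirm this is intended" % max_age)
    if _int(entry, "pwdCheckQuality") == 2 and "pwdCheckModule" not in entry:
        findings.append("pwdCheckQuality 2 without pwdCheckModule only checks length; "
                        "character-class rules are not enforced")
    if _flag(entry, "pwdLockout") and _int(entry, "pwdFailureCountInterval") == 0:
        findings.append("pwdFailureCountInterval 0: the failure counter is reset only "
                        "by a successful bind")
    return findings


def audit_ldif(text, min_length=12):
    """Map each policy DN to its findings; raises if no pwdPolicy entry exists."""
    policies = find_policies(parse_ldif(text))
    if not policies:
        raise ValueError("no pwdPolicy entry found")
    return {p["dn"][0]: audit_policy(p, min_length) for p in policies}


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it as-is to audit the inline sample, or replace SAMPLE_LDIF with the contents of ldap-init/password-policy.ldif. The parser deliberately stops at attribute/value records: change records (changetype: modify) would need a different reader, and the audit is meant to run on the policy file before it is loaded, not on a live server.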

Firing Up the Server

After creating the ldap-init/password-policy.ldif file, you can proceed to start the LDAP server using docker-compose by running the following command in the same directory as the docker-compose.yml file:

docker-compose up -d

This will start the LDAP server in detached mode, meaning it will run in the background and you will be able to continue using the terminal. You can check the status of the LDAP server by running the following command:

docker-compose ps

This will show you a list of the containers managed by docker-compose and their current status. The LDAP server should be listed as "Up" if it is running successfully.

You can also check the logs for the LDAP server by running the following command:

docker-compose logs

This will show you the logs for all the containers managed by docker-compose. You can use this to troubleshoot any issues that may arise while starting the LDAP server.

Once the LDAP server is running, you can use an LDAP client to connect to it and start creating users and groups. Some common LDAP clients include ldapadd, ldapmodify, and ldapsearch. You can also use a graphical LDAP client like Apache Directory Studio to manage your LDAP server.

You can find me on Mastodon at @mojoology@mastodon.social.