# OpenLDAP for MacOS Docker Block

This Docker block is an updated version of the [OpenLDAP](../openldap/) block. It uses the `osixia/openldap` image. The original Docker block was based on `debian:jessie`, which is not available for Apple's ARM chips.
## Deployment

First build and deploy the `openldap` container.

```bash
make devenv sources=auth/openldap
```

### Exposed ports

The container exposes ports `389` and `636`.

### Background services

The `osixia/openldap` container updates the database with any `*.ldif` file changes inside the `./prepopulate` and `./modules` folders. Remember to rebuild the `devenv` to apply any changes.
## Grafana configuration changes

The following changes are needed in Grafana's configuration file.

```ini
[auth.ldap]
enabled = true
config_file = conf/ldap.toml
```

The default configuration between Grafana and the OpenLDAP container is defined in [../../../../../conf/ldap.toml](../../../../../conf/ldap.toml).
## Available users and groups

- admins
  - ldap-admin
  - ldap-torkel
- backend
  - ldap-carl
  - ldap-torkel
  - ldap-leo
- frontend
  - ldap-torkel
  - ldap-tobias
  - ldap-daniel
- editors
  - ldap-editors
- no groups
  - ldap-viewer

## Groups & Users (POSIX)

- admins
  - ldap-posix-admin
- no groups
  - ldap-posix
## Configure LDAP with TLS

After the `openldap` container has been deployed, you have to copy the CA from the docker container:

```bash
# get the container ID
docker ps

docker cp CONTAINER-ID:"/container/service/:ssl-tools/assets/default-ca/default-ca.pem" devenv/docker/blocks/auth/openldap/certs
```

To configure TLS you need the following lines in the .toml file under the `[[servers]]` section:

```ini
tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
min_tls_version = "TLS1.2"
ssl_skip_verify = true
root_ca_cert = "devenv/docker/blocks/auth/openldap/certs/default-ca.pem"
client_cert = "devenv/docker/blocks/auth/openldap/certs/ldap.crt"
client_key = "devenv/docker/blocks/auth/openldap/certs/ldap.key"
```

For simplicity, the same private key is shared between the server and the client. To generate your own private keys and certificates, please follow this guide: https://enlook.wordpress.com/2015/09/30/howto-generate-certificate-for-openldap-and-using-it-for-certificate-authentication/.
- To connect over LDAPS include this config:

```ini
port = 636
use_ssl = true
start_tls = false
```

- To connect with STARTTLS use this config:

```ini
port = 389
use_ssl = true
start_tls = true
```
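The TLS snippet above sets `ssl_skip_verify = true` right next to a `root_ca_cert`, and the LDAPS and STARTTLS variants differ only in `port` and `start_tls`, which makes them easy to mix up when pasting. The script below is an added example, not part of the devenv block or of Grafana: it reads a `[[servers]]` table from an `ldap.toml` document and flags those combinations. It assumes the meaning of `use_ssl`, `start_tls`, `port`, `ssl_skip_verify`, `root_ca_cert` and `min_tls_version` as used on this page, parses with `tomllib` (Python 3.11+) and falls back to a small line parser for the flat `key = value` lines shown here, and embeds constructed copies of the README snippets as input (the `host` and bind keys a real file would carry are left out).

```python
"""Audit the TLS keys of a Grafana ldap.toml [[servers]] entry.

Added example for this README, not code from the Grafana devenv block or from
Grafana itself; it checks the keys the README shows for combinations worth
flagging before the devenv settings are reused outside local development.
"""

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreter: use the small fallback parser
    tomllib = None


def _scalar(value):
    """Fallback conversion for the flat `key = value` lines the README uses."""
    if value in ("true", "false"):
        return value == "true"
    if value[:1] == '"':
        return value.strip('"')
    if value[:1] == "[":
        return [_scalar(v.strip()) for v in value[1:-1].split(",") if v.strip()]
    return int(value) if value.isdigit() else value


def parse_servers(text):
    """Return every [[servers]] table of an ldap.toml document as a dict."""
    if tomllib is not None:
        return list(tomllib.loads(text).get("servers", []))
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; no '#' inside values here
        if line == "[[servers]]":
            servers.append({})
        elif servers and "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            servers[-1][key] = _scalar(value)
    return servers


def audit_server(server):
    """Return human-readable findings for one [[servers]] table (empty = clean)."""
    findings = []
    use_ssl = bool(server.get("use_ssl", False))
    start_tls = bool(server.get("start_tls", False))
    port = int(server.get("port", 389))
    root_ca = server.get("root_ca_cert")

    if not use_ssl:
        findings.append("use_ssl = false: bind DN, password and directory data travel in plaintext")
        return findings  # the remaining checks only apply to TLS connections

    if server.get("ssl_skip_verify", False):
        message = ("ssl_skip_verify = true: the server certificate is never verified, "
                   "so Grafana cannot distinguish the real directory from an impostor")
        if root_ca:
            message += " (root_ca_cert is set but ignored)"
        findings.append(message)
    elif not root_ca:
        findings.append("no root_ca_cert: verification relies on the host trust store, which lacks the devenv CA")

    if start_tls and port == 636:
        findings.append("start_tls = true on port 636: STARTTLS upgrades the plaintext port 389; 636 expects LDAPS")
    if not start_tls and port == 389:
        findings.append("use_ssl = true without start_tls on port 389: LDAPS normally listens on 636")

    version = server.get("min_tls_version")
    if version is not None and version not in ("TLS1.2", "TLS1.3"):
        findings.append(f"min_tls_version = {version!r}: permits deprecated protocol versions")
    return findings


def audit(text):
    """Audit every [[servers]] table in the document; one findings list per table."""
    return [audit_server(server) for server in parse_servers(text)]


# Constructed sample: the README's TLS lines plus its LDAPS connection settings in
# one [[servers]] table (host and bind keys are left out on purpose).
DEVENV_LDAPS = """
[[servers]]
port = 636
use_ssl = true
start_tls = false
tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
min_tls_version = "TLS1.2"
ssl_skip_verify = true
root_ca_cert = "devenv/docker/blocks/auth/openldap/certs/default-ca.pem"
client_cert = "devenv/docker/blocks/auth/openldap/certs/ldap.crt"
client_key = "devenv/docker/blocks/auth/openldap/certs/ldap.key"
"""

# Constructed: the same entry with verification on, which is what the copied CA is for.
HARDENED_LDAPS = DEVENV_LDAPS.replace("ssl_skip_verify = true", "ssl_skip_verify = false")

# Constructed: the STARTTLS snippet applied without moving the port back to 389.
STARTTLS_WRONG_PORT = HARDENED_LDAPS.replace("start_tls = false", "start_tls = true")

if __name__ == "__main__":
    for name, doc in {"devenv": DEVENV_LDAPS, "hardened": HARDENED_LDAPS,
                      "starttls-wrong-port": STARTTLS_WRONG_PORT}.items():
        print(f"{name}: {audit(doc)}")
```

Running it reports the devenv sample once, for `ssl_skip_verify`, while the copy with `ssl_skip_verify = false` and the same `root_ca_cert` comes back clean; the third sample shows why `port` has to change together with `start_tls`. Once `default-ca.pem` has been copied out of the container, the hardened form is the one to keep, since the CA file only does anything when verification is enabled.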