docker 容器化搭建 OpenLDAP
一键启动企业用户目录环境。
目标
利用 docker 快速搭建一套企业用户目录,包含 OpenLDAP、PhpLdapAdmin
知识储备
- docker
- docker-compose
- LDAP
快速开始
编写 docker-compose.yaml
version: '2'
services:
ldap-openldap:
container_name: ldap-openldap
image: dinkel/openldap # 如果拉取速度很慢,可以换成 registry.cn-hangzhou.aliyuncs.com/bxwill/openldap
restart: always
ports:
- "389:389"
environment:
- SLAPD_PASSWORD=opendevops # 自定义 admin 的密码
- SLAPD_DOMAIN=qualitysphere.github.io # 自定义 LDAP 的域名,admin 账号即 cn=admin,dc=qualitysphere,dc=github,dc=io
volumes:
- ./ldap/db:/var/lib/ldap
- ./ldap/config:/etc/ldap
ldap-phpldapadmin:
container_name: ldap-phpldapadmin
image: dinkel/phpldapadmin # 如果拉取速度很慢,可以换成 registry.cn-hangzhou.aliyuncs.com/bxwill/phpldapadmin
restart: always
ports:
- "8080:80"
environment:
- LDAP_SERVER_HOST=ldap-openldap # 使用 compose 启动容器,可以直接使用服务名
启动容器
docker-compose -f docker-compose.yaml up -d
该命令会自动拉取镜像,然后运行容器在后台。
Creating network "ldap_default" with the default driver
Pulling ldap-openldap (registry.cn-hangzhou.aliyuncs.com/bxwill/openldap:)...
latest: Pulling from bxwill/openldap
3e731ddb7fc9: Pull complete
13c25f64fb95: Pull complete
ea04acf4d1c7: Pull complete
698e147b1a14: Pull complete
785315087f01: Pull complete
Digest: sha256:eab96e00fb6c61bc62b31d4be3374bd7135d2d28f8258444bb54f2ec33bc171d
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/bxwill/openldap:latest
Pulling ldap-phpldapadmin (registry.cn-hangzhou.aliyuncs.com/bxwill/phpldapadmin:)...
latest: Pulling from bxwill/phpldapadmin
2bb30e6532d8: Pull complete
4f4fb700ef54: Pull complete
356a56dc0f33: Pull complete
7297012dc270: Pull complete
e50d050ecbcb: Pull complete
1d90d6cb6813: Pull complete
4b4db6a38010: Pull complete
a19943242af0: Pull complete
70fe1e7e8823: Pull complete
65ea61459158: Pull complete
193cb54f7ff2: Pull complete
f66701481e0d: Pull complete
af6fb5a4e30d: Pull complete
b00e580e6cd0: Pull complete
b38050511c0b: Pull complete
Digest: sha256:eb3a89ebd1b9a6b1f7db7b416b0d5a97fed9b1d23c09dd8b31893bb7ec342a49
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/bxwill/phpldapadmin:latest
Creating ldap-openldap ... done
Creating ldap-phpldapadmin ... done
检查服务
docker-compose -f docker-compose.yaml ps
状态都为 Up 即说明容器运行正常:
Name Command State Ports
----------------------------------------------------------------------------------
ldap-openldap /entrypoint.sh slapd -d 32 ... Up 0.0.0.0:389->389/tcp
ldap-phpldapadmin /bootstrap.sh /run.sh Up 0.0.0.0:8080->80/tcp
登录 LDAP
在浏览器中输入主机 IP 加 8080 端口,可以访问到如下界面:
通过自定义的 admin 账号和密码登录 OpenLDAP:
点击左侧栏的 Create new entry here
进入模板列表:
选择一个模板填入信息即可创建:
自定义用户模板
在实际工作中,模板其实不需要这么多,通常会定制一个适合自己场景的模板。
比如定制一个更轻量的用户账号模板:
该模板采用 xml 编写,上图的模板 xml 如下:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<askcontainer>1</askcontainer>
<description>Open DevOps Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>cn</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>OpenDevOps: Account</title>
<visible>1</visible>
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
</objectClasses>
<attributes>
<attribute id="cn">
<display>Common Name</display>
<icon>ldap-uid.png</icon>
<order>1</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="sn">
<display>Last name</display>
<order>2</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="uid">
<display>User Name</display>
<order>3</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="mail">
<display>Email</display>
<icon>mail.png</icon>
<value>@qualitysphere.github.io</value>
<order>4</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="displayName">
<display>Display Name</display>
<order>5</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="mobile">
<display>Mobile</display>
<icon>phone.png</icon>
<order>6</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
<attribute id="userPassword">
<display>Password</display>
<default>opendevops</default>
<order>7</order>
<page>1</page>
<spacer>1</spacer>
</attribute>
</attributes>
</template>
将其放入 PhpLdapAdmin 模板目录:
docker cp ldap/templates/myTemplate.xml ldap-phpldapadmin:/etc/phpldapadmin/templates/creation/
再次刷新模板列表页面即可看到它被加载:
或者直接挂载模板目录,使得模板列表中只显示自定义的模板,页面更简洁,修改 docker-compose.yaml 中的最后两行,添加定义 ldap-phpldapadmin 的挂载目录:
version: '2'
services:
ldap-openldap:
container_name: ldap-openldap
image: dinkel/openldap # 如果拉取速度很慢,可以换成 registry.cn-hangzhou.aliyuncs.com/bxwill/openldap
restart: always
ports:
- "389:389"
environment:
- SLAPD_PASSWORD=opendevops # 自定义 admin 的密码
- SLAPD_DOMAIN=qualitysphere.github.io # 自定义 LDAP 的域名,admin 账号即 cn=admin,dc=qualitysphere,dc=github,dc=io
volumes:
- ./ldap/db:/var/lib/ldap
- ./ldap/config:/etc/ldap
ldap-phpldapadmin:
container_name: ldap-phpldapadmin
image: dinkel/phpldapadmin # 如果拉取速度很慢,可以换成 registry.cn-hangzhou.aliyuncs.com/bxwill/phpldapadmin
restart: always
ports:
- "8080:80"
environment:
- LDAP_SERVER_HOST=ldap-openldap # 使用 compose 启动容器,可以直接使用服务名
volumes:
- ./ldap/templates:/etc/phpldapadmin/templates/creation/ # 挂载自定义模板目录
重新运行 docker-compose 命令:
docker-compose -f docker-compose.yaml up -d
ldap-phpldapadmin 容器会自动重新创建:
ldap-openldap is up-to-date
Recreating ldap-phpldapadmin ... done
再次访问 PhpLdapAdmin 页面,需要重新登录,登录后点击创建链接进如模板列表页面,只会看到自己定义的模板: