Installed with the official stable/openldap Helm chart and the official osixia/openldap image v1.4.0.
OpenLDAP is used as the centralized authentication source for Nextcloud, Mail, Gitea, etc.
Never publish your OpenLDAP server on the Internet.
Edit all/all.yaml
## OpenLDAP ##
openldap_enabled: true
#openldap_size: "10Gi"
#openldap_storage: "nfs-ssd"
openldap_loadbalancer_ip: "192.168.250.2"
openldap_domain: "dc=example,dc=com"
openldap_custom_users:
- { name: myuser1 }
- { name: myuser2 }
openldap_simple_users:
- { name: testuser1, sn: 6001, uid: 6001, gid: 6001 }
- { name: testuser2, sn: 6002, uid: 6002, gid: 6002 }
Edit k8s/openldap.yaml
openldap_values:
  customLdifFiles:
    # Static entries; userPassword comes from the {PBKDF2-SHA512} hash variables (myuser1_pbkdf2_sha512_hash, ...)
    04-custom-users.ldif: |-
      dn: uid=myuser1,ou=users,{{ openldap_domain }}
      changetype: add
      uid: myuser1
      cn: myuser1
      sn: 5001
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/myuser1
      uidNumber: 5001
      gidNumber: 5001
      userPassword: {{ myuser1_pbkdf2_sha512_hash }}
      mail: myuser1@{{ domain }}
      mail: myuser1_second_mail@{{ domain }}
      gecos: myuser1 description

      dn: uid=myuser2,ou=users,{{ openldap_domain }}
      changetype: add
      uid: myuser2
      cn: myuser2
      sn: 5002
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/myuser2
      uidNumber: 5002
      gidNumber: 5002
      userPassword: {{ myuser2_pbkdf2_sha512_hash }}
      mail: myuser2@{{ domain }}
      mail: myuser2_second_mail@{{ domain }}
      gecos: myuser2 description
    # Generated from openldap_simple_users; entries are separated by a blank line.
    # A user without a <name>_pbkdf2_sha512_hash variable gets the literal value 'nopass' as userPassword (stored as-is, not hashed).
    05-autogen-simple-users.ldif: |-
      {% for user in openldap_simple_users %}
      dn: uid={{ user.name }},ou=users,{{ openldap_domain }}
      changetype: add
      uid: {{ user.name }}
      cn: {{ user.name }}
      sn: {{ user.sn }}
      objectClass: top
      objectClass: posixAccount
      objectClass: inetOrgPerson
      loginShell: /bin/bash
      homeDirectory: /home/{{ user.name }}
      uidNumber: {{ user.uid }}
      gidNumber: {{ user.gid }}
      userPassword: {{ hostvars[inventory_hostname][user.name + '_pbkdf2_sha512_hash'] | default('nopass') }}
      mail: {{ user.name }}@{{ domain }}
      gecos: {{ user.name }} user

      {% endfor %}
ansible-playbook -i inventory/ghp/${ENV} playbooks/ghp/site.yaml --tags=openldap
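Before the rendered LDIF is applied it is worth checking it for the mistakes the templates above can produce: a missing required attribute, a uid or uidNumber used twice, or a userPassword that is not a hash (the `default('nopass')` fallback). The following lint is an added example and not part of this repository; it parses only the plain `attr: value` LDIF form the templates emit, and the embedded LDIF is a constructed sample whose `{PBKDF2-SHA512}` value is a placeholder, not a real hash.

```python
"""Lint rendered OpenLDAP user LDIF before it is applied: required posixAccount /
inetOrgPerson attributes, unique uid and uidNumber, and hashed userPassword values."""
import re
from collections import Counter
from typing import Dict, List

Entry = Dict[str, List[str]]

# MUST attributes for an entry that is both posixAccount and inetOrgPerson (via person)
REQUIRED_ATTRS = {"uid", "cn", "sn", "uidNumber", "gidNumber", "homeDirectory"}
EXPECTED_SCHEME = "{PBKDF2-SHA512}"               # the scheme this deployment uses
ANY_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")    # any RFC 2307 style {SCHEME} prefix


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into blank-line separated entries; every attribute is multi-valued.
    Only the plain 'attr: value' form is handled (no '::' base64 values, ':<' URLs
    or continuation lines), which is all the templates above produce."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # LDIF comment line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def lint_entries(entries: List[Entry]) -> List[str]:
    """Return human-readable findings; an empty list means the LDIF passed."""
    findings: List[str] = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        missing = REQUIRED_ATTRS - e.keys()
        if missing:
            findings.append(f"{dn}: missing required attribute(s) {sorted(missing)}")
        for pw in e.get("userPassword", []):
            if not ANY_SCHEME.match(pw):
                # e.g. the 'nopass' template fallback: slapd stores such a value as-is
                findings.append(f"{dn}: userPassword is cleartext, not a hashed value")
            elif not pw.startswith(EXPECTED_SCHEME):
                findings.append(f"{dn}: userPassword does not use {EXPECTED_SCHEME}")
    for attr in ("uid", "uidNumber"):
        counts = Counter(v for e in entries for v in e.get(attr, []))
        for value, n in sorted(counts.items()):
            if n > 1:
                findings.append(f"{attr} {value} is used by {n} entries")
    return findings


# Constructed sample: testuser1 is fine, testuser2 lacks sn, reuses uidNumber 6001
# and carries the 'nopass' fallback. The PBKDF2 value is a placeholder, not a real hash.
SAMPLE_LDIF = """\
dn: uid=testuser1,ou=users,dc=example,dc=com
changetype: add
uid: testuser1
cn: testuser1
sn: 6001
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/testuser1
uidNumber: 6001
gidNumber: 6001
userPassword: {PBKDF2-SHA512}10000$c2FsdHNhbHRzYWx0c2FsdA$AAAA
mail: testuser1@example.com
gecos: testuser1 user

dn: uid=testuser2,ou=users,dc=example,dc=com
changetype: add
uid: testuser2
cn: testuser2
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/testuser2
uidNumber: 6001
gidNumber: 6002
userPassword: nopass
mail: testuser2@example.com
gecos: testuser2 user
"""

if __name__ == "__main__":
    for finding in lint_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run it over the rendered `04-custom-users.ldif` and `05-autogen-simple-users.ldif` (read the file instead of `SAMPLE_LDIF`) and treat any finding as a reason not to deploy; the cleartext check is the one that catches a forgotten `<name>_pbkdf2_sha512_hash` variable.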
# Generate a {PBKDF2-SHA512} password hash (needs the pw-pbkdf2 module; omit -s to be prompted instead of leaving the secret in shell history)
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2-SHA512} -s supersecret
# Check loaded modules (pw-pbkdf2 must be listed)
slapcat -n 0 | grep olcModuleLoad
# Check connection, search and memberOf (simple bind as admin, password prompted by -W)
ldapsearch -D 'cn=admin,dc=example,dc=com' -b 'dc=example,dc=com' -x -H ldap://"${LDAP_HOSTNAME}":389 -W '(uid=*)' memberOf
# Check TLS: a base search over ldaps://, then the TLS settings in cn=config
ldapsearch -xLLLWD cn=admin,dc=example,dc=com -b dc=example,dc=com -s base -H ldaps://${LDAP_HOSTNAME}:636
ldapsearch -QLLLY EXTERNAL -H ldapi:/// -b cn=config -s base | grep -i tls
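The value slappasswd prints above has the form `{PBKDF2-SHA512}<rounds>$<salt>$<derived key>`, with salt and key in passlib's "adapted base64" (standard alphabet, `+` replaced by `.`, padding stripped); this is the format of the pw-pbkdf2 module and of passlib's ldap_pbkdf2_sha512. The code below is an added example, not part of this repository or of OpenLDAP, and uses only the standard library; it produces the same kind of value for the `*_pbkdf2_sha512_hash` variables without needing slapd tools, and verifies a stored value the way slapd does. The defaults of 10000 rounds and a 16-byte salt are taken from the module's defaults.

```python
"""Generate and verify {PBKDF2-SHA512} userPassword values in the format used by
OpenLDAP's pw-pbkdf2 module (and passlib's ldap_pbkdf2_sha512)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{PBKDF2-SHA512}"
DEFAULT_ROUNDS = 10000   # pw-pbkdf2 default iteration count
SALT_LEN = 16            # pw-pbkdf2 default salt length in bytes
DK_LEN = 64              # SHA-512 digest length


def ab64_encode(raw: bytes) -> str:
    """Adapted base64 (passlib style): standard alphabet with '+' -> '.', no padding."""
    return base64.b64encode(raw).decode("ascii").replace("+", ".").rstrip("=")


def ab64_decode(text: str) -> bytes:
    """Inverse of ab64_encode; raises ValueError (binascii.Error) on bad input."""
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)


def make_hash(password: str, rounds: int = DEFAULT_ROUNDS, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value: {PBKDF2-SHA512}<rounds>$<ab64 salt>$<ab64 derived key>."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt for every hash
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, DK_LEN)
    return f"{SCHEME}{rounds}${ab64_encode(salt)}${ab64_encode(dk)}"


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored value; False for any malformed value."""
    if not stored.startswith(SCHEME):
        return False
    try:
        rounds_s, salt_s, dk_s = stored[len(SCHEME):].split("$")
        rounds = int(rounds_s)
        salt = ab64_decode(salt_s)
        expected = ab64_decode(dk_s)
    except ValueError:                       # wrong field count, bad integer or bad base64
        return False
    if rounds < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, len(expected))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


if __name__ == "__main__":
    value = make_hash("supersecret")
    print(value)
    print(verify("supersecret", value), verify("wrong", value))
```

Each call produces a different value because the salt is random; a round trip through `verify` is the test that matters. Raising `rounds` above the module default only affects values generated here, since slapd reads the count from the stored value.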
Web admin for OpenLDAP (phpLDAPadmin)
docker run -p 6443:443 --env PHPLDAPADMIN_LDAP_HOSTS=${LDAP_HOSTNAME} --detach osixia/phpldapadmin:0.9.0
Once the container has started, phpLDAPadmin is available at https://localhost:6443