Advanced use of a Dockerized OpenLDAP server, and alternatives to secure and improve your OpenLDAP server
Using several Docker containers, we will build a set of examples around an LDAP server container.
We assume you already have some theoretical or practical knowledge of LDAP.
In this project we study different examples built on the OpenLDAP service running in a Docker container. In particular, I have chosen 4 examples that show technologies which, although very different from each other, can all be used to improve our LDAP server.
In this model we perform GSSAPI authentication using the OpenLDAP client utilities, with a total of 3 Docker containers. All communication between the client and the LDAP server is encrypted with TLS. The connection uses port 389, the default port for unencrypted LDAP, but thanks to StartTLS the session is upgraded to an encrypted one on that same port.
Docker images used for this example:
- LDAP StartTLS + GSSAPI keytab (DockerHub, GitHub)
- Kerberos (DockerHub, GitHub)
- Client for running some queries against the database (DockerHub, GitHub)
For more information about this model...
In this model we will see how an LDAP server works as a Producer so that other LDAP servers can replicate from it and act as Consumers.
One Consumer will communicate with the Producer using simple authentication.
Another Consumer will do the same, but using SASL GSSAPI authentication.
Finally, we will verify that the client can perform searches on both servers, make modifications in the Producer's database, and check whether replication is really working correctly.
Docker images used for this example:
- LDAP StartTLS Producer + GSSAPI keytab (DockerHub, GitHub)
- Kerberos (DockerHub, GitHub)
- Client for running some queries against the database (DockerHub, GitHub)
- LDAP StartTLS Consumer with simple authentication (DockerHub, GitHub)
- LDAP StartTLS Consumer with SASL GSSAPI authentication (DockerHub, GitHub)
For more information about this model...
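The last step of this model (search both servers, modify the Producer, confirm the Consumer follows) can be automated by diffing LDIF dumps of the two servers. The following is an added example, not code from the project: it assumes each server was exported with slapcat or ldapsearch -LLL, skips a constructed set of per-server operational attributes, and runs on embedded sample dumps rather than real exports.

```python
"""Replication check: compare a producer's LDIF dump against a consumer's.

Added example, not the project's own code. It assumes both servers were
exported to LDIF with slapcat (or ldapsearch -LLL); the dumps below are
constructed sample data, not real exports.
"""
import base64

# Operational attributes each server maintains on its own, so they may differ
# between producer and consumer. Assumed set; shrink it to compare entryCSN too.
IGNORED_ATTRS = frozenset({"entrycsn", "contextcsn", "modifytimestamp",
                           "modifiersname", "createtimestamp", "creatorsname"})


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text, ignore=IGNORED_ATTRS):
    """Parse LDIF into {dn: {attribute: sorted values}}.

    Handles comments, base64 values ("attr:: ...") and blank-line entry
    separators. DNs and attribute names are case-insensitive in LDAP, so they
    are lower-cased; attribute values are kept as they are.
    """
    entries, current = {}, {}
    for line in unfold(text) + [""]:          # the trailing "" flushes the last entry
        if not line:
            if "dn" in current:
                dn = current.pop("dn")[0]
                entries[dn.lower()] = {a: sorted(v) for a, v in current.items()}
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        name = name.lower()
        if rest.startswith(":"):              # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name != "dn" and name in ignore:
            continue
        current.setdefault(name, []).append(value)
    return entries


def compare_replicas(producer_ldif, consumer_ldif):
    """Report missing/extra entries on the consumer and per-attribute differences."""
    producer, consumer = parse_ldif(producer_ldif), parse_ldif(consumer_ldif)
    report = {
        "missing_on_consumer": sorted(set(producer) - set(consumer)),
        "extra_on_consumer": sorted(set(consumer) - set(producer)),
        "differing": {},
    }
    for dn in sorted(set(producer) & set(consumer)):
        diffs = {a: (producer[dn].get(a), consumer[dn].get(a))
                 for a in sorted(set(producer[dn]) | set(consumer[dn]))
                 if producer[dn].get(a) != consumer[dn].get(a)}
        if diffs:
            report["differing"][dn] = diffs
    report["in_sync"] = not (report["missing_on_consumer"]
                             or report["extra_on_consumer"] or report["differing"])
    return report


# Constructed sample dump of the producer. It deliberately contains a folded
# line and a base64 value ("M06 ", encoded because of its trailing space).
PRODUCER_LDIF = """\
dn: uid=alice,ou=People,dc=edt,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
mail: alice@edt.org
entryCSN: 20200101000000.000000Z#000000#000#000000
description:: TTA2IA==
title: Student of the M06 subject at
  Escola del Treball

dn: uid=bob,ou=People,dc=edt,dc=org
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
"""

# Constructed consumer dump, derived from the producer's: uid=bob has not
# arrived yet, alice's mail is stale, and the (ignored) entryCSN differs.
CONSUMER_LDIF = PRODUCER_LDIF.split("\ndn: uid=bob")[0].replace(
    "mail: alice@edt.org", "mail: alice@student.edt.org").replace(
    "20200101000000", "20191231000000")

if __name__ == "__main__":
    result = compare_replicas(PRODUCER_LDIF, CONSUMER_LDIF)
    print("in sync:", result["in_sync"])
    print("missing on consumer:", result["missing_on_consumer"])
    print("differing:", result["differing"])
```

Run it once after loading the Producer and once more after each modification; a consumer that is really replicating reports in sync: True within the refresh interval, while a stale or partial replica shows up under missing on consumer or differing.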
In this model, starting from example one, we will see how to make system authentication more secure by combining the best of Kerberos and LDAP.
In the client we will see how system-auth (PAM) works with these two technologies, and we will run a series of checks to make sure it works correctly.
Docker images used for this example:
- LDAP StartTLS + GSSAPI keytab (DockerHub, GitHub)
- Kerberos (DockerHub, GitHub)
- Client PAM + ldapwhoami (DockerHub, GitHub)
For more information about this model...
Finally, in this model we will see how a Zabbix server can monitor, with graphs, all the operations performed on our LDAP server and all connections made to it.
Docker images used for this example:
- LDAP StartTLS with a crond Python script (DockerHub, GitHub)
- Kerberos (DockerHub, GitHub)
- Client for running some searches and viewing the graphs (DockerHub, GitHub)
- Zabbix with a custom OpenLDAP template (DockerHub, GitHub)
For more information about this model...
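The crond Python script in this model is what feeds Zabbix with counts of operations and connections. As an added example that is not the project's script, the parser below aggregates slapd stats log lines into counters for a monitoring agent and, in line with the note further down about preferring GSSAPI over simple binds, flags simple binds that sent a password on a connection that never negotiated StartTLS. The metric key names and the sample log lines are this example's own constructions, not the project's Zabbix template items or a real capture.

```python
"""Turn slapd "stats" log lines into counters for a monitoring agent.

Added example, not the project's cron script. It assumes slapd logs at
loglevel stats through syslog (the usual "conn=N op=M ..." lines); the log
lines below are constructed, and the metric key names are this example's own,
not the items of the project's Zabbix template.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"conn=(?P<conn>\d+) (?:fd=\d+ )?(?:op=(?P<op>\d+) )?(?P<body>.*)$")
OPS = {"BIND", "UNBIND", "SRCH", "ADD", "MOD", "MODRDN", "DEL", "CMP", "EXT", "STARTTLS"}
SIMPLE, SASL = "method=128", "method=163"   # LDAP_AUTH_SIMPLE / LDAP_AUTH_SASL


def parse_slapd_log(lines):
    """Aggregate one log interval into counters plus a list of simple binds
    that sent a password on a connection that never negotiated TLS."""
    metrics = Counter()
    seen_ops = set()      # (conn, op, type): a SASL bind logs several BIND lines for one op
    tls_conns = set()     # connections that logged "TLS established"
    client_of = {}        # conn -> client IP taken from the ACCEPT line
    pending_bind = set()  # (conn, op) of binds still waiting for their RESULT line
    cleartext = []        # simple binds with a DN on a connection without TLS
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, body = m.group("conn"), m.group("op"), m.group("body")
        word = body.split(" ", 1)[0]
        if word == "ACCEPT":
            metrics["connections"] += 1
            ip = re.search(r"from IP=(\S+)", body)
            client_of[conn] = ip.group(1).rsplit(":", 1)[0] if ip else "?"
        elif body.startswith("TLS established"):
            tls_conns.add(conn)
        elif word == "BIND":
            if SIMPLE in body:
                metrics["bind.simple"] += 1
                pending_bind.add((conn, op))
                dn = re.search(r'dn="([^"]*)"', body)
                if dn and dn.group(1) and conn not in tls_conns:
                    cleartext.append({"conn": conn, "dn": dn.group(1),
                                      "client": client_of.get(conn, "?")})
            elif SASL in body:
                metrics["bind.sasl"] += 1
                pending_bind.add((conn, op))
            mech = re.search(r"mech=(\S+)", body)
            if mech:
                metrics["bind.mech." + mech.group(1)] += 1
        elif body.startswith(("RESULT", "SEARCH RESULT")):
            err = re.search(r"err=(\d+)", body)
            if err and err.group(1) != "0":
                metrics["result.errors"] += 1
                if (conn, op) in pending_bind:
                    metrics["bind.failed"] += 1
            pending_bind.discard((conn, op))
        if word in OPS:
            seen_ops.add((conn, op, word))
    for _, _, word in seen_ops:
        metrics["op." + word] += 1
    metrics["tls.connections"] = len(tls_conns)
    return {"metrics": metrics, "cleartext_simple_binds": cleartext}


def as_zabbix_lines(metrics, prefix="openldap"):
    """Render the counters as 'key value' lines, one item per line."""
    return [f"{prefix}.{key} {value}" for key, value in sorted(metrics.items())]


# Constructed slapd stats log (not a real capture). conn=1000 is a GSSAPI client
# that upgrades with StartTLS; conn=1001 is a plain, failed simple bind.
P = "Jan  5 10:12:01 ldap slapd[123]: "
SAMPLE_LOG = [
    P + "conn=1000 fd=12 ACCEPT from IP=172.18.0.4:49812 (IP=0.0.0.0:389)",
    P + "conn=1000 op=0 STARTTLS",
    P + "conn=1000 op=0 RESULT oid= err=0 text=",
    P + "conn=1000 fd=12 TLS established tls_ssf=256 ssf=256",
    P + 'conn=1000 op=1 BIND dn="" method=163',
    P + 'conn=1000 op=1 BIND authcid="alice@EDT.ORG" authzid="alice@EDT.ORG"',
    P + 'conn=1000 op=1 BIND dn="uid=alice,ou=People,dc=edt,dc=org" mech=GSSAPI sasl_ssf=56 ssf=256',
    P + "conn=1000 op=1 RESULT tag=97 err=0 text=",
    P + 'conn=1000 op=2 SRCH base="dc=edt,dc=org" scope=2 deref=0 filter="(uid=alice)"',
    P + "conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    P + "conn=1000 op=3 UNBIND",
    P + "conn=1000 fd=12 closed",
    P + "conn=1001 fd=13 ACCEPT from IP=172.18.0.9:51000 (IP=0.0.0.0:389)",
    P + 'conn=1001 op=0 BIND dn="cn=admin,dc=edt,dc=org" method=128',
    P + "conn=1001 op=0 RESULT tag=97 err=49 text=",
    P + "conn=1001 op=1 UNBIND",
    P + "conn=1001 fd=13 closed",
]

if __name__ == "__main__":
    report = parse_slapd_log(SAMPLE_LOG)
    print("\n".join(as_zabbix_lines(report["metrics"])))
    for b in report["cleartext_simple_binds"]:
        print(f"WARNING: simple bind without TLS: conn={b['conn']} dn={b['dn']} from {b['client']}")
```

Counting operations by (conn, op) rather than by line matters because a SASL bind emits several BIND lines for one operation; the bind.failed and cleartext figures are the two numbers worth graphing with an alert threshold, since a rising failed-bind count hints at password guessing and any cleartext simple bind means a client is still configured without StartTLS.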
So we have the following Docker images, each with a different configuration:
- Docker LDAP
- Docker Kerberos
- Docker Client (simulating a school client)
- Docker LDAP Replica
- Docker Apache + MySQL + Zabbix
Note: each Docker container has its own job. Also, when I was preparing this project I decided to use a more secure authentication than LDAP's simple bind, so I implemented GSSAPI, the best option for this environment, but you have other options. See (Auth Types) for more information.
- OpenLDAP
  - Object classes used:
    - To retrieve users.
    - To retrieve groups.
    - To retrieve hosts.
  - Auth types working:
    - StartTLS (transport layer security)
    - Replication: Consumer LDAP with StartTLS communication and SASL GSSAPI.
- Docker
- OpenSSL, to create our own certificates for each service that needs them
- Supervisord
- Nslcd
- Kerberos
- PAM
- Zabbix agentd and Zabbix server
- Crond
- All the entries used in the LDAP database were created for the M06 subject at the Escola del Treball school.