Dockerized 389ds with TLS

389 Directory Server(389ds) is an enterprise-class Open Source LDAP server for Linux.

This image provides a dockerized 389ds with TLS authentication support, data persistence support through volumes and easy management of server certificates.

The best way to use the image is with docker-compose by adapting the sample 'docker-compose.yml' file.

ldap:
  image: 389ds:latest
  hostname: ldap.example.com
  volumes:
    - ./data:/var/lib/dirsrv:Z
    - ./config:/etc/dirsrv:Z
    - ./logs:/var/log/dirsrv:Z
    - ./certs:/certs:Z
  environment:
    DIR_SUFFIX: dc=example,dc=lan
    DIR_ADMIN_USERNAME: "myadmin"
    DIR_MANAGER_PASSWORD: "Admin123"
    DIR_ADMIN_UID: "15000"
    DIR_USERS_HOME: "/users"
  ports:
    - 389:389
    - 636:636
  restart: always

Then run the service with

docker-compose up

You can customize how the 389ds instance will be created through environment variables. DIR_HOSTNAME: The hostname to use for the directory server by default this will be the fully qualified container hostname provided in docker-compose.yml or the hostname provided through the --hostname from docker run. A fully qualified hostname is required

DIR_ADMIN_USERNAME: The username of the default admin account to be created in LDAP, will be bladmin if not specified

DIR_ADMIN_PASSWORD: The password for the default admin account password, will be same as DIR_MANAGER_PASSWORD or Admin123 if neither is specified

DIR_ADMIN_UID: The admin account uid

DIR_MANAGER_PASSWORD: The password for the Directory Manager, will be same as DIR_ADMIN_PASSWORD or Admin123 if neither is specified

DIR_SUFFIX: The base DN of the directory instance (eg. "dc=example,dc=com"} default will be "dc=example,dc=com" if not specified

DIR_USERS_HOME: The top level directory where user accounts should be created. Default is "/home"

DIR_USERS_SHELL: The shell for user accounts.Default is "/bin/bash"

To preserve configuration and data between restarts and recreating the container, the following volumes should be mounted

/etc/dirsrv:  location where instance configuration data is stored. Must be empty initially  
/var/lib/dirsrv:  database storage location. Must be empty initially  
/var/log/dirsrv:  location where logs will be stored. Must be empty initially  
/certs:  Certificate import directory. The image expects to find the following files in this directory

    server.key - X509 Private Key file in PEM format (mandatory)  
    server.crt - X509 Certificate file in PEM format (mandatory)  
    ca.pem - Public key of the Certificate Authority who signed the server certificate in PEM format (optional). 
    
    For TLS, Make sure ca.pem is recognized by the client  
    To update certificate and key files just replace those with new ones and restart the container.  

ldapsearch -x -ZZ -h localhost -D "cn=Directory Manager" -b "dc=example,dc=com" -W