
I have a docker container running CentOS 6 with a non-root user and OpenLDAP. When I use getent passwd it just returns the data from /etc/passwd. The config file /etc/nsswitch.conf is customized accordingly (see below) and authconfig-gtk is used for configuration. Interestingly, I am able to fetch all user information with

ldapsearch -x -b "dc=physik,dc=rwth-aachen,dc=de"

but it is not accessible or not used inside the docker container. Did I misconfigure or miss something?

Installed Packages:

openldap openldap-clients nss-pam-ldapd authconfig-gtk

/etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
Bonzai
  • Maybe your `/etc/ldap.conf` (or `/etc/ldap/ldap.conf`, or `/etc/openldap/ldap.conf` ...) is misconfigured. – Janne Pikkarainen Jul 12 '16 at 10:05
  • The files are identical with these on the host system, where everything is working fine. I am wondering why I still can fetch user information manually. – Bonzai Jul 12 '16 at 10:24

2 Answers


With nslcd -d I saw that the address was already taken by the host system. I fixed it by mounting the socket when executing docker run with

-v /var/run/nslcd/socket:/var/run/nslcd/socket
Bonzai

I just spent the better part of this afternoon trying to run a service that seems to require root (nslcd) inside a container at startup while running the container as a non-root user (-u NON_ROOT_USER) as good security dictates. As you docker experts already knew, you can't do this because docker containers don't use the typical init.d process and so EVERYTHING (including CMD and ENTRYPOINT) is run as the specified container user.

Bonzai's own answer is an interesting workaround to this problem, but it should be noted that by doing this, you are using your host's nslcd daemon and not anything started within the container. I got this to work for me as well, without starting nslcd inside the container, but by simply configuring the container as if nslcd was started during init.d. I then run the container using docker run -u NON_ROOT_USER and "borrow" the nslcd daemon from the host.

Here's a snippet of the Dockerfile to answer Mark's question in the comments:

# Install ldap client and daemon (matching version with host)
RUN apt-get install -y libnss-ldapd=0.9.9-1 nslcd=0.9.9-1

# Use sed to edit ldap config files as desired (use host as example)
RUN \
  sed -i '/^passwd:/ s/$/ ldap/' /etc/nsswitch.conf && \
  sed -i '/^group:/ s/$/ ldap/' /etc/nsswitch.conf
RUN \
  echo "BASE dc=domain,dc=more_domain" >> /etc/ldap/ldap.conf
RUN \
  sed -i 's~^uri.*~uri ldaps://ldap.server.domain/~' /etc/nslcd.conf && \
  sed -i 's~^#base.*~base dc=domain,dc=more_domain~' /etc/nslcd.conf && \
  sed -i 's~^#tls_reqcert~tls_reqcert~' /etc/nslcd.conf

I'll also note that since originally writing this, I've seen a few other examples of containers interfacing with host services (and then the outside world) via the file system instead of network ports.

I'm by no means an expert on this, so comments below on this discussion are welcome...
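A container-side diagnostic for the symptom in the question, pulling together the points both answers make: the passwd/group lines in nsswitch.conf must list ldap, the nss-pam-ldapd NSS module must be loadable, and the nslcd socket must exist inside the container, either because nslcd runs there or because the host's socket was bind-mounted. This is an added example, not code from the question or from either answer. Assumptions: the socket path is the nss-pam-ldapd default that the accepted answer mounts, libnss_ldap.so.2 is the module name nss-pam-ldapd installs, and NSS_LDAP_CHECK_SOURCED is a hypothetical variable used only so the file can be sourced for its functions.

```shell
#!/bin/sh
# nss_ldap_check.sh: why does "getent passwd" only show /etc/passwd users?
# Added diagnostic, not code from the question or the answers.
# Assumptions (labelled): default nss-pam-ldapd socket path and module name;
# NSS_LDAP_CHECK_SOURCED is a hypothetical guard for sourcing the functions.

NSLCD_SOCKET="${NSLCD_SOCKET:-/var/run/nslcd/socket}"
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# nss_uses_ldap FILE DB: succeed (0) when the DB line of an nsswitch.conf
# (e.g. "passwd: files ldap") lists ldap as a source. Comments are ignored,
# so "passwd: files # ldap" does not count.
nss_uses_ldap() {
    sed 's/#.*//' "$1" 2>/dev/null \
      | grep -E "^[[:space:]]*$2:" \
      | grep -qE '(^|[[:space:]])ldap([[:space:]]|$)'
}

# nslcd_socket_ready PATH: the NSS module talks to nslcd over a Unix socket.
# In a container it exists only if nslcd runs inside it or the host's socket
# was bind-mounted (the fix in the accepted answer).
nslcd_socket_ready() {
    [ -S "$1" ]
}

# nss_ldap_module_present: glibc silently skips the "ldap" source when the
# dynamic loader cannot find libnss_ldap.so.2.
nss_ldap_module_present() {
    ldconfig -p 2>/dev/null | grep -q 'libnss_ldap\.so\.2' && return 0
    for d in /lib /lib64 /usr/lib /usr/lib64 /lib/*-linux-gnu /usr/lib/*-linux-gnu; do
        [ -e "$d/libnss_ldap.so.2" ] && return 0
    done
    return 1
}

# count_directory_only_users: names returned by getent that are absent from
# /etc/passwd. Zero means every lookup is still answered from files only.
count_directory_only_users() {
    t="${TMPDIR:-/tmp}"
    getent passwd 2>/dev/null | cut -d: -f1 | sort -u > "$t/nss_all.$$"
    cut -d: -f1 /etc/passwd 2>/dev/null | sort -u > "$t/nss_files.$$"
    comm -23 "$t/nss_all.$$" "$t/nss_files.$$" | wc -l | tr -d ' '
    rm -f "$t/nss_all.$$" "$t/nss_files.$$"
}

# diagnose: run every check, print one line per finding, return 1 on any FAIL.
diagnose() {
    rc=0
    for db in passwd group; do
        if nss_uses_ldap "$NSSWITCH" "$db"; then
            echo "ok:   $db lists ldap in $NSSWITCH"
        else
            echo "FAIL: $db does not list ldap in $NSSWITCH"; rc=1
        fi
    done
    if nss_ldap_module_present; then
        echo "ok:   libnss_ldap.so.2 found"
    else
        echo "FAIL: libnss_ldap.so.2 not found (install nss-pam-ldapd / libnss-ldapd)"; rc=1
    fi
    if nslcd_socket_ready "$NSLCD_SOCKET"; then
        echo "ok:   nslcd socket present at $NSLCD_SOCKET"
    else
        echo "FAIL: no socket at $NSLCD_SOCKET (start nslcd here or mount the host's socket)"; rc=1
    fi
    echo "info: $(count_directory_only_users) user(s) come from the directory rather than /etc/passwd"
    return $rc
}

# Run the diagnosis unless the file is sourced only for its functions.
if [ -z "${NSS_LDAP_CHECK_SOURCED:-}" ]; then
    DIAG_STATUS=0
    diagnose || DIAG_STATUS=$?
    echo "overall: $DIAG_STATUS (0 = all checks passed)"
fi
```

Run it inside the container (for example via docker exec) before and after adding -v /var/run/nslcd/socket:/var/run/nslcd/socket to docker run; a FAIL on the socket line with the other checks ok is exactly the state the question describes. Two things to keep in mind when borrowing the host's daemon: the container then inherits the host's nslcd.conf (uri, base, TLS settings) and can look up everything the host nslcd can, so the socket mount should be treated like any other host resource shared into a container; and in the Dockerfile snippet above, uncommenting #tls_reqcert keeps whatever value the shipped template carried (in Debian's nslcd.conf the example line reads #tls_reqcert never, which turns certificate checking off), so confirm the effective line with grep ^tls_reqcert /etc/nslcd.conf and prefer tls_reqcert demand together with a tls_cacertfile.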