Skip to content

Latest commit

 

History

History

base

README.md

yadd/lemonldap-ng-base

Base image for yadd/lemonldap-ng-* dockers. Does nothing except configuring LemonLDAP::NG.

Tags

  • stable: latest lemonldap-ng* packages from Debian backports
  • stable-no-s6: the same without S6-overlay
  • 2.x.x: versioned lemonldap-ng* packages from Debian backports
  • 2.x.x-no-s6: the same without S6-overlay

Features

  • Always use "Overlay" configuration backend. See Override configuration parameters
  • Update current configuration using given variables :
    • set domain (SSODOMAIN)
    • set portal (PORTAL)
    • set log level (LOGLEVEL)
    • if REDIS_SERVER is set, change globalStorage to Apache::Session::Browseable::Redis and configure it (indexes given by REDIS_INDEXES, default: "uid mail")
  • Upload local configuration into PostgreSQL database if:
    • PG_SERVER is given AND
    • PostgreSQL table is empty
  • Initialize LLNG configuration key to a random value if not already initialized or if FORCE_KEY_REGENERATION is set to yes

It is generaly a good idea to set this value to yes

Variables and default values

  • SSODOMAIN = example.com
  • CROWDSEC_SERVER = (full base url, example: http://myserver:8080)
  • CROWDSEC_POLICY = reject (possible values: warn, reject)
  • CROWDSEC_KEY = (required, given by cscli bouncers add mylemon)
  • CROWDSEC_IGNORE_FAILURES = (possible values: 1)
  • FORWARDED_BY = (set here the IP address of reverse proxy if any)
  • PORTAL = http://auth.example.com/ (full URL needed here)
  • LISTEN = (set :PORTNUMBER here if you want to access directly to FastCGI server)
  • LOGLEVEL = info (possible values: debug, info, notice, warn, error)
  • LOGGER = syslog (possible values: stderr, syslog)
  • USERLOGGER = syslog (possible values: stderr, syslog)
  • FORCE_KEY_REGENERATION = no
  • LANGUAGES = default LLNG list (set here the wanted languages separated by comma. Example: fr,en)
  • Configuration and persistent session storage
    • PG_SERVER =
    • PG_DATABASE = lemonldapng
    • PG_USER = lemonldap
    • PG_PASSWORD = lemonldap
    • PG_TABLE = lmConfig
    • PG_OPTIONS =
    • Advanced (see DBI(3pm) for more)
      • DBI_CHAIN = if $PG_SERVER then DBI:Pg:database=$PG_DATABASE;host=$PG_SERVER;$PG_OPTIONS else ""
      • DBI_USER = $PG_USER
      • DBI_PASSWORD = $PG_PASSWORD
  • Session storage:
    • REDIS_SERVER =
    • REDIS_INDEXES = _whatToTrace _session_kind _utime ipAddr _httpSessionType _user (see Apache::Session::Browseable::Redis)
    • Used only if REDIS_SERVER is empty and configuration database is empty:
      • PG_PERSISTENT_SESSIONS_TABLE = psessions
      • PG_SESSIONS_TABLE = sessions
      • PG_SAML_TABLE = samlsessions
      • PG_OIDC_TABLE = oidcsessions
      • PG_CAS_TABLE = cassessions
  • Session purge tasks:
    • HANDLER_CRON = yes
    • PORTAL_CRON = yes

LemonLDAP::NG logs: when using default values (syslog), logs are stored in /var/log/syslogd/ (default S6 behavior)

Advanced PostgreSQL configuration

Use PG_OPTIONS to set additional parameters. Examples:

  • Change default port: PG_OPTIONS=port=23456
  • Change SSL mode: PG_OPTIONS=sslmode=require
  • Both: PG_OPTIONS=port=23456;PG_OPTIONS=sslmode=require

Or use DBI_CHAIN directly (and then DBI_USER and DBI_PASSWORD):

DBI_CHAIN=dbi:Pg:dbname=lemonldapng;host=postgresql.host.tld;port=23456;sslmode=require
DBI_USER=pguser
DBI_PASSWORD=pgpassword

Override configuration parameters

You can easily override any Lemonldap::NG configuration parameter using the overlay system (starting from 2.19.0-1 tag). Simply push files into /over directory:

  • filename is the configuration parameter name
  • content is the raw content or a JSON content

You can also easily override any Lemonldap::NG configuration parameter using a environment variable set to OVERRIDE_<parameter name>. For example, to set checkXSSto 0 and exportedVars to {"Name":"cn"} in a docker-compose.yml file, use:

  environment:
    - OVERRIDE_checkXSS=0
    - OVERRIDE_exportedVars={"Name":"cn"}

Note that JSON notation is supported only for objects and arrays.

To modify subkeys, use "_" separator. For example to set the subkey "uid" of key "ldapExportedVars" to "cn", use:

  environment:
    - OVERRIDE_ldapExportedVars_uid=cn

Note that the container key (here ldapExportedVars) must exist.

Docker-compose example

Example with yadd/lemonldap-ng-portal and crowdesc enabled

version: "3.4"

services:
  pgdb:
    image: yadd/lemonldap-ng-pg-database
    environment:
      - POSTGRES_PASSWORD=zz
    healthcheck:
      test: ["CMD-SHELL", "pg_isready"]
      interval: 10s
      timeout: 5s
      retries: 5
  redis:
    image: redis
  base:
    image: yadd/lemonldap-ng-portal
    environment:
      - PG_SERVER=pgdb
      - REDIS_SERVER=redis:6379
      - LOGGER=stderr
      - USERLOGGER=stderr
      - OVERRIDE_exportedVars={"cn":"cn","mail":"mail","uid":"uid"}
      - CROWDSEC_SERVER=http://crowdsec:8080
      - CROWDSEC_KEY=myrandomstring
      - CROWDSEC_ACTION=reject
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
  crowdsec:
    image: crowdsecurity/crowdsec
    environment:
      - BOUNCER_KEY_llng=myrandomstring

Repository and bug reports

Copyright and license

Copyright:

License: GNU General Public License v2.0