OpenLDAP client inside a docker container

docker centos ldap openldap pam

With nslcd -d I saw that the address was already taken by the host system. I fixed it by mounting the socket when executing docker run with

-v /var/run/nslcd/socket:/var/run/nslcd/socket

I just spent the better part of this afternoon trying to run a service that seems to require root (nslcd) inside a container at startup while running the container as a non-root user (-u NON_ROOT_USER) as good security dictates. As you docker experts already knew, you can't do this because docker containers don't use the typical init.d process and so EVERYTHING (including CMD and ENTRYPOINT) is run as the specified container user.

Bonzai's own answer is an interesting workaround to this problem, but it should be noted that by doing this, you are using your host's nslcd daemon and not anything started within the container. I got this to work for me as well, without starting nslcd inside the container, but by simply configuring the container as if nslcd was started during init.d. I then run the container using docker run -u NON_ROOT_USER and "borrow" the nslcd daemon from the host.

Here's a snippet of the Dockerfile to answer Mark's question in the comments:

# Install ldap client and daemon (matching version with host)
RUN apt-get install -y libnss-ldapd=0.9.9-1 nslcd=0.9.9-1

# Use sed to edit ldap config files as desired (use host as example)
RUN \
  sed -i '/^passwd:/ s/$/ ldap/' /etc/nsswitch.conf && \
  sed -i '/^group:/ s/$/ ldap/' /etc/nsswitch.conf   
RUN \
  echo "BASE dc=domain,dc=more_domain" >> /etc/ldap/ldap.conf
RUN \
  sed -i 's~^uri.*~uri ldaps://ldap.server.domain/~' /etc/nslcd.conf && \
  sed -i 's~^#base.*~base dc=domain,dc=more_domain~' /etc/nslcd.conf && \
  sed -i 's~^#tls_reqcert~tls_reqcert~' /etc/nslcd.conf

I'll also note that since originally writing this, I've seen a few other examples of containers interfacing with host services (and then the outside world) via the file system instead of network ports.

I'm by no means an expert on this, so comments below on this discussion are welcome...

Related

How to create hyperlink to call phone number on mobile devices?
What is the Difference Between read() and recv() , and Between send() and write()?
Best way to run scheduled tasks [closed]
What actually causes a Stack Overflow error? [duplicate]
CSS hexadecimal RGBA?
Can you "compile" PHP code and upload a binary-ish file, which will just be run by the byte code interpreter?
Unable to create Android Virtual Device
What is "android.R.layout.simple_list_item_1"?
Difference between res.send and res.json in Express.js
My prerelease app has been "processing" for over a week in iTunes Connect, what gives?
What is the difference between a map and a dictionary?
(Deep) copying an array using jQuery [duplicate]