OpenLDAP client inside a docker container

With nslcd -d I saw that the address was already taken by the host system. I fixed it by mounting the socket when executing docker run with

-v /var/run/nslcd/socket:/var/run/nslcd/socket

I just spent the better part of this afternoon trying to run a service that seems to require root (nslcd) inside a container at startup while running the container as a non-root user (-u NON_ROOT_USER) as good security dictates. As you docker experts already knew, you can't do this because docker containers don't use the typical init.d process and so EVERYTHING (including CMD and ENTRYPOINT) is run as the specified container user.

Bonzai's own answer is an interesting workaround to this problem, but it should be noted that by doing this, you are using your host's nslcd daemon and not anything started within the container. I got this to work for me as well, without starting nslcd inside the container, but by simply configuring the container as if nslcd was started during init.d. I then run the container using docker run -u NON_ROOT_USER and "borrow" the nslcd daemon from the host.

Here's a snippet of the Dockerfile to answer Mark's question in the comments:

# Install ldap client and daemon (matching version with host)
RUN apt-get update && \
    apt-get install -y libnss-ldapd=0.9.9-1 nslcd=0.9.9-1

# Use sed to edit ldap config files as desired (use host as example)
# Route passwd and group lookups through LDAP in addition to the local files
RUN \
  sed -i '/^passwd:/ s/$/ ldap/' /etc/nsswitch.conf && \
  sed -i '/^group:/ s/$/ ldap/' /etc/nsswitch.conf
RUN \
  echo "BASE dc=domain,dc=more_domain" >> /etc/ldap/ldap.conf
# Point nslcd.conf at the same server and base the host uses. Note that the
# stock Debian/Ubuntu nslcd.conf ships the line as "#tls_reqcert never", so
# uncommenting it as-is leaves the ldaps:// server certificate unverified;
# "tls_reqcert demand" is the verifying setting.
RUN \
  sed -i 's~^uri.*~uri ldaps://ldap.server.domain/~' /etc/nslcd.conf && \
  sed -i 's~^#base.*~base dc=domain,dc=more_domain~' /etc/nslcd.conf && \
  sed -i 's~^#tls_reqcert~tls_reqcert~' /etc/nslcd.conf

I'll also note that since originally writing this, I've seen a few other examples of containers interfacing with host services (and then the outside world) via the file system instead of network ports.

I'm by no means an expert on this, so comments below on this discussion are welcome...
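As an added example that is not part of either answer above: a small POSIX shell check that a practitioner could run as a build-time test against the files the Dockerfile snippet edits (or against the host's copies, since with the socket mount it is the host's nslcd that actually does the lookups). It verifies that passwd and group lookups are routed to ldap in nsswitch.conf, that nslcd.conf has an active uri and base, and that an ldaps:// uri is paired with a verifying tls_reqcert value rather than the stock "never". The sample files it creates are constructed for the demonstration; the hostnames and base DNs in them are placeholders, not values from the answers.

```shell
#!/bin/sh
# Added example: post-build sanity check of the NSS/nslcd configuration.
# Not code from the original answers; file paths are passed in so it can be
# pointed at a container root filesystem (e.g. /rootfs/etc/nsswitch.conf)
# or at the constructed samples below.

# Usage: check_nss_ldap_config NSSWITCH_CONF NSLCD_CONF
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_nss_ldap_config() {
  nsswitch="$1"
  nslcd_conf="$2"
  rc=0

  # 1. passwd and group must list ldap as a source (what the sed lines add).
  for db in passwd group; do
    if ! grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$nsswitch"; then
      echo "FAIL: ${db} in ${nsswitch} does not include ldap"
      rc=1
    fi
  done

  # 2. nslcd needs an active (uncommented) uri and base.
  for key in uri base; do
    if ! grep -Eq "^${key}[[:space:]]+[^[:space:]]" "$nslcd_conf"; then
      echo "FAIL: no active '${key}' line in ${nslcd_conf}"
      rc=1
    fi
  done

  # 3. ldaps:// only protects the connection if the server certificate is
  #    verified. The stock Debian file ships '#tls_reqcert never'; uncommenting
  #    it unchanged disables verification, so require demand (or hard).
  if grep -Eq '^uri[[:space:]]+ldaps://' "$nslcd_conf"; then
    reqcert=$(awk '/^tls_reqcert[[:space:]]/ {print $2}' "$nslcd_conf" | tail -n 1)
    case "$reqcert" in
      demand|hard) ;;
      *)
        echo "FAIL: ldaps:// in use but tls_reqcert is '${reqcert:-unset}' (want demand)"
        rc=1
        ;;
    esac
  fi

  return $rc
}

# Constructed sample files for a stand-alone run (placeholders, not real hosts).
# Prints the temporary directory holding them.
make_samples() {
  dir=$(mktemp -d)
  printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat\n' > "$dir/nsswitch.good"
  printf 'passwd: compat\ngroup: compat ldap\n' > "$dir/nsswitch.bad"
  printf 'uid nslcd\ngid nslcd\nuri ldaps://ldap.example.test/\nbase dc=example,dc=test\ntls_reqcert demand\n' > "$dir/nslcd.good"
  printf 'uid nslcd\nuri ldaps://ldap.example.test/\nbase dc=example,dc=test\ntls_reqcert never\n' > "$dir/nslcd.weak"
  echo "$dir"
}

# Stand-alone run: the good pair passes, the weak pair is reported.
samples=$(make_samples)
check_nss_ldap_config "$samples/nsswitch.good" "$samples/nslcd.good" && echo "good config: OK"
check_nss_ldap_config "$samples/nsswitch.good" "$samples/nslcd.weak" || echo "weak config: rejected as expected"
rm -rf "$samples"
```

Run it inside the built image (or against a mounted copy of its /etc) before wiring the socket in; the tls_reqcert check is the one most likely to surprise, because the sed line in the snippet above enables whatever value the stock file carries.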