fsfe-system-hackers/stunnel
Archived
17
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
This repository has been archived on 2022-02-25. You can view files and clone it, but cannot push or open issues or pull requests.
5 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
max.mehl cb559e521a
fix ldap address
2022-01-20 21:56:45 +01:00
LICENSES
initial commit
2020-06-02 17:14:40 +02:00
conf-stunnel.sh
initial commit
2020-06-02 17:14:40 +02:00
docker-compose.yml
initial commit
2020-06-02 17:14:40 +02:00
Dockerfile
initial commit
2020-06-02 17:14:40 +02:00
README.md
use version instead of latest
2020-06-03 16:20:22 +02:00
stunnel.conf
fix ldap address
2022-01-20 21:56:45 +01:00

README.md

FSFE stunnel for LDAP

This Docker image is being used to allow containers to securely access the FSFE LDAP server via an encrypted connection via client certificates.

Preparations

First of all, create a new LDAP client key and certificate for your service against the FSFE's CA.

On the Docker host(s), store the required files. The default values are next to the items:

  • a template for the stunnel config: /srv/ldap/stunnel/stunnel.conf
  • the CA certificate of the LDAP server: /srv/ldap/keys/ca/ca.crt
  • the LDAP client key and certificate: /srv/ldap/keys/servicename/client.crt, /srv/ldap/keys/servicename/client.key

Integration into Docker service

To allow your container to connect to LDAP, follow these steps:

1. Add to docker compose file

In your docker-compose.yml, add the stunnel image as a service. Please rename servicename accordingly:

  servicename-ldap:
    container_name: servicename-ldap
    image: fsfe/stunnel:1
    restart: always
    expose:
      - "389"
    volumes:
      - "/srv/ldap/stunnel:/tmp/stunnel/:ro"
      - "/srv/ldap/keys/ca:/etc/ssl/private/ldap/ca:ro"
      - "/srv/ldap/keys/servicename:/etc/ssl/private/ldap/keys:ro"

2. Add to webserver config

In your webserver config, add the LDAP authentication. For Apache, this may look like the following:

<Directory /var/www/html/>
  AuthType Basic
  AuthName "Access permissions required"
  AuthBasicProvider ldap
  AuthLDAPBindDN uid=groupsreader,ou=fellowship,dc=fsfe,dc=org
  AuthLDAPBindPassword LDAP_BIND_PW
  AuthLDAPUrl ldap://servicename-ldap:389/ou=fellowship,dc=fsfe,dc=org?uid?sub?(!(uid=*@*))
  Require ldap-group cn=team, ou=groups, dc=fsfe, dc=org
</Directory>

Again, make sure to replace servicename with the actual name of the container. Also, do not use any encryption for LDAP inside the service, stunnel takes care of that. Please be aware that providing a password is still required in our setup.

3. Activate webserver modules

Depending on your webserver, you might have to enable LDAP modules. It's best to do that in your Dockerfile.

  • Apache: RUN a2enmod ldap authnz_ldap
Description
stunnel Docker image to be used for all Docker container using LDAP
docker
Readme 42 KiB
Languages
Dockerfile 50.6%
Shell 49.4%