Skip to content

OpenDJ

Overview#

Docker image packaging for OpenDJ.

Version#

Latest stable version for Gluu Server Docker Edition v3.1.5 is gluufederation/opendj:3.1.5_03.

Environment Variables#

The following environment variables are supported by the container:

  • GLUU_CONFIG_ADAPTER: The config backend adapter, can be consul (default) or kubernetes.
  • GLUU_CONFIG_CONSUL_HOST: hostname or IP of Consul (default to localhost).
  • GLUU_CONFIG_CONSUL_PORT: port of Consul (default to 8500).
  • GLUU_CONFIG_CONSUL_CONSISTENCY: Consul consistency mode (choose one of default, consistent, or stale). Default to stale mode.
  • GLUU_CONFIG_CONSUL_SCHEME: supported Consul scheme (http or https).
  • GLUU_CONFIG_CONSUL_VERIFY: whether to verify cert or not (default to false).
  • GLUU_CONFIG_CONSUL_CACERT_FILE: path to Consul CA cert file (default to /etc/certs/consul_ca.crt). This file will be used if it exists and GLUU_CONFIG_CONSUL_VERIFY set to true.
  • GLUU_CONFIG_CONSUL_CERT_FILE: path to Consul cert file (default to /etc/certs/consul_client.crt).
  • GLUU_CONFIG_CONSUL_KEY_FILE: path to Consul key file (default to /etc/certs/consul_client.key).
  • GLUU_CONFIG_CONSUL_TOKEN_FILE: path to file contains ACL token (default to /etc/certs/consul_token).
  • GLUU_CONFIG_KUBERNETES_NAMESPACE: Kubernetes namespace (default to default).
  • GLUU_CONFIG_KUBERNETES_CONFIGMAP: Kubernetes configmaps name (default to gluu).
  • GLUU_CONFIG_KUBERNETES_USE_KUBE_CONFIG: Load credentials from $HOME/.kube/config, only useful for non-container environment (default to false).
  • GLUU_SECRET_ADAPTER: The secrets adapter, can be vault or kubernetes.
  • GLUU_SECRET_VAULT_SCHEME: supported Vault scheme (http or https).
  • GLUU_SECRET_VAULT_HOST: hostname or IP of Vault (default to localhost).
  • GLUU_SECRET_VAULT_PORT: port of Vault (default to 8200).
  • GLUU_SECRET_VAULT_VERIFY: whether to verify cert or not (default to false).
  • GLUU_SECRET_VAULT_ROLE_ID_FILE: path to file contains Vault AppRole role ID (default to /etc/certs/vault_role_id).
  • GLUU_SECRET_VAULT_SECRET_ID_FILE: path to file contains Vault AppRole secret ID (default to /etc/certs/vault_secret_id).
  • GLUU_SECRET_VAULT_CERT_FILE: path to Vault cert file (default to /etc/certs/vault_client.crt).
  • GLUU_SECRET_VAULT_KEY_FILE: path to Vault key file (default to /etc/certs/vault_client.key).
  • GLUU_SECRET_VAULT_CACERT_FILE: path to Vault CA cert file (default to /etc/certs/vault_ca.crt). This file will be used if it exists and GLUU_SECRET_VAULT_VERIFY set to true.
  • GLUU_SECRET_KUBERNETES_NAMESPACE: Kubernetes namespace (default to default).
  • GLUU_SECRET_KUBERNETES_CONFIGMAP: Kubernetes secrets name (default to gluu).
  • GLUU_SECRET_KUBERNETES_USE_KUBE_CONFIG: Load credentials from $HOME/.kube/config, only useful for non-container environment (default to false).
  • GLUU_WAIT_MAX_TIME: How long the startup "health checks" should run (default to 300 seconds).
  • GLUU_WAIT_SLEEP_DURATION: Delay between startup "health checks" (default to 5 seconds).
  • GLUU_LDAP_INIT: whether to import initial LDAP entries (possible values are true or false).
  • GLUU_LDAP_INIT_HOST: LDAP hostname for initial configuration (only usable when GLUU_LDAP_INIT set to true).
  • GLUU_LDAP_INIT_PORT: LDAP port for initial configuration (only usable when GLUU_LDAP_INIT set to true).
  • GLUU_CACHE_TYPE: supported values are IN_MEMORY, REDIS, MEMCACHED, and NATIVE_PERSISTENCE (default is NATIVE_PERSISTENCE)
  • GLUU_REDIS_URL: URL of redis service, format is host:port (optional).
  • GLUU_REDIS_TYPE: redis service type, either STANDALONE or CLUSTER (optional).
  • GLUU_LDAP_ADDR_INTERFACE: interface name where the IP will be guessed and registered as OpenDJ host, e.g. eth0 (will be ignored if GLUU_LDAP_ADVERTISE_ADDR is used).
  • GLUU_LDAP_ADVERTISE_ADDR: the hostname/IP address used as the host of OpenDJ server.
  • GLUU_CERT_ALT_NAME: an additional DNS name set as Subject Alt Name in cert. If the value is not an empty string and doesn't match existing Subject Alt Name (or doesn't exist) in existing cert, then new cert will be regenerated and overwrite the one that saved in config backend. This environment variable is required only if oxShibboleth is deployed, to address issue with mismatched CN and destination hostname while trying to connect to OpenDJ. Note, any existing containers that connect to OpenDJ must be re-deployed to download new cert.
  • GLUU_OXTRUST_CONFIG_GENERATION: whether to generate oxShibboleth configuration or not (default to false).

Unsupported environment variables from previous versions (see GLUU_CONFIG_CONSUL_* or GLUU_CONFIG_KUBERNETES_* for replacement as seen below):

Old Environment Variable New Environment Variable
GLUU_CONSUL_HOST GLUU_CONFIG_CONSUL_HOST
GLUU_CONSUL_PORT GLUU_CONFIG_CONSUL_PORT
GLUU_CONSUL_CONSISTENCY GLUU_CONFIG_CONSUL_CONSISTENCY
GLUU_CONSUL_SCHEME GLUU_CONFIG_CONSUL_SCHEME
GLUU_CONSUL_VERIFY GLUU_CONFIG_CONSUL_VERIFY
GLUU_CONSUL_CACERT_FILE GLUU_CONFIG_CONSUL_CACERT_FILE
GLUU_CONSUL_CERT_FILE GLUU_CONFIG_CONSUL_CERT_FILE
GLUU_CONSUL_KEY_FILE GLUU_CONFIG_CONSUL_KEY_FILE
GLUU_CONSUL_TOKEN_FILE GLUU_CONFIG_CONSUL_TOKEN_FILE
GLUU_KUBERNETES_NAMESPACE GLUU_CONFIG_KUBERNETES_NAMESPACE
GLUU_KUBERNETES_CONFIGMAP GLUU_CONFIG_KUBERNETES_CONFIGMAP

Initializing LDAP Data#

To generate initial data (entries) for LDAP, the container must run using GLUU_LDAP_INIT=true and pass along the GLUU_LDAP_INIT_HOST=service_or_container_name and GLUU_LDAP_INIT_PORT=1636 environment variables. For example:

# docker-compose.yaml
services:
  ldap:
    image: gluufederation/opendj:3.1.5_02
    environment:
      - GLUU_CONFIG_ADAPTER=consul
      - GLUU_SECRET_ADAPTER=vault
      - GLUU_LDAP_INIT=true
      - GLUU_LDAP_INIT_HOST=ldap
      - GLUU_LDAP_INIT_PORT=1636
    container_name: ldap

It's important to not scale this service/container, otherwise the data will be overlapped. See the next section for additional OpenDJ containers.

LDAP Replication#

Since there should be a single OpenDJ to generate initial data, the other OpenDJ containers must replicate the data from the existing OpenDJ container. For example:

# docker-compose-repl.yaml
services:
  ldap2:
    image: gluufederation/opendj:3.1.5_02
    environment:
      - GLUU_CONFIG_ADAPTER=consul
      - GLUU_SECRET_ADAPTER=vault
      - GLUU_LDAP_INIT=false
    container_name: ldap2

The replication process is automatically run when the container runs. Check the container logs to see the result and optionally run /opt/opendj/bin/dsreplication status inside the container.