Sync-endpoint-default-setup - question about LDAP config - RESOLVED

I have been following the docker installation guide. I have also referred to sync-endpoint-default-setup.

The instructions suggest how to change the default admin from cn=admin,dc=example,dc=org, but it’s not clear if changing this to my domain (eg, cn=admin,dc=mydomain,dc=org) will also change the ldap domain name.

Also, if I wanted the ldap server to listen at a different IP address (not public facing, but at the end of a tinc tunnel), where would I set this?

I have cloned the repo as instructed, so I think I am on version 2.0.0 of sync-endpoint-default-setup

Hi,

On changing the username,
I’m not sure what you mean by “ldap domain name”.
But changing dc=example,dc=org to dc=foo,dc=bar will not change where your LDAP (OpenLDAP instance) is hosted.

On accessing the LDAP server,
Do you mean accessing the LDAP server (OpenLDAP) or the phpLDAPAdmin server?

For the phpLDAPAdmin server,
Just make sure that there exists a route between the Swarm ingress network and your tinc tun/tap device. If your tinc server is configured properly, this should just work. Though, I don’t have much experience with tinc.

For the LDAP server,
By default this server is only accessible from within its own overlay network. To change this, in your docker-compose.yml file locate the section called ldap-service and in that section add

ports:
  - "389:389"

So the ldap-service section will now look like

ldap-service:
    image: odk/openldap
    ports:
      - "389:389"
...

Similarly, make sure that there is a route between the Swarm ingress network and your tinc tun/tap device. Then your LDAP server will be available at port 389.
See the Docker Compose Reference for more options on exposing ports.

Thanks a million for responding …

I didn’t want to end up with an ldap domain name of ‘example.org’ … I finally figured that the openldap/bootstrap.ldif looks up the details in ldap.env and creates the domain configured there.

ldap.env also allows us to define the admin user and password. So, I am sorted on that front.

I meant phpLDAPAdmin and I am still struggling to get connectivity to both nginx and phpLDAPAdmin … and most of my hassles relate to being able to force them to specific IP addresses (because I have several IP addresses on the host system, and some of them already have their ports 80 and 443 used) …

I can see the overlay network and the IP addresses via docker network

  • How to force nginx to listen on the swarm node’s IP address only. I tried to force it by modifying config/nginx/sync-endpoint-https.conf to listen to the swarm node’s IP address (which is visible on the host) … but that doesn’t work because it cannot see that IP address.

So, I am puzzled: if nginx and phpLDAPAdmin don’t bind to the swarm node’s IP address, then how can I access them externally from the node? So, I am clearly missing something.

  • On another note, by inspecting the running nginx container, I can see that it’s unable to resolve the name web-ui from within the container, and I don’t know how to resolve that. This is a big deal because nginx redirects / to /web-ui/ … so, if it cannot resolve it, then the server is not accessible at all.

I believe docker swarm provides name resolution natively, so why is it not resolving?

Would it make more sense for me to create new topic(s) for these issues?

Forgot to add that the swarm node is deployed on the tinc IP address. So, I didn’t feel a need to indicate IP in the exposed ports.

It’s just like the ports are not binding at all to the node’s IP address … and I wonder whether this is due to the setting of internal: true in the overlay network definition for sync-network

I have now resolved my issues, and it was all down to my misunderstanding of how docker swarm expects to manage a docker-machine.

Basically, all exposed ports tried to bind to all interfaces on the given host, and because I had other services using the same ports in the different IP addresses on the box, that was never going to work.

It was also not obvious why it was not working, not even from looking at logs of all services.

I tried everything to force the containers to bind to a particular IP address and that never worked. Changed to a different interface from the one bound to tinc (just in case tinc was part of the problem).

Finally, I created an lxd container in the host and isolated docker within it:

  • Enabled nested and privileged mode in the container
  • Enabled kernel drivers essential for docker/docker-machine to work well: overlayfs, vxlan, etc.
  • Modified the odk docker-compose overlay networks and set ‘internal: false’ for all of them.

And everything finally worked as expected.

So, then I have set up an nginx proxy server on the host to reverse-proxy for the nginx-served URLs in the container … it also proxies to phpLDAPAdmin (used an IP ACL to protect phpLDAPAdmin)

Thanks @linl33 for trying to help.
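The host-side reverse proxy described in the post above, as an added example that is not part of the thread or of the ODK sync-endpoint project: a host nginx that binds only to the tinc interface address, forwards the sync endpoint URLs to the nginx inside the lxd/Swarm container, and limits phpLDAPAdmin to the tinc subnet with an IP ACL. The addresses, ports, hostnames and certificate paths are assumed placeholders.

```nginx
# Added example (not from the thread or the ODK project): host nginx in front
# of the containerised sync-endpoint services. All values below are assumed.
server {
    listen 10.0.0.1:443 ssl;               # assumed tinc address; not 0.0.0.0
    server_name sync.example.org;          # assumed
    ssl_certificate     /etc/ssl/private/sync.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/private/sync.key;

    # Everything the in-container nginx serves (sync endpoint, /web-ui/ ...)
    location / {
        proxy_pass https://10.10.10.2:443;  # assumed lxd container address
        proxy_ssl_verify on;                # verify the container's certificate
        proxy_ssl_trusted_certificate /etc/ssl/certs/container-nginx.crt;  # assumed
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # phpLDAPAdmin: reachable from the tinc subnet only
    location /phpldapadmin/ {
        allow 10.0.0.0/24;                  # assumed tinc subnet
        deny  all;
        proxy_pass http://10.10.10.2:8080/; # assumed published phpLDAPAdmin port
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP on the same interface: redirect everything to HTTPS
server {
    listen 10.0.0.1:80;
    server_name sync.example.org;
    return 301 https://$host$request_uri;
}
```

Because the Swarm-published ports inside the lxd container still bind to all of that container's interfaces, the ACL is enforced at this host proxy and the container itself should only be reachable from the host.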

I’m glad everything worked out for you.

Have you tried making the Swarm node bind to the specific interface you want? You could do that by passing arguments to docker swarm init; see docker swarm init | Docker Documentation for details.