Day 07: Jenkins LDAP Simulation Environment
This guide provides a step-by-step automation process to simulate a corporate LDAP environment using Docker. It is designed to test Jenkins authentication, group mapping, and Role-Based Access Control (RBAC).
🛠️ The Automation Script
Save the following code as setup_ldap.sh, grant execution permissions (chmod +x setup_ldap.sh), and run it.
```bash
#!/bin/bash
# 1. Define Local Paths for Persistence
DATA_DIR="$(pwd)/ldap_data"
CONF_DIR="$(pwd)/ldap_config"

# 2. Cleanup old environment
echo "Stopping old containers and wiping local mount folders..."
docker rm -f ldap-server 2>/dev/null
sudo rm -rf "$DATA_DIR" "$CONF_DIR"

# Create fresh directories
mkdir -p "$DATA_DIR" "$CONF_DIR"

# 3. Start the Server with Volume Mounts
echo "Starting LDAP server with volume persistence..."
docker run -d -p 389:389 --name ldap-server \
  -e LDAP_INIT_ORG_DN='dc=mycompany,dc=com' \
  -e LDAP_INIT_ROOT_USER_DN='uid=admin,dc=mycompany,dc=com' \
  -e LDAP_INIT_ROOT_USER_PW='newpassword123' \
  -e LDAP_INIT_ORG_NAME='MyCompany Corp' \
  -e LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \
  -v "$DATA_DIR":/var/lib/ldap \
  -v "$CONF_DIR":/etc/ldap/slapd.d \
  vegardit/openldap:latest

# Wait for database to initialize
echo "Waiting 15 seconds for filesystem initialization..."
sleep 15

# 4. Inject Dummy Data (4 Users, 2 Groups)
# Note: LDIF entries must be separated by a blank line, or ldapadd rejects the file.
echo "Injecting dummy data..."
docker exec -i ldap-server bash -c 'cat <<EOF > /tmp/data.ldif
dn: ou=Users,dc=mycompany,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=mycompany,dc=com
objectClass: organizationalUnit
ou: Groups

dn: uid=alice.smith,ou=Users,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: alice.smith
cn: Alice Smith
sn: Smith
userPassword: Password123456

dn: uid=bob.jones,ou=Users,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: bob.jones
cn: Bob Jones
sn: Jones
userPassword: Password123456

dn: uid=charlie.brown,ou=Users,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: charlie.brown
cn: Charlie Brown
sn: Brown
userPassword: Password123456

dn: uid=dana.white,ou=Users,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: dana.white
cn: Dana White
sn: White
userPassword: Password123456

dn: cn=jenkins-admins,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfNames
cn: jenkins-admins
member: uid=alice.smith,ou=Users,dc=mycompany,dc=com
member: uid=bob.jones,ou=Users,dc=mycompany,dc=com

dn: cn=jenkins-developers,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfNames
cn: jenkins-developers
member: uid=charlie.brown,ou=Users,dc=mycompany,dc=com
member: uid=dana.white,ou=Users,dc=mycompany,dc=com
EOF
ldapadd -x -D "uid=admin,dc=mycompany,dc=com" -w newpassword123 -f /tmp/data.ldif'

echo "------------------------------------------------"
echo "Setup Complete! Data is saved in $DATA_DIR"
echo "Manager DN: uid=admin,dc=mycompany,dc=com"
echo "------------------------------------------------"
```
🧠 Key Concepts & Lessons Learned
1. Volume Persistence
By using -v, the LDAP database (/var/lib/ldap) and the server configuration (/etc/ldap/slapd.d) are stored on the host machine. This means you can stop and start the container without losing your users or group mappings; only the cleanup step at the top of the script wipes them.
2. The “Status 80” Error Fix
We learned that OpenLDAP requires the Root DN (the admin account) to sit under the suffix (the base domain). If the suffix is dc=mycompany,dc=com, the admin DN must end with that same string; otherwise slapd refuses to start and the container exits.
3. Password Policy (PPolicy)
The server is configured with a 12-character minimum password length. Any ldapadd or ldapmodify attempt that sets a shorter userPassword is rejected by the server, mimicking real-world security requirements. The passwords in the script (Password123456, 14 characters) pass this check.
4. Group Mapping in Jenkins
Jenkins resolves a user's teams from groupOfNames entries: after the user search returns the user's DN, the plugin searches the Group Search Base for groups whose member attribute contains that DN, and each matching cn becomes a group name that RBAC rules can reference.
- Admins: Alice Smith, Bob Jones
- Developers: Charlie Brown, Dana White
⚙️ Jenkins Configuration Table
| Jenkins Field | Value |
|---|---|
| Server | ldap://localhost:389 |
| Root DN | dc=mycompany,dc=com |
| User Search Base | ou=Users |
| User Search Filter | uid={0} |
| Group Search Base | ou=Groups |
| Manager DN | uid=admin,dc=mycompany,dc=com |
| Manager Password | newpassword123 |
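The following Python is an added example, not part of the original guide or the Jenkins plugin, that models offline how the table's fields combine: the User Search Filter uid={0} is applied below ou=Users,<Root DN>, then groupOfNames entries below ou=Groups whose member attribute lists the resulting DN become the user's groups (section 4). It also runs the ppolicy pre-flight check from section 3 on a constructed LDIF sample, in which charlie.brown is deliberately given a password shorter than 12 characters.

```python
# Values taken from the Jenkins configuration table and setup_ldap.sh above.
ROOT_DN, USER_SEARCH_BASE, GROUP_SEARCH_BASE = "dc=mycompany,dc=com", "ou=Users", "ou=Groups"
USER_FILTER, PW_MIN_LENGTH = "uid={0}", 12  # same as LDAP_INIT_PPOLICY_PW_MIN_LENGTH
# Constructed sample LDIF: a subset of the script's data, except that charlie.brown is
# deliberately given a password shorter than the 12-character policy to exercise the check.
SAMPLE_LDIF = """\
dn: uid=alice.smith,ou=Users,dc=mycompany,dc=com
uid: alice.smith
userPassword: Password123456

dn: uid=charlie.brown,ou=Users,dc=mycompany,dc=com
uid: charlie.brown
userPassword: short1

dn: cn=jenkins-admins,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfNames
cn: jenkins-admins
member: uid=alice.smith,ou=Users,dc=mycompany,dc=com

dn: cn=jenkins-developers,ou=Groups,dc=mycompany,dc=com
objectClass: groupOfNames
cn: jenkins-developers
member: uid=charlie.brown,ou=Users,dc=mycompany,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attribute: [values]}}; LDIF entries are separated by blank lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for key, _, value in (line.partition(":") for line in block.splitlines()):
            attrs.setdefault(key, []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def resolve_user(entries, username):
    """User search: expand uid={0} below ou=Users,<Root DN>; return the entry DN or None."""
    attr, value = USER_FILTER.format(username).split("=", 1)
    return next((dn for dn, a in entries.items() if dn.endswith(f",{USER_SEARCH_BASE},{ROOT_DN}")
                 and a.get(attr, [None])[0] == value), None)

def resolve_groups(entries, user_dn):
    """Group search: groupOfNames entries below ou=Groups whose member lists the user DN."""
    return sorted(a["cn"][0] for dn, a in entries.items() if dn.endswith(f",{GROUP_SEARCH_BASE},{ROOT_DN}")
                  and "groupOfNames" in a.get("objectClass", []) and user_dn in a.get("member", []))

def weak_passwords(entries):
    """Pre-flight check: entries whose userPassword the 12-character ppolicy would reject."""
    return sorted(dn for dn, a in entries.items()
                  if any(len(p) < PW_MIN_LENGTH for p in a.get("userPassword", [])))
```

Running weak_passwords over the real data.ldif before the ldapadd step tells you which entries the server will refuse, instead of discovering it from a partial import.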