An OpenLDAP server with declarative directory state. LDAP Data Interchange Format (LDIF) files are the single source of truth. On startup, the container reconciles the directory to the state described by the LDIF inputs. Runtime changes are not persisted; restarting the container always produces the same directory state for the same LDIF.
Main features of the OCI image:
- Declarative, idempotent directory state defined entirely by LDIF files (reset-on-restart semantics).
- Support for unprivileged execution (rootless).
- Fully featured OpenLDAP, plus essential debugging utilities and no unnecessary extras.
This image is intended for small, isolated LDAP directories where reproducibility, auditability, and deterministic behavior are required. Typical use cases include defense-in-depth architectures where applications operate with a minimal, self-contained user directory.
- latest: Latest release of this image.
To build the image locally, do the following:
- Install Podman.
- Clone or pull the latest changes from the foundata/oci-openldap-declarative git repository.
- Change into the directory and execute the build command:

```shell
podman build -t openldap-declarative .
```
Use the image you built earlier or pull the image from a registry:
- Quay:

```shell
podman pull quay.io/foundata/openldap-declarative:latest
```

- Docker Hub:

```shell
podman pull docker.io/foundata/openldap-declarative:latest
```
Run a container from the image:

```shell
podman run --detach \
  --name ldap-foobar \
  --env LDAP_DOMAIN="foobar.svc.local" \
  --env LDAP_ADMIN_PASSWORD="SecurePass123" \
  --publish 127.0.0.1:1389:1389 \
  --volume ./examples/basic/config:/ldap/config:ro,Z \
  --volume ./examples/basic/data:/ldap/data:ro,Z \
  openldap-declarative:latest
```

With TLS:

```shell
podman run --detach \
  --name ldap-foobar \
  --env LDAP_DOMAIN="foobar.svc.local" \
  --env LDAP_ADMIN_PASSWORD="SecurePass123" \
  --env LDAP_TLS_ENABLED="true" \
  --publish 127.0.0.1:1389:1389 \
  --publish 127.0.0.1:1636:1636 \
  --volume ./examples/basic/config:/ldap/config:ro,Z \
  --volume ./examples/basic/data:/ldap/data:ro,Z \
  --volume ./examples/basic/tls:/ldap/tls:ro,Z \
  openldap-declarative:latest
```
You can now work with the container:

```shell
podman ps

# List all objects (org, groups, users, ...)
ldapsearch -x -H ldap://127.0.0.1:1389 \
  -D "cn=admin,dc=foobar,dc=svc,dc=local" \
  -w "SecurePass123" \
  -b "dc=foobar,dc=svc,dc=local" "(objectClass=*)"

# List all users in "ou=people"
ldapsearch -x -H ldap://127.0.0.1:1389 \
  -D "cn=admin,dc=foobar,dc=svc,dc=local" \
  -w "SecurePass123" \
  -b "ou=people,dc=foobar,dc=svc,dc=local" "(objectClass=inetOrgPerson)"
```

Note that `-w` puts the bind password into the process list and your shell history. Outside of throwaway setups, use `-W` to be prompted for it or `-y <file>` to read it from a file.
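The central guarantee of this image is that runtime changes are discarded and a restart reconciles the directory back to the LDIF inputs. The following script is an added example (not part of the oci-openldap-declarative project) that checks exactly that against a running container: it adds an entry the LDIF files do not contain, restarts the container, and asserts the entry is gone. It assumes a container started as shown above (name `ldap-foobar`, `LDAP_DOMAIN=foobar.svc.local`, port 1389 on 127.0.0.1), that the admin DN is `cn=admin` under the base DN derived from `LDAP_DOMAIN` as in the `ldapsearch` examples, and that the server accepts writes from the admin bind at runtime (if it refuses them, the script treats that as consistent with the design). The probe entry `cn=runtime-probe` and the `RUN_VERIFY` variable are the example's own names.

```shell
#!/bin/sh
# Added example, not project code: exercise the reset-on-restart guarantee.
# Assumptions (all examples, adjust to your setup): container name, URL,
# domain and password as in the README; admin DN is cn=admin,<base DN>.
set -eu

LDAP_URL="${LDAP_URL:-ldap://127.0.0.1:1389}"
LDAP_DOMAIN="${LDAP_DOMAIN:-foobar.svc.local}"
LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PASSWORD:-SecurePass123}"
CONTAINER="${CONTAINER:-ldap-foobar}"

# "foobar.svc.local" -> "dc=foobar,dc=svc,dc=local"
domain_to_basedn() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
  }'
}

# Admin DN as used in the README examples: cn=admin under the base DN (assumption).
admin_dn() {
  printf 'cn=admin,%s' "$(domain_to_basedn "$1")"
}

# Poll until the server answers an authenticated base search, or give up.
wait_for_ldap() {
  _tries=${1:-30}
  while [ "$_tries" -gt 0 ]; do
    if ldapsearch -x -H "$LDAP_URL" -D "$(admin_dn "$LDAP_DOMAIN")" \
         -w "$LDAP_ADMIN_PASSWORD" -s base -b "$(domain_to_basedn "$LDAP_DOMAIN")" \
         "(objectClass=*)" >/dev/null 2>&1; then
      return 0
    fi
    _tries=$((_tries - 1))
    sleep 1
  done
  echo "LDAP server at $LDAP_URL did not become ready" >&2
  return 1
}

# Exit 0 if the entry with DN $1 exists (base-scope search succeeds), else non-zero.
probe_exists() {
  ldapsearch -x -H "$LDAP_URL" -D "$(admin_dn "$LDAP_DOMAIN")" \
    -w "$LDAP_ADMIN_PASSWORD" -s base -b "$1" "(objectClass=*)" >/dev/null 2>&1
}

verify_reset_on_restart() {
  base=$(domain_to_basedn "$LDAP_DOMAIN")
  probe="cn=runtime-probe,$base"
  wait_for_ldap

  # 1. Make an imperative change that the LDIF inputs do not contain.
  #    A refusal is also acceptable: the server simply rejects runtime writes.
  if ldapadd -x -H "$LDAP_URL" -D "$(admin_dn "$LDAP_DOMAIN")" \
       -w "$LDAP_ADMIN_PASSWORD" >/dev/null 2>&1 <<EOF
dn: $probe
objectClass: organizationalRole
cn: runtime-probe
EOF
  then
    echo "probe entry added at runtime"
  else
    echo "server refused the runtime add (acceptable)"
  fi

  # 2. Restart the container; the directory is rebuilt from the LDIF inputs.
  podman restart "$CONTAINER" >/dev/null
  wait_for_ldap

  # 3. The runtime change must not have survived.
  if probe_exists "$probe"; then
    echo "FAIL: $probe survived the restart" >&2
    return 1
  fi
  echo "OK: runtime change discarded, directory matches the LDIF inputs"
}

# Run only when explicitly asked, so the functions can also be sourced.
if [ "${RUN_VERIFY:-0}" = "1" ]; then
  verify_reset_on_restart
fi
```

Run it with `RUN_VERIFY=1 sh verify-reset.sh` against the container started earlier. The DN-derivation helper is separate from the container-touching steps so it can be reused, for example to build the `-D` and `-b` arguments from `LDAP_DOMAIN` instead of hard-coding them.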
This image is built and tested with Podman only. We currently do not support Docker (but it might work).
This image is intentionally scoped for declarative, file-defined LDAP directories. It is not intended to be a general-purpose LDAP service.
Specifically, it does not provide:
- Persistent directory state across container restarts.
- Support for interactive or imperative LDAP administration.
- Dynamic runtime modification of users, groups, or schemas.
- Replication, clustering, or high-availability setups.
- Large-scale or multi-tenant directory deployments.
Any change to the directory must be expressed by modifying the LDIF inputs and restarting the container. For mutable, stateful, or large-scale LDAP deployments, use a traditional or managed LDAP service instead.
Copyright (c) 2025 foundata GmbH (https://foundata.com)
This project is licensed under the GNU General Public License v3.0 or later (SPDX-License-Identifier: GPL-3.0-or-later), see LICENSES/GPL-3.0-or-later.txt for the full text.
The REUSE.toml file provides detailed licensing and copyright information in a human- and machine-readable format. This includes parts that may be subject to different licensing or usage terms, such as third-party components. The repository conforms to the REUSE specification. You can use reuse spdx to create a SPDX software bill of materials (SBOM).
The pre-built image itself bundles various software components along with direct and indirect dependencies, which are subject to their respective licenses. When using the pre-built image, you are responsible for ensuring that your usage complies with all relevant licenses for the software contained within the image.
For further licensing information about the software contained in this image, please refer to the following resources:
This project was created and is maintained by foundata GmbH (https://foundata.com).