yaLDAP: yet another LDAP
yaLDAP is an easy-to-use LDAP server using YAML file as directory definition.
Sometimes, we just need a simple LDAP compatible server to store user/group information and other information.
For this purpose, many simple LDAP server exists and manage user/group in a better way than yaLDAP. However, no one can
have a fully customisable LDAP directory that can be used to store information or to follow a specific directory structure.
I don't recommend to use this project for other thing than dev or homelab purpose; this LDAP server is not (yet)
compliant with the LDAP RFCs.
Usage
Configuration
YAML
yaLDAP can be configured using an YAML file to describe the LDAP directory.
See /pkg/ldap/yaml for more information.
Example
dc:org: #dn: dc=org
dc:example: #dn: dc=example,dc=org
ou:group: #dn: ou=group,dc=example,dc=org
cn:owner: &test #dn: cn=admin,ou=group,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1000
description: Organization owners
memberUid: [alice]
cn:dev: #dn: cn=dev,ou=group,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1001
description: Organization developers
memberUid: [bob, charlie]
cn:qa: #dn: cn=qa,ou=group,dc=example,dc=org
objectClass: posixGroup
gidNumber: 1002
memberUid: [charlie, eve]
cn:ok: #dn: cn=ok,ou=group,dc=example,dc=org
<<: *test
gidNumber: 1003
description: Dummy group
# memberUid: [alice]
c:global: #dn: c=global,dc=example,dc=org
ou:people: #dn: ou=people,c=global,dc=example,dc=org
cn:alice: #dn: cn=alice,ou=people,c=global,dc=example,dc=org
objectClass: [posixAccount, UserMail]
.#acl:
- !!ldap/acl:allow-on dc=org # allow alice to request everything
description: Main organization admin
uid: alice
uidNumber: 1000
gidNumber: 1000
loginShell: /bin/bash
homeDirectory: /home/alice
userPassword: !!ldap/bind:password alice
usermail: alice@example.org
cn:bob: #dn: cn=bob,ou=people,c=global,dc=example,dc=org
objectClass: posixAccount
.#acl:
- !!ldap/acl:allow-on ou=group,dc=example,dc=org # allow bob request only for user groups
uid: bob
homeDirectory: /home/bob
uidNumber: 1001
gidNumber: 1001
userPassword: !!ldap/bind:password bob
c:fr: #dn: c=fr,dc=example,dc=org
ou:people: #dn: ou=people,c=fr,dc=example,dc=org
cn:charlie: #dn: cn=charlie,ou=people,c=fr,dc=example,dc=org
objectClass: posixAccount
.#acl:
- !!ldap/acl:allow-on ou=group,dc=example,dc=org # allow charlie request for all groups...
- !!ldap/acl:deny-on cn=admin,ou=group,dc=example,dc=org # ...but to owner group
uid: charlie
homeDirectory: /home/charlie
uidNumber: 1100
gidNumber: 1001
userPassword: !!ldap/bind:password charlie
c:uk: #dn: c=uk,dc=example,dc=org
ou:people: #dn: ou=people,c=fr,dc=example,dc=org
cn:eve: #dn: cn=eve,ou=people,c=uk,dc=example,dc=org
objectClass: posixAccount
#NOTE: eve can't make any LDAP request (no !!ldap/bind:password field)
uid: eve
homeDirectory: /home/eve
uidNumber: 1003
gidNumber: 1002
userPassword: eve
Hashed passwords
In order to avoid storing clear text passwords in the YAML file, yaLDAP supports hashed passwords.
Currently, only argon2
, bcrypt
, pbkdf2
and scrypt
are supported.
How to hash a password
echo -n "<password>" | yaldap tools hash <alogrithm> [<options>] -
For example, to hash a password using bcrypt
and a cost of 10:
$ echo -n "password" | yaldap tools hash bcrypt --rounds 10 -
$bcrypt$v=0$r=10$$243261243130247935525748646434736f52794a2e474f3162714856755331496c616e54384b4d387346494a746c6b3141776e7a6c36736f377a6471
Contribution