Despite Docker Hub documentation suggesting env var support (LDAP_DOMAIN, LDAP_ADMIN_PASSWORD, etc.), the cleanstart/openldap:2.6.12 image does not process them. It is a bare Alpine OpenLDAP package that reads directly from /etc/openldap/slapd.conf.
The image ships with hardcoded defaults:
- suffix: dc=my-domain,dc=com
- rootdn: cn=Manager,dc=my-domain,dc=com
- rootpw: secret
Diagnosis: Container logs show the defaults being loaded:
slapd.conf: line 63 (suffix "dc=my-domain,dc=com")
slapd.conf: line 64 (rootdn "cn=Manager,dc=my-domain,dc=com")
Also confirmed via:
podman exec -it ldap ldapsearch -x -H ldap://localhost:389 -s base -b "" namingContexts
# Returns: namingContexts: dc=my-domain,dc=com
Mitigation: Mount a custom slapd.conf into the container:
volumes:
- ./slapd.conf:/etc/openldap/slapd.conf:z
The custom slapd.conf sets the correct suffix, rootdn, and rootpw for your domain.
When running with user: 1007:1007, slapd fails with:
slapd.conf: line 72: invalid path: Permission denied
The non-root user cannot create or write to /var/lib/openldap/openldap-data.
Mitigation: Either remove the user: directive (let the container run as root), or pre-create the host directory with correct permissions:
mkdir -p /var/lib/cicd/ldap/data
chmod 777 /var/lib/cicd/ldap/data
When running with user: 1007:1007, slapd cannot bind to port 389 (privileged port):
daemon: bind(6) failed errno=13 (Permission denied)
slapd stopped.
Mitigation: Remove the user: directive to run as root (binds to 389), or configure slapd to listen on port 1389 and update all references accordingly.
The cleanstart/openldap image uses different internal paths than the commonly documented osixia/openldap:
| Path | cleanstart/openldap | osixia/openldap |
|---|---|---|
| Config | /etc/openldap/slapd.conf |
/etc/ldap/slapd.d/ |
| Data | /var/lib/openldap/openldap-data |
/var/lib/ldap |
Mounting to the wrong paths means the entrypoint (if any) can't find or write config, and slapd can't find its database.
Mitigation: Use the correct paths in docker-compose:
volumes:
- ./slapd.conf:/etc/openldap/slapd.conf:z
- /var/lib/cicd/ldap/data:/var/lib/openldap/openldap-data:z
Using :Z (uppercase, private label) can prevent slapd from writing to mounted volumes. The entrypoint or slapd silently fails and falls back to defaults.
Mitigation: Use :z (lowercase, shared label) for LDAP volumes.
After a clean initialization, the LDAP database is empty. The suffix in slapd.conf defines what the server will accept, but does not create the actual directory entry. Attempting to create entries under the base DN fails with:
LDAP error: No such object
Mitigation: Bootstrap the base DN with an LDIF file:
podman cp bootstrap.ldif ldap:/tmp/bootstrap.ldif
podman exec -it ldap ldapadd -x -H ldap://localhost:389 \
-D "cn=admin,dc=pathoris,dc=de" -w admin \
-f /tmp/bootstrap.ldif
The bootstrap.ldif creates the base entry and initial organizational units.
The admin password (rootpw in slapd.conf) is baked into the database on first start. If the data volume was initialized with a different password (or empty), changing slapd.conf or env vars has no effect.
Mitigation: Wipe the data directory and restart:
podman-compose stop ldap
rm -rf /var/lib/cicd/ldap/data/*
podman-compose up -d ldap
| Image | Status | Notes |
|---|---|---|
| osixia/openldap | Abandoned | Last release 4+ years ago |
| bitnami/openldap | Restricted | Free images discontinued on Docker Hub |
| cleanstart/openldap | Active | Lightweight, current OpenLDAP 2.6.x, but no env var support |