docker/swarm/stack/ldap.yml

classes:
- system.docker.client.images.ldap
parameters:
  docker:
    client:
      stack:
        ldap:
          version: '3.7'
          service:
            server:
              networks:
                - ldap
              deploy:
                restart_policy:
                  condition: any
              image: ${_param:docker_image_openldap}
              hostname: ldap01
              domainname: ${_param:openldap_domain}
              ports:
                - 1389:389
                - 1636:636
              secrets:
                - openldap-admin
                - openldap-config
              volumes:
                - /srv/volumes/openldap/database:/var/lib/ldap
                - /srv/volumes/openldap/config:/etc/ldap/slapd.d
                - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
                - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
              # copy to /container/run/service to avoid issues with owning certs as openldap user
              # https://github.com/osixia/docker-openldap/issues/59
              command: --copy-service
              environment:
                HOSTNAME: ldap01.${_param:openldap_domain}
                LDAP_ORGANISATION: "${_param:openldap_organisation}"
                LDAP_DOMAIN: "${_param:openldap_domain}"
                LDAP_ADMIN_PASSWORD_FILE: /run/secrets/openldap-admin
                LDAP_CONFIG_PASSWORD_FILE: /run/secrets/openldap-config
                LDAP_TLS: "true"
                LDAP_TLS_VERIFY_CLIENT: try
                LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
                LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
                LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
                LDAP_TLS_CA_CRT_FILENAME: ca.crt
            admin:
              networks:
                - ldap
              deploy:
                restart_policy:
                  condition: any
              image: ${_param:docker_image_phpldapadmin}
              depends_on:
                - server
              hostname: ldap
              command: --copy-service
              volumes:
                - ${_param:openldap_tls:keyfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.key:ro
                - ${_param:openldap_tls:certfile}:/container/service/ldap-client/assets/certs/drivetrain_ldap.crt:ro
                - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/ldap-client/assets/certs/ca.crt:ro
              environment:
                PHPLDAPADMIN_LDAP_HOSTS: "#PYTHON2BASH:[{'server': [{'server': [{'host': 'ldaps://${_param:cicd_control_address}', 'tls': False}]},{'login': [{'bind_id': 'cn=admin,${_param:openldap_dn}'},{'bind_pass': '$PHPLDAPADMIN_LDAP_ADMIN_PASSWORD'}]}]}]"
                PHPLDAPADMIN_LDAP_CLIENT_TLS: "true"
                PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME: ca.crt
                PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME: drivetrain_ldap.crt
                PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME: drivetrain_ldap.key
                PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: 'try'
                PHPLDAPADMIN_HTTPS: "false"
                PHPLDAPADMIN_TRUST_PROXY_SSL: "true"
                PHPLDAPADMIN_SERVER_ADMIN: ${_param:admin_email}
                PHPLDAPADMIN_THEME: mirantis
              ports:
                - 18089:80
          network:
            ldap:
              driver: overlay
              driver_opts:
                encrypted: 1
          secrets:
            openldap-admin:
              external: true
              value: ${_param:openldap_admin_password}
            openldap-config:
              external: true
              value: ${_param:openldap_config_password}