I use
echo "127.0.0.2 ldap.example.com" >> /etc/hosts
to prevent the running ldap server from syncing during image building. However when using DOCKER_BUILDKIT=1 this is not possible any more (read only fs).
I was wondering if it is possible to start slapd so it does not start syncing?
On Mon, Feb 10, 2025 at 11:51:02AM +0000, Marc wrote:
I use
echo "127.0.0.2 ldap.example.com" >> /etc/hosts
to prevent the running ldap server from syncing during image building. However when using DOCKER_BUILDKIT=1 this is not possible any more (read only fs).
I was wondering if it is possible to start slapd so it does not start syncing?
I would not start it in the first place... Otherwise maybe don't give it network access?
Regards,
echo "127.0.0.2 ldap.example.com" >> /etc/hosts
to prevent the running ldap server from syncing during image building. However when using DOCKER_BUILDKIT=1 this is not possible any more (read only fs).
I was wondering if it is possible to start slapd so it does not start syncing?
I would not start it in the first place... Otherwise maybe don't give it network access?
currently my method is retrieving ldif files from some config storage (that is on the same network as the ldap server), sometimes doing some sed stuff, and then importing them like this:
ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-modules.ldif
So this way I have direct feedback if one of the ldifs is not compatible with some slapd upgrade.
On Tue, Feb 11, 2025 at 09:40:47AM +0000, Marc wrote:
I would not start it in the first place... Otherwise maybe don't give it network access?
currently my method is retrieving ldif files from some config storage (that is on the same network as the ldap server), sometimes doing some sed stuff, and then importing them like this:
ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f $SLAPD_CFG_DIR/change-modules.ldif
So this way I have direct feedback if one of the ldifs is not compatible with some slapd upgrade.
slapadd -n0 is your friend, no need to start the server for it. Maybe also slaptest if you want to double check the resulting config.
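Building on the slapadd -n0 suggestion, here is an added example (not from the thread) of importing the cn=config LDIFs offline and then checking the result with slaptest, so slapd and its syncrepl consumer never start during the image build. The directory names, the DRY_RUN switch and the file layout are assumptions.

```shell
#!/bin/sh
# Offline import of cn=config LDIF files during an image build: no running slapd,
# so nothing can start syncing. Assumed layout: SLAPD_CFG_DIR holds the ldif files,
# SLAPD_CONF_DIR is the slapd.d tree. DRY_RUN=1 only prints the commands.
SLAPD_CONF_DIR="${SLAPD_CONF_DIR:-/etc/ldap/slapd.d}"
SLAPD_CFG_DIR="${SLAPD_CFG_DIR:-/build/ldif}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add the entries of one LDIF to database 0 (cn=config) with slapadd.
# slapadd only reads entry records; it cannot apply "changetype: modify"
# records the way ldapmodify would, so such files are rejected up front.
import_config_ldif() {
    ldif="$1"
    if grep -q '^changetype:' "$ldif"; then
        echo "refusing $ldif: slapadd cannot apply changetype records" >&2
        return 2
    fi
    run slapadd -n 0 -F "$SLAPD_CONF_DIR" -l "$ldif"
}

# Import every *.ldif in sorted order, then let slaptest validate the
# resulting configuration (-u: check only, do not touch the databases).
# A failing slapadd or slaptest fails the build, which keeps the direct
# feedback on LDIFs that are incompatible with a newer slapd.
import_all_config() {
    for f in "$SLAPD_CFG_DIR"/*.ldif; do
        [ -e "$f" ] || continue
        import_config_ldif "$f" || return 1
    done
    run slaptest -F "$SLAPD_CONF_DIR" -u
}
```

Run import_all_config from the Dockerfile RUN step instead of starting slapd and using ldapadd over ldapi:///.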
Hi!
As others suggested, I'd set up a temporary firewall rule to block LDAP traffic (I guess you don't want to block just syncing, but all kind of external access).
Kind regards, Ulrich Windl
-----Original Message-----
From: Marc Marc@f1-outsourcing.eu
Sent: Monday, February 10, 2025 12:51 PM
To: openldap-technical@openldap.org
Subject: [EXT] container image building and syncing
I use
echo "127.0.0.2 ldap.example.com" >> /etc/hosts
to prevent the running ldap server from syncing during image building. However when using DOCKER_BUILDKIT=1 this is not possible any more (read only fs).
I was wondering if it is possible to start slapd so it does not start syncing?