5. Docker

Keeto ships a fully configured Docker image providing an easy and fast way for the establishment of an environment in order to become familiar with Keeto. This chapter gives an overview about this environment, describes how to set it up and ultimately use it.

5.1. Overview

The Docker environment consists of the two containers ‘keeto-openldap’ and ‘keeto-openssh’. ‘keeto-openldap’ provides a Directory Service based on OpenLDAP and ‘keeto-openssh’ runs an OpenSSH server configured with Keeto. The Directory Service contains various entries reflecting the access permissions, key material, users etc. for the OpenSSH server running within the ‘keeto-openssh’ container.

5.1.1. Services

The following ports are exposed by the Docker environment and bound to the local machine:

Container Protocol Port
keeto-openldap LDAP Plain/StartTLS
keeto-openldap LDAPS
keeto-openssh SSH

5.1.2. Syslog Settings

The local /dev/log socket is mounted to the container’s filesystem in order to obtain syslog messages from container components. The following syslog identifiers/facilities are used:

Component Syslog Identifier Syslog Facility
Keeto keeto LOG_LOCAL1

5.1.3. OpenLDAP Settings

Option Value
LDAP URI ldap://
Base DN dc=keeto,dc=io
Bind DN cn=directory-manager,dc=keeto,dc=io
Bind password test123

5.1.4. OpenSSH Access Permissions

Key/User Direct Access Access On Behalf
birgit Yes -
bjoern No keeto
oliver No slapd, opendj
sebastian No keeto
trixi No slapd, opendj
wolfgang Yes -

5.2. Prerequisites

The following software packages are needed in order to run the Keeto Docker environment:

  • Docker
  • Docker Compose
  • LDAP client
  • SSH client
  • Syslog (optional)

Although any LDAP client will do Apache Directory Studio is recommended as Keeto provides an export of the connection settings needed to configure the client for the usage with the Docker environment. The SSH client has to support either PKCS#8 or PuTTY’s .ppk private key format for public key authentication.

5.3. Setup

Grab the source code tarball from https://keeto.io and unpack the distribution. All files needed to setup the Docker environment are included in the ‘samples/docker’ directory:

<user>$ wget https://keeto.io/static/downloads/keeto-0.3.0-beta/keeto-0.3.0-beta.tar.gz
<user>$ tar xvfz keeto-0.3.0-beta.tar.gz
<user>$ cd keeto-0.3.0-beta/samples/docker

Now start the containers using Docker Compose with the following command:

<root>$ docker-compose up -d

Docker will download the images if they are not already available locally and subsequently start the environment. Finally you should see the following output:

Creating network "docker_keeto-net" with driver "bridge"
Creating keeto-openldap
Creating keeto-openssh

Thats it! The Keeto Docker environment is now fully operational. Optionally configure your local syslog daemon to log messages from container components. A sample configuration file for syslog-ng can be found in the ‘samples’ directory.

5.4. Usage

Now that the environment is up and running you are able to play around and gain a better understanding of Keeto. Configure your favourite LDAP client with the settings described in OpenLDAP Settings and browse/modify the content in the OpenLDAP Directory Service. If you are using Apache Directory Studio you might wanna import the connection settings from the ‘samples/docker/misc’ folder. The environment comes with some predefined access permissions as described in OpenSSH Access Permissions. The private key material for the various logins is available in the ‘samples/docker/keys’ folder. Note that some SSH clients require the private key to have certain access permissions. If you are using such a client change permissions of the private key file accordingly.

The following two examples show logins with the OpenSSH SSH client for a user that has direct access and another one that has access on behalf of another account:

<user>$ chmod 600 keys/birgit-key.pem
<user>$ ssh -i keys/birgit-key.pem -p 1022 birgit@localhost
<user>$ chmod 600 keys/oliver-key.pem
<user>$ ssh -i keys/oliver-key.pem -p 1022 slapd@localhost