diff --git a/bitnami/openldap/2.6/debian-12/Dockerfile b/bitnami/openldap/2.6/debian-12/Dockerfile index a9488725c92d..433c3b74bfde 100644 --- a/bitnami/openldap/2.6/debian-12/Dockerfile +++ b/bitnami/openldap/2.6/debian-12/Dockerfile @@ -7,7 +7,7 @@ ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith" ARG TARGETARCH LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \ - org.opencontainers.image.created="2026-02-19T03:28:31Z" \ + org.opencontainers.image.created="2026-02-27T12:31:59Z" \ org.opencontainers.image.description="Application packaged by Broadcom, Inc." \ org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/openldap/README.md" \ org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/openldap" \ @@ -49,7 +49,7 @@ COPY rootfs / RUN /opt/bitnami/scripts/openldap/postunpack.sh ENV APP_VERSION="2.6.12" \ BITNAMI_APP_NAME="openldap" \ - IMAGE_REVISION="1" \ + IMAGE_REVISION="2" \ PATH="/opt/bitnami/openldap/bin:/opt/bitnami/openldap/sbin:$PATH" EXPOSE 1389 1636 diff --git a/bitnami/openldap/README.md b/bitnami/openldap/README.md index 27cdaee47791..3798582cf931 100644 --- a/bitnami/openldap/README.md +++ b/bitnami/openldap/README.md 
@@ -1,19 +1,17 @@ # Bitnami Secure Image for OpenLDAP -## What is OpenLDAP? - > OpenLDAP is the open-source solution for LDAP (Lightweight Directory Access Protocol). It is a protocol used to store and retrieve data from a hierarchical directory structure such as in databases. [Overview of OpenLDAP](https://openldap.org/) Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. -## TL;DR +## TL;DR ```console docker run --name openldap bitnami/openldap:latest ``` -## Why use Bitnami Secure Images? +## Why use Bitnami Secure Images? Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images? 
@@ -30,15 +28,15 @@ Each image comes with valuable security metadata. You can view the metadata in [ If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy). -## Why use a non-root container? +## Why use a non-root container? Non-root container images add an extra layer of security and are generally recommended for production environments. However, because they run as a non-root user, privileged tasks are typically off-limits. Learn more about non-root containers [in our docs](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-work-with-non-root-containers-index.html). -## Supported tags and respective `Dockerfile` links +## Supported tags and respective `Dockerfile` links Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html). -## Get this image +## Get this image The recommended way to get the Bitnami OpenLDAP Docker Image is to pull the prebuilt image from the [Docker Hub Registry](https://hub.docker.com/r/bitnami/openldap). 
@@ -60,113 +58,17 @@ cd bitnami/APP/VERSION/OPERATING-SYSTEM docker build -t bitnami/APP:latest . ``` -## Connecting to other containers +## Using `docker-compose.yaml` + +Please be aware this file has not undergone internal testing. Consequently, we advise its use exclusively for development or testing purposes. + +## Connecting to other containers Using [Docker container networking](https://docs.docker.com/engine/userguide/networking/), a different server running inside a container can easily be accessed by your application containers and vice-versa. Containers attached to the same network can communicate with each other using the container name as the hostname. -### Using the Command Line - -In this example, we will use a MariaDB Galera instance that will use a OpenLDAP instance that is running on the same docker network to manage authentication. - -#### Step 1: Create a network - -```console -docker network create my-network --driver bridge -``` - -#### Step 2: Launch the OpenLDAP server instance - -Use the `--network ` argument to the `docker run` command to attach the container to the `my-network` network. - -```console -docker run --detach --rm --name openldap \ - --network my-network \ - --env LDAP_ADMIN_USERNAME=admin \ - --env LDAP_ADMIN_PASSWORD=adminpassword \ - --env LDAP_USERS=customuser \ - --env LDAP_PASSWORDS=custompassword \ - --env LDAP_ROOT=dc=example,dc=org \ - --env LDAP_ADMIN_DN=cn=admin,dc=example,dc=org \ - bitnami/openldap:latest -``` - -#### Step 3: Launch the MariaDB Galera server instance - -Use the `--network ` argument to the `docker run` command to attach the container to the `my-network` network. 
- -```console -docker run --detach --rm --name mariadb-galera \ - --network my-network \ - --env MARIADB_ROOT_PASSWORD=root-password \ - --env MARIADB_GALERA_MARIABACKUP_PASSWORD=backup-password \ - --env MARIADB_USER=customuser \ - --env MARIADB_DATABASE=customdatabase \ - --env MARIADB_ENABLE_LDAP=yes \ - --env LDAP_URI=ldap://openldap:1389 \ - --env LDAP_BASE=dc=example,dc=org \ - --env LDAP_BIND_DN=cn=admin,dc=example,dc=org \ - --env LDAP_BIND_PASSWORD=adminpassword \ - bitnami/mariadb-galera:latest -``` - -#### Step 4: Launch the MariaDB client and test you can authenticate using LDAP credentials - -Finally we create a new container instance to launch the MariaDB client and connect to the server created in the previous step: - -```console -docker run -it --rm --name mariadb-client \ - --network my-network \ - bitnami/mariadb-galera:latest mysql -h mariadb-galera -u customuser -D customdatabase -pcustompassword -``` - -### Using a Docker Compose file - -When not specified, Docker Compose automatically sets up a new network and attaches all deployed services to that network. However, we will explicitly define a new `bridge` network named `my-network`. In this example we assume that you want to connect to the OpenLDAP server from your own custom application image which is identified in the following snippet by the service name `myapp`. - -```yaml -version: '2' - -networks: - my-network: - driver: bridge -services: - openldap: - image: bitnami/openldap:latest - ports: - - 1389:1389 - - 1636:1636 - environment: - - LDAP_ADMIN_USERNAME=admin - - LDAP_ADMIN_PASSWORD=adminpassword - - LDAP_USERS=user01,user02 - - LDAP_PASSWORDS=password1,password2 - networks: - - my-network - volumes: - - openldap_data:/bitnami/openldap - myapp: - image: YOUR_APPLICATION_IMAGE - networks: - - my-network -volumes: - openldap_data: - driver: local -``` - -> **IMPORTANT**: -> -> 1. 
Please update the **YOUR_APPLICATION_IMAGE_** placeholder in the above snippet with your application image -> 2. In your application container, use the hostname `openldap` to connect to the OpenLDAP server - -Launch the containers using: - -```console -docker-compose up -d -``` - -## Configuration +## Configuration The Bitnami Docker OpenLDAP can be easily setup with the following environment variables: @@ -199,7 +101,7 @@ The Bitnami Docker OpenLDAP can be easily setup with the following environment v - `LDAP_PPOLICY_USE_LOCKOUT`: Whether bind attempts to locked accounts will always return an error. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**. - `LDAP_PPOLICY_HASH_CLEARTEXT`: Whether plaintext passwords should be hashed automatically. Will only be applied with `LDAP_CONFIGURE_PPOLICY` active. Default: **no**. -### Bootstrapping +### Bootstrapping User side bootstrapping happens in two primary phases: 
@@ -220,90 +122,6 @@ Some key concepts: - slapadd ldifs are different then ldapadd specifically the `changetype: modify` directives required by ldapadd. - scripts are executed in alpha-numeric order so to control order use 01-myscript.sh 02-otherscript.sh is recommended. -##### Example: Enable the MemberOf Overlay in Bitnami OpenLDAP - -Note: bitnami has some custom module pathing. Specifically the slapd module load path is set to `/opt/bitnami/openldap/libexec/openldap/` but some of the base openldap modules are installed at `/opt/bitnami/openldap/lib/openldap/`. If you need to load the memberof.so overlay you will need to symlink, or cp it. exapmle `cp /opt/bitnami/openldap/lib/openldap/memberof.so /opt/bitnami/openldap/lib/openldap/memberof.so`. This could be done in a Dockerfile, a mount overlay or if running as root in a script in /docker-entrypoint-initdb.d/. The Dockerfile is likely the best and safest solution to ensure your module is **always** avialable at run time. - -Here is an example of loading the memberof overlay with an /entrypoint-initdb.d/ script - -The **memberOf** overlay is widely used in OpenLDAP to automatically populate the `memberOf` attribute on user entries based on group membership. -This short example demonstrates how to add the overlay during Bitnami OpenLDAP container bootstrap using `slapadd`, with correct LDIF formatting and troubleshooting tips. - -1. **Determine the next available module DN:** - - Run: - - ```sh - slapcat -F /opt/bitnami/openldap/etc/slapd.d -b cn=config | grep "^dn: cn=module" - ``` - - - If you see `cn=module{0},cn=config`, use `cn=module{1},cn=config` for your new module. {2} if you see existing {1} etc. - -2. **Create the LDIF file:** - -In the default container image has 1 existing loaded module at cn=module{0} so we will use cn=module{1}. 
Be sure to also bump the index on `cn: module{1}` to match cn=module{1} - -```ldif -dn: cn=module{1},cn=config -objectClass: olcModuleList -cn: module{1} -olcModulePath: /opt/bitnami/openldap/libexec/openldap -olcModuleLoad: memberof.so -dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config -objectClass: olcOverlayConfig -objectClass: olcMemberOf -olcOverlay: memberof -olcMemberOfDangling: ignore -olcMemberOfRefInt: TRUE -olcMemberOfGroupOC: groupOfNames -olcMemberOfMemberAD: member -olcMemberOfMemberOfAD: memberOf -``` - -Finally a script should be placed or mounted to /docker-entrypoint-initdb.d/. Note: we are using slapadd, not ldapadd here as mentioned above. - -```bash -#!/bin/bash -# Script to enable memberOf overlay in OpenLDAP -set -e -# Note: cn=module{1},cn=config assumes that the module will be loaded as the second module. cn=module{0} being the first. -# Additionally, olcDatabase={2}mdb assumes that the database is the second one configured in OpenLDAP. Adjust as necessary. -# Create a temporary LDIF file -# ensure cn=module{N},cn=config and cn: module{N} match eachother and do not conflict with existing modules. Run `slapcat -F /opt/bitnami/openldap/etc/slapd.d -b cn=config | grep 'cn=module'` to check existing modules. -cat > /tmp/memberof-overlay.ldif << 'EOF' -dn: cn=module{1},cn=config -objectClass: olcModuleList -cn: module{1} -olcModuleLoad: memberof - -dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config -objectClass: olcOverlayConfig -objectClass: olcMemberOf -olcOverlay: memberof -olcMemberOfDangling: ignore -olcMemberOfRefInt: TRUE -olcMemberOfGroupOC: groupOfNames -olcMemberOfMemberAD: member -olcMemberOfMemberOfAD: memberOf -EOF - -# Apply the LDIF to enable memberOf overlay -echo "Enabling memberOf overlay in OpenLDAP configuration..." -echo "Loading memberOf overlay with slapadd..." - -if slapcat -F /opt/bitnami/openldap/etc/slapd.d -b cn=config | grep -q memberof -then - echo "MemberOf overlay is already configured." 
- exit 0 -else - slapadd -F /opt/bitnami/openldap/etc/slapd.d -b cn=config -l /tmp/memberof-overlay.ldif || { - echo "NOTICE: slapadd failed to load memberOf overlay. Check the cn=module{N} with \"slapcat -F /opt/bitnami/openldap/etc/slapd.d -b cn=config |grep 'cn=module'\"" - exit 1 - } -fi - -echo "MemberOf overlay has been configured." -``` - #### 2. Bootstrap your ldap DB in /ldifs You can bootstrap the contents of **your** database by putting LDIF files in the directory `/ldifs` (or the one you define in `LDAP_CUSTOM_LDIF_DIR`). Those may only contain content underneath your base DN (set by `LDAP_ROOT`). You can **not** set configuration for e.g. `cn=config` in those files. 
@@ -314,46 +132,11 @@ Some key concepts: - ldifs are loaded in alpha-numeric order so you can load things in 01-mygroups.ldif, 02-myusers.ldif etc. - this only runs on first init of the container. -##### Example: Loading base groups and org schemas in /ldifs/01-example-org.ldif (or equiv) - -Place or mount your ldif files in /ldifs... That's basically it! Verify with ldapsearch or in your healthchecks etc. once the container has loaded. - -```ldif -# Base domain entries - converting AD-style DN to OpenLDAP format -dn: dc=your,dc=example,dc=com -objectClass: top -objectClass: dcObject -objectClass: organization -dc: your -o: Your Organization -# Organizational Units -dn: ou=Users,dc=your,dc=example,dc=com -objectClass: top -objectClass: organizationalUnit -ou: Users -dn: ou=Groups,dc=your,dc=example,dc=com -objectClass: top -objectClass: organizationalUnit -ou: Groups -# Admin group -dn: cn=some_admins,ou=Groups,dc=your,dc=example,dc=com -objectClass: top -objectClass: groupOfNames -cn: some_admins -description: An administrators group -# Tester group -dn: cn=testers,ou=Groups,dc=your,dc=example,dc=com -objectClass: top -objectClass: groupOfNames -cn: testers -description: Example group of testers -``` - -### Data Persistence +### Data Persistence To ensure that the OpenLDAP state is retained across container restarts and updates, it is recommended to mount a volume at `/bitnami/openldap`. -### Overlays +### Overlays Overlays are dynamic modules that can be added to an OpenLDAP server to extend or modify its functionality. See section on Bootstrapping for an example on adding the memberOf or other overlays not directly provided as an overlay flag. 
@@ -393,30 +176,9 @@ For configuration flexibility, the container-based approach relies on a file tre IMPORTANT: The `dynlist` requires the schema `dyngroup`. This can be done by adding it to the list of schemas to load through `LDAP_EXTRA_SCHEMAS`. -The following example shows how to declare the module `dynlist` with the support of dynamic (groupOfUrls) and static (groupOfNames) groups. The `olcDatabase={N}mdb` has to be adjusted to the target configuration. - -```bash -ldapadd -D "cn=admin,cn=config" -w "configpassword" < Securing OpenLDAP traffic OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. Should you desire to enable this optional feature, you may use the following environment variables to configure the application: 
@@ -430,40 +192,7 @@ OpenLDAP clients and servers are capable of using the Transport Layer Security ( This new feature is not mutually exclusive, which means it is possible to listen to both TLS and non-TLS connection simultaneously. To use TLS you can use the URI `ldaps://openldap:1636` or use the non-TLS URI forcing ldap to use TLS `ldap://openldap:1389 -ZZ`. -1. Using `docker run` - - ```console - $ docker run --name openldap \ - -v /path/to/certs:/opt/bitnami/openldap/certs \ - -v /path/to/openldap-data-persistence:/bitnami/openldap/ \ - -e ALLOW_EMPTY_PASSWORD=yes \ - -e LDAP_ENABLE_TLS=yes \ - -e LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt \ - -e LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key \ - -e LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt \ - bitnami/openldap:latest - ``` - -2. Modifying the `docker-compose.yml` file present in this repository: - - ```yaml - services: - openldap: - ... - environment: - ... - - LDAP_ENABLE_TLS=yes - - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/openldap.crt - - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/openldap.key - - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/openldapCA.crt - ... - volumes: - - /path/to/certs:/opt/bitnami/openldap/certs - - /path/to/openldap-data-persistence:/bitnami/openldap/ - ... - ``` - -### Run behind load balancer +### Run behind load balancer OpenLDAP supports the HAProxy proxy protocol version 2 to detect real client IP that is masked when server runs behind load balancer. You can enable and configure this feature with the following environment variables: 
@@ -477,7 +206,7 @@ Enabling this feature will replace regular and TLS ports with proxy protocol cap Check the official page [OpenLDAP, Running slapd, Command-Line Options](https://www.openldap.org/doc/admin26/runningslapd.html#Command-Line%20Options) for additional information. -### Initializing a new instance +### Initializing a new instance The [Bitnami OpenLDAP](https://github.com/bitnami/containers/blob/main/bitnami/openldap) image allows you to use your custom scripts to initialize a fresh instance. @@ -485,13 +214,13 @@ The allowed script extension is `.sh`, all scripts are executed in alphabetical Scripts are executed are after the initilization and before the startup of the OpenLDAP service. -### FIPS configuration in Bitnami Secure Images +### FIPS configuration in Bitnami Secure Images The Bitnami OpenLDAP Docker image from the [Bitnami Secure Images](https://go-vmware.broadcom.com/contact-us) catalog includes extra features and settings to configure the container with FIPS capabilities. You can configure the next environment variables: - `OPENSSL_FIPS`: whether OpenSSL runs in FIPS mode or not. `yes` (default), `no`. -## Logging +## Logging The Bitnami OpenLDAP Docker image sends the container logs to `stdout`. To view the logs: 
@@ -503,53 +232,13 @@ You can configure the containers [logging driver](https://docs.docker.com/engine To see the actual output of slapd in the container's logs, set the environment variable `BITNAMI_DEBUG=true`. Useful especially to find/debug problems in your configuration that lead to errors so OpenLDAP won't start. -## Maintenance - -### Upgrade this image - -Bitnami provides up-to-date versions of OpenLDAP, including security patches, soon after they are made upstream. We recommend that you follow these steps to upgrade your container. - -#### Step 1: Get the updated image - -```console -docker pull bitnami/openldap:latest -``` - -#### Step 2: Stop the running container - -Stop the currently running container using the command - -```console -docker stop openldap -``` - -#### Step 3: Remove the currently running container - -```console -docker rm -v openldap -``` - -#### Step 4: Run the new image - -Re-create your container from the new image. - -```console -docker run --name openldap bitnami/openldap:latest -``` - -## Notable Changes +## Notable Changes ### 2.4.58-debian-10-r93 - The default database backend has been changed from `hdb` to `mdb` as recommended. No additional steps should be necessary at upgrade time; the new container version `2.4.59` will initialize using the persisted data. -## Using `docker-compose.yaml` - -Please be aware this file has not undergone internal testing. Consequently, we advise its use exclusively for development or testing purposes. - -If you detect any issue in the `docker-compose.yaml` file, feel free to report it or contribute with a fix by following our [Contributing Guidelines](https://github.com/bitnami/containers/blob/main/CONTRIBUTING.md). - -## License +## License Copyright © 2026 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
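Review bot: in the README `@@ -1,19` hunk (and the matching heading-only replacements in the later hunks, `## TL;DR`, `## Why use Bitnami Secure Images?`, `## Why use a non-root container?`, down to `## License`) the removed and added heading lines are identical in the rendered diff, so the actual change must be trailing whitespace or an invisible character. Confirm this is a deliberate normalization and that the generated heading anchors do not change; otherwise these lines are noise that hides the substantive edits in the same hunks. Dropping `## What is OpenLDAP?` leaves the `> OpenLDAP is the open-source solution ...` blockquote directly under the page title, which reads fine, but that heading was the natural anchor for the description.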
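Review bot: in the `@@ -60,113` hunk the new `## Using docker-compose.yaml` section says only that the file is untested, while the same hunk deletes every example that showed how the container is wired to another service (the `docker network create` / `docker run --network my-network` steps, the MariaDB Galera `LDAP_URI=ldap://openldap:1389` / `LDAP_BIND_DN` connection, and the compose snippet). What is left under `## Connecting to other containers` is one paragraph about container networking with no commands, and the new section gives no path or link to the `docker-compose.yaml` it refers to. Suggest linking to the file in the repository from the new section, or keeping a minimal example so the networking section is not empty.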
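Review bot: the `@@ -220,90` hunk removes the entire `##### Example: Enable the MemberOf Overlay` walkthrough, but the unchanged context in the `@@ -314,46` hunk still reads `See section on Bootstrapping for an example on adding the memberOf or other overlays not directly provided as an overlay flag.`, which now points at an example that no longer exists. Either drop that sentence or keep a short pointer; the one non-obvious fact readers will miss from the removed text is that `slapd` loads modules from `/opt/bitnami/openldap/libexec/openldap/` while some base modules are installed under `/opt/bitnami/openldap/lib/openldap/`, together with the `slapcat -F /opt/bitnami/openldap/etc/slapd.d -b cn=config` check for the next free `cn=module{N}` index. The point that `slapadd` rather than `ldapadd` is used in `/docker-entrypoint-initdb.d/` survives in the bullet list above, so that part is covered.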
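Review bot: the `@@ -393,30` hunk drops the `dynlist` declaration example but keeps the unchanged line `IMPORTANT: The dynlist requires the schema dyngroup ... LDAP_EXTRA_SCHEMAS`, so the reader is told about a prerequisite for a procedure the README no longer shows; either remove the note or add a one-line pointer to how `olcDatabase={N}mdb` is meant to be adjusted. Also, in this rendered diff the removed `ldapadd -D "cn=admin,cn=config" -w "configpassword" <` line runs straight into the `Securing OpenLDAP traffic` heading, so the body of the deleted here-document is not visible here; check the full hunk before merging to be sure nothing from the TLS section was cut along with it.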
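Review bot: the `@@ -430,40` hunk removes the only place in the README that showed where certificates are expected inside the container (`-v /path/to/certs:/opt/bitnami/openldap/certs`, with `LDAP_TLS_CERT_FILE`, `LDAP_TLS_KEY_FILE` and `LDAP_TLS_CA_FILE` pointing under that path). Unless the variable descriptions above this hunk state that path, keep one `docker run` line or add the path to the descriptions. Separately, the unchanged context line `ldap://openldap:1389 -ZZ` presents `-ZZ` as part of a URI; it is an option to the OpenLDAP client tools (request StartTLS and fail if it cannot be negotiated), so rewording that sentence while this section is being edited would avoid confusion.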
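Review bot: the unchanged context line just above the `### FIPS configuration in Bitnami Secure Images` heading change in the `@@ -485,13` hunk reads `Scripts are executed are after the initilization`; since the hunk already touches the line below it, fix the duplicated `are` and the spelling of `initialization` in the same change.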
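Review bot: in the `@@ -503,53` hunk the `## Using docker-compose.yaml` section is moved earlier in the file, but its second paragraph (`If you detect any issue in the docker-compose.yaml file, feel free to report it ... Contributing Guidelines`) is dropped rather than moved; the relocated section in the `@@ -60,113` hunk keeps only the untested warning. Carry the contributing link over. The hunk also deletes `## Maintenance` / `### Upgrade this image` (`docker pull`, `docker stop openldap`, `docker rm -v openldap`, re-run); if that is an intentional slim-down, the `## Notable Changes` entry saying the new version `will initialize using the persisted data` becomes the only upgrade guidance left, and it relies on readers keeping the `/bitnami/openldap` volume described under `### Data Persistence`, so a cross-reference from `## Notable Changes` to that section would help.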