LemonLDAP-NG in Podman

Shane_Treweek · November 12, 2024, 11:23pm

Ive managed to get LemonLDAP-NG mostly working here are the steps.

Install scratchpad instance
In ns8 http routes add auth.domain.tld as http://127.0.0.1:82 and manager.domain.tld http://127.0.0.1:82
runagent -m scratchpad1 bash -l
podman run --replace --name lemonldap -d -e SSODOMAIN=domain.tld -e PORTAL_HOSTNAME=auth.domain.tld -e MANAGER_HOSTNAME=manager.domain.tld -e HANDLER_HOSTNAME=handler.domain.tld -e FASTCGI_LISTEN_PORT=9000 -p 82:80 docker.io/coudot/lemonldap-ng
run podman ps to get

I’ve figured out how to add files to the running container its a bit convuluted but it allows to upload logos and app logos.

You first have to copy the files you want to the scratchpad home folder (i.e., /home/scratchpad1 then you have to runagent -m scratchpad1 bash -l for example ill use mylam.webp (for the LAM web app) you then copy them directly into the container folder like so podman cp ~/mylam.webp <your containerid>:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps/ and restart podman restart <your containerid> and it works

The directorys that are most used are:
:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps/ for apps
:/usr/share/lemonldap-ng/portal/htdocs/static/common/logos/ for logos
:/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds/ for backgrounds

NOTE* I havent got background working yet but I manual added the active directory details and saml and everything else seems to work

UPDATE* I had a power failure and when ns8 booted back up the container wasnt working so im guessing this is not persistant. I’m in the process of mapping the volumes (i.e., apps,logos and backgrounds) once I’ve worked out the specifics I’ll post an update. For now I know the volume is something like -v .apps/.:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps:Z

Shane_Treweek · November 16, 2024, 7:03am

UPDATE This now works with apps, backgrounds, logos, conf, logs and the lemonldap.ini file

Install a scratchpad instance.
In ns8 http routes add auth.domain.tld as http://127.0.0.1:82 and manager.domain.tld http://127.0.0.1:82
Login from terminal.

[root@yourserver]$ runagent -m scratchpad1 bash -l

Create the folders were going to mount

[scratchpad1@yourserver state]$ mkdir -p ./apps
[scratchpad1@yourserver state]$ mkdir -p ./conf
[scratchpad1@yourserver state]$ mkdir -p ./logos
[scratchpad1@yourserver state]$ mkdir -p ./backgrounds
[scratchpad1@yourserver state]$ mkdir -p ./logs
[scratchpad1@yourserver state]$ mkdir -p ./etc
[scratchpad1@yourserver state]$ mkdir -p ./cache

Now create the mounts themselves

podman volume create \
      -o device=./apps \
      -o=o=bind \
      apps

podman volume create \
      -o device=./conf \
      -o=o=bind \
      conf

podman volume create \
      -o device=./etc \
      -o=o=bind \
      etc

podman volume create \
      -o device=./logos \
      -o=o=bind \
      logos

podman volume create \
      -o device=./backgrounds \
      -o=o=bind \
      backgrounds

podman volume create \
      -o device=./cache \
      -o=o=bind \
     cache

podman volume create \
      -o device=./logs \
      -o=o=bind \
      logs

Run the following commands (make sure to change to suit your requirements)

podman run --detach --replace --name lemonldap --restart=unless-stopped \
    --volume=apps:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps:z \
    --volume=backgrounds:/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds:z \
    --volume=logos:/usr/share/lemonldap-ng/portal/htdocs/static/common/logos:z \
    --volume=conf:/var/lib/lemonldap-ng/conf:z \
    --volume=logs:/www/logs:z \
    --volume=etc:/etc/lemonldap-ng:z \
    --volume=cache:/var/cache/lemonldap-ng:z \
    -e SSODOMAIN=domain.tld \
    -e PORTAL_HOSTNAME=auth.domain.tld \
    -e MANAGER_HOSTNAME=manager.domain.tld \
    -e HANDLER_HOSTNAME=handler.domain.tld \
    -e TEST1_HOSTNAME=test1.domain.tld \
    -e TEST2_HOSTNAME=test2.domain.tld \
    -e LOGLEVEL=debug \
    -e TZ="Country/City" \
    -e FASTCGI_LISTEN_PORT=9000 \
    -p 82:80  \
    docker.io/coudot/lemonldap-ng:latest

stephdl · November 16, 2024, 1:31pm

I am at the capitole du libre today, and I met some developers of the lemonldap software. Really interesting

They have made fusionIAM. A bundle of many tools

Shane_Treweek · November 19, 2024, 2:00am

now the next step is to make it run at boot i tried following slide 38 Run any service on NS8 but it failed after Run any service on NS8 slide 41
if anyone has any sugestions that would be great

@davidep

the steps i took

podman generate systemd -f \
     --no-header \
     --container-prefix '' \
     --new \
     4e9c949c5638

mv -vf \
     /home/scratchpad18/.config/state/4e9c949c5638fd8f770ed214adc2002f7a459e9f9d9ec6f6909189481e117219.service \
     ../systemd/user/4e9c949c5638.service

systemctl \
     --user enable --now 4e9c949c5638

and the error

× 4e9c949c5638.service - Podman 4e9c949c5638fd8f770ed214adc2002f7a459e9f9d9ec6f6909189481e117219.service
     Loaded: loaded (/home/scratchpad18/.config/systemd/user/4e9c949c5638.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Sun 2024-11-17 13:04:54 AEST; 23s ago
       Docs: man:podman-generate-systemd(1)
    Process: 137016 ExecStart=/usr/bin/podman run --cidfile=/run/user/1020/4e9c949c5638.service.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --detach --replace --name lemon>
    Process: 137049 ExecStopPost=/usr/bin/podman rm -f --ignore -t 10 --cidfile=/run/user/1020/4e9c949c5638.service.ctr-id (code=exited, status=0/SUCCESS)
   Main PID: 137016 (code=exited, status=126)
        CPU: 384ms

On the plus side without using systemd, simply rerunning the podman run script brings the system back to how it was before the restart so maybe I could just have that run on reboot somehow

Shane_Treweek · November 19, 2024, 2:10am

now i managed to get the systemd config working if i run the container as root not as scratchpad, however although it reboots fine it doesnt keep the config and starts as a fresh install (lemonldap)

–Update–
i just realised wht i did wrong

when issuing podman generate systemd --new --name lemonldap --new makes the system run the podman run script and replaces the old

so once i ran the cmd without --new i got it working ill post a how to soon

ill also try to see if i can replicate it in scratchpad as well

stephdl · November 19, 2024, 7:35am

when you are ready to go over a prototype you can start from GitHub - stephdl/ns8-kickstart-mariadb: NethServer 8 module template

or you could have here some examples on how to have a systemd service running from a pod

Shane_Treweek · November 20, 2024, 6:01am

untill i get a working module I’ve created a script that creates the following folders under /opt/lemonldap:
backups, apps, logos, logs, conf, etc and cache.
It then mounts them for use in the podmain container, next it asks you what port is free along with your country and city to set timezone variables.

Then it creates the systemd files and moves it to /etc/systemd/system/ns8-lemonldap.service and reloads systemd and enables ns8-lemonldap.service.

It also creats a script called ~/lemon_setup.sh and makes it executable, this script purges the conf, cache, etc and logs folders along with the systemd service file leaving the apps, logos and backgrounds folders, recreates the conf, cache, logs and etc folders and remounts them.

Then it reruns the podman run script with the answers you gave during setup and recreates the systemd service file and reenables it so it the installation starts fresh but the apps logos and backgrounds remain.

you can then load a config file from a backup in the manager.

Default login is
User: dwho
Password: dwho

ns8-lemonldap.sh

#!/bin/bash

read -p "What is the unbound port to run LemonLDAP-NG on?" 'port'

read -p "What is your Country?" 'country'

read -p "What is your City?" 'city'

mkdir -p /opt/lemonldap /opt/lemonldap/backrounds /opt/lemonldap/apps /opt/lemonldap/logos /opt/lemonldap/logs /opt/lemonldap/cache /opt/lemonldap/conf /opt/lemonldap/etc 

# chown root:root -R /opt/lemonldap /opt/lemonldap/backrounds /opt/lemonldap/apps /opt/lemonldap/logos /opt/lemonldap/logs /opt/lemonldap/cache /opt/lemonldap/conf /opt/lemonldap/etc

podman volume create \
      -o device=/opt/lemonldap/backrounds \
      -o=o=bind \
      backgrounds

podman volume create \
      -o device=/opt/lemonldap/conf \
      -o=o=bind \
      conf

podman volume create \
      -o device=/opt/lemonldap/logos \
      -o=o=bind \
      logos

podman volume create \
      -o device=/opt/lemonldap/apps \
      -o=o=bind \
      apps

podman volume create \
      -o device=/opt/lemonldap/logs \
      -o=o=bind \
      logs

podman volume create \
      -o device=/opt/lemonldap/cache \
      -o=o=bind \
      cache

podman volume create \
      -o device=/opt/lemonldap/etc \
      -o=o=bind \
      etc

podman run --detach --replace --name ns8-lemonldap \
    --volume=apps:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps:z \
    --volume=backgrounds:/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds:z \
    --volume=logos:/usr/share/lemonldap-ng/portal/htdocs/static/common/logos:z \
    --volume=conf:/var/lib/lemonldap-ng/conf:z \
    --volume=logs:/www/logs:z \
    --volume=etc:/etc/lemonldap-ng:z \
    --volume=cache:/var/cache/lemonldap-ng:z \
    -e SSODOMAIN=$domain \
    -e PORTAL_HOSTNAME=auth.$(hostname -d) \
    -e MANAGER_HOSTNAME=mymanager.$(hostname -d) \
    -e HANDLER_HOSTNAME=handler.$(hostname -d) \
    -e TEST1_HOSTNAME=test1.$(hostname -d) \
    -e TEST2_HOSTNAME=test2.$(hostname -d) \
    -e LOGLEVEL=debug \
    -e TZ="$country/$city" \
    -e FASTCGI_LISTEN_PORT=9000 \
    -p $port:80 \
    docker.io/coudot/lemonldap-ng:latest
wait

cat <<EOF >>~/lemon_setup.sh
#!/bin/sh
# Created on $(date )
rm -Rf /etc/systemd/system/lemonldap.service  /opt/container-ns8-lemonldap.service
podman volume rm -f etc conf cache logs

rm -Rf /opt/lemonldap/cache /opt/lemonldap/conf /opt/lemonldap/etc /opt/lemonldap/logs

mkdir -p /opt/lemonldap/cache /opt/lemonldap/conf /opt/lemonldap/etc /opt/lemonldap/logs
# chown root:root -R /opt/lemonldap/logs /opt/lemonldap/cache /opt/lemonldap/conf /opt/lemonldap/etc

podman volume create \
      -o device=/opt/lemonldap/conf \
      -o=o=bind \
      conf

podman volume create \
      -o device=/opt/lemonldap/cache \
      -o=o=bind \
      cache

podman volume create \
      -o device=/opt/lemonldap/etc \
      -o=o=bind \
      etc

podman volume create \
      -o device=/opt/lemonldap/logs \
      -o=o=bind \
      logs

podman run --detach --replace --name ns8-lemonldap \
    --volume=apps:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps:z \
    --volume=backgrounds:/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds:z \
    --volume=logos:/usr/share/lemonldap-ng/portal/htdocs/static/common/logos:z \
    --volume=conf:/var/lib/lemonldap-ng/conf:z \
    --volume=logs:/www/logs:z \
    --volume=etc:/etc/lemonldap-ng:z \
    --volume=cache:/var/cache/lemonldap-ng:z \
    -e SSODOMAIN=$domain \
    -e PORTAL_HOSTNAME=auth.$(hostname -d) \
    -e MANAGER_HOSTNAME=mymanager.$(hostname -d) \
    -e HANDLER_HOSTNAME=handler.$(hostname -d) \
    -e TEST1_HOSTNAME=test1.$(hostname -d) \
    -e TEST2_HOSTNAME=test2.$(hostname -d) \
    -e LOGLEVEL=debug \
    -e TZ="$country/$city" \
    -e FASTCGI_LISTEN_PORT=9000 \
    -p $port:80 \
    docker.io/coudot/lemonldap-ng:latest

podman generate systemd --name ns8-lemonldap -f > /etc/systemd/system/lemonldap.service
mv -vf \
         /opt/container-ns8-lemonldap.service \
         /etc/systemd/system/ns8-lemonldap.service
wait
podman stop ns8-lemonldap
systemctl daemon-reload
systemctl enable ns8-lemonldap.service
wait
systemctl start ns8-lemonldap
EOF

chmod +x ~/lemon_setup.sh

rm -Rf /opt/container-ns8-lemonldap.service /etc/systemd/system/lemonldap.service

podman generate systemd --name ns8-lemonldap -f > /etc/systemd/system/lemonldap.service
mv -vf \
         /opt/container-ns8-lemonldap.service \
         /etc/systemd/system/ns8-lemonldap.service
wait
podman stop ns8-lemonldap
systemctl daemon-reload
systemctl enable ns8-lemonldap.service
wait
api-cli run set-route --agent module/traefik1 --data - <<EOF
{
  "instance": "ns8auth",
  "url": "http://127.0.0.1:$port",
  "host": "auth.$(hostname -d)",
  "lets_encrypt": true,
  "http2https": true,
  "skip_cert_verify": false
}
EOF
wait
api-cli run set-route --agent module/traefik1 --data - <<EOF
{
  "instance": "ns8manager",
  "url": "http://127.0.0.1:$port",
  "host": "manager.$(hostname -d)",
  "lets_encrypt": true,
  "http2https": true,
  "skip_cert_verify": false
}
EOF
wait
systemctl start ns8-lemonldap


echo "LemonLDAP-NG has been installed please dont forget to setup the folowing http routes in NS8 1. add auth.$(hostname -d) as http://127.0.0.1:$port and manager.$(hostname -d) http://127.0.0.1:$port also select the options for lets encrypt and http to https"

echo " Once you have setup the http routes you should be able to access the portal at https://auth.$(hostname -d) and the manager at https://manager.$(hostname -d) "

Next steps for this script is:

auto propagating the ad/ldap details
~~Automating the http routes and let’s encrypt certificate~~
Backup

stephdl · November 20, 2024, 7:26pm

A root container is workable like you discovered but in short it is better to be rootless. It could be sometime a bit challenging but in term of security it is better

Your container has been hacked…no problem the concerns are limited to the user linux area in his /home

Relevant to the volume creation i think podman is able to create them automatically. No need to do it manually before to start container

If you follow the way of nethserver kickstart the route to traefik is done automatically by the UI and propagated to the API but it is a rootless container

Shane_Treweek · November 20, 2024, 10:02pm

I agree completely and that is the goal plus the lemon_setup.sh could be a systemd file on its own.

its a bit convoluted but in order to understand how all the system works (ie, podman systemd etc) is to get it working then to get it working as rootless and finally as a module.

i think ive got it working now in rootless without volumes

Using volumes for some reason didn’t work with systemd but thanks to @davidep How do you get ldap or samba details - #2 by davidep I should be able to auto generate the ad/ldap config part

stephdl · November 21, 2024, 6:07pm

available any time for help, ping me

Shane_Treweek · November 21, 2024, 9:39pm

Thank you I’ll definitely take you up on that offer once I get the ad/ldap config automation working what should be a simple mater of a bash script with an api-cli cmd piped to sed cmds similar to the original lemon_config.sh

stephdl · November 22, 2024, 6:11am

I think we have something really simpler with some python libraries

github.com

NethServer/ns8-sogo/blob/c024ac9c4ffee06565f4ba294694cf07d8a98ea1/imageroot/bin/discover-ldap#L16


      
          #
          
          #
          # Find settings for LDAP service
          #
          
          import os
          import sys
          import json
          import agent
          from agent.ldapproxy import Ldapproxy
          
          udomname = os.environ.get('LDAP_DOMAIN','')
          
          try:
              odom = Ldapproxy().get_domain(udomname)
              'host' in odom # Throw exception if odom is None
          except:
              # During restore the domain could be unavailable. Use a fallback
              # configuration, pointing to nowhere, just to set the variables.
              # Once the domain becomes available, the event will fix them.

Check also line 27 to 28

You need them in a rootless container to allow the bind to the ldapproxy port. In a rootfull container you do not need it

stephdl · November 22, 2024, 6:18am

Once the prototype or the proof of concept is done you should go to the module it will ease your life…for example to start the container, to write the route to traefik.

With the script you need to do each step. Obviously it could be done.

Do not be afraid of the UI stack it is not so hard and we have tons of example…for the backend you can start by writing directly the variables to the state/environment file and your container will get magically your settings

stephdl · November 22, 2024, 6:21am

This where we strore the environment vars to store the settings to the container

github.com

NethServer/ns8-sogo/blob/c024ac9c4ffee06565f4ba294694cf07d8a98ea1/imageroot/systemd/user/sogo-app.service#L13


      
          # SPDX-License-Identifier: GPL-3.0-or-later
          #
          
          [Unit]
          Description=Podman  sogo-app.service
          BindsTo=sogo.service
          After=sogo.service mariadb-app.service
          
          [Service]
          Environment=PODMAN_SYSTEMD_UNIT=%n
          EnvironmentFile=%S/state/environment
          EnvironmentFile=-%S/state/discovery_mail.env
          EnvironmentFile=-%S/state/discovery_ldap.env
          WorkingDirectory=%S/state
          Restart=always
          TimeoutStopSec=70
          ExecStartPre=/usr/bin/bash -c "/bin/mkdir -p {config,backups,templates}"
          ExecStartPre=/bin/rm -f %t/sogo-app.pid %t/sogo-app.ctr-id
          ExecStartPre=/usr/local/bin/runagent discover-service
          ExecStartPre=/usr/local/bin/runagent discover-ldap
          ExecStartPre=/usr/local/bin/runagent expand-configuration

And this is where we trigger the script to autodiscover the ldap settings

github.com

NethServer/ns8-sogo/blob/c024ac9c4ffee06565f4ba294694cf07d8a98ea1/imageroot/systemd/user/sogo-app.service#L22


      
          Environment=PODMAN_SYSTEMD_UNIT=%n
          EnvironmentFile=%S/state/environment
          EnvironmentFile=-%S/state/discovery_mail.env
          EnvironmentFile=-%S/state/discovery_ldap.env
          WorkingDirectory=%S/state
          Restart=always
          TimeoutStopSec=70
          ExecStartPre=/usr/bin/bash -c "/bin/mkdir -p {config,backups,templates}"
          ExecStartPre=/bin/rm -f %t/sogo-app.pid %t/sogo-app.ctr-id
          ExecStartPre=/usr/local/bin/runagent discover-service
          ExecStartPre=/usr/local/bin/runagent discover-ldap
          ExecStartPre=/usr/local/bin/runagent expand-configuration
          ExecStartPre=/usr/local/bin/runagent reveal-master-secret
          ExecStartPost=/usr/bin/bash -c "while ! /usr/bin/podman exec sogo-app /usr/bin/curl  http://127.0.0.1:20001/SOGo ; do sleep 3 ; done"
          ExecStart=/usr/bin/podman run --conmon-pidfile %t/sogo-app.pid \
              --cidfile %t/sogo-app.ctr-id --cgroups=no-conmon \
              --pod-id-file %t/sogo.pod-id --replace -d --name  sogo-app \
              --volume ./config/sogo.conf:/etc/sogo/sogo.conf:Z \
              --volume ./config/cron-sogo:/etc/cron.d/cron-sogo:Z \
              --volume ./config/sieve.creds:/etc/sogo/sieve.creds:Z \
              --volume ./config/SOGo.conf:/etc/httpd/conf/extra/SOGo.conf:Z \

And this is where we pass the file with the ldap settings

github.com

NethServer/ns8-sogo/blob/c024ac9c4ffee06565f4ba294694cf07d8a98ea1/imageroot/systemd/user/sogo-app.service#L15


      
          
          [Unit]
          Description=Podman  sogo-app.service
          BindsTo=sogo.service
          After=sogo.service mariadb-app.service
          
          [Service]
          Environment=PODMAN_SYSTEMD_UNIT=%n
          EnvironmentFile=%S/state/environment
          EnvironmentFile=-%S/state/discovery_mail.env
          EnvironmentFile=-%S/state/discovery_ldap.env
          WorkingDirectory=%S/state
          Restart=always
          TimeoutStopSec=70
          ExecStartPre=/usr/bin/bash -c "/bin/mkdir -p {config,backups,templates}"
          ExecStartPre=/bin/rm -f %t/sogo-app.pid %t/sogo-app.ctr-id
          ExecStartPre=/usr/local/bin/runagent discover-service
          ExecStartPre=/usr/local/bin/runagent discover-ldap
          ExecStartPre=/usr/local/bin/runagent expand-configuration
          ExecStartPre=/usr/local/bin/runagent reveal-master-secret
          ExecStartPost=/usr/bin/bash -c "while ! /usr/bin/podman exec sogo-app /usr/bin/curl  http://127.0.0.1:20001/SOGo ; do sleep 3 ; done"

After that you need to send each variables in the container with --env LDAP_* or each vatiable if you prefer (sometimes i prefer a systemd a bit longer but easy to understand)

In this example I did not need it because i build configuration files on the fly but it is particular

oneitonitram · January 9, 2025, 7:06am

@kemboielvis22 and @Shane_Treweek can we work out to get this into a functioning NS8 app.

Would help support NS7 users to migrate easily to NS8 if using LLNG

kemboielvis22 · January 9, 2025, 7:10am

i will take a look onto it

Shane_Treweek · January 13, 2025, 1:11am

Definitely my aim just trying to find the time is the main challenge at the moment

Update: I’ve managed to get scratchpad working (I think I’m still testing but I think it’s persistent) if my tests work it will mean a working rootless persistent container of LemonLDAP-NG (manual config of course if it works we can automate the rest)
Update 2.
I’ve fixed it and updated the details below all files are accessible via /opt/lemonldap/ (your can add any files but make sure you chown them correctly) thus step one is finished (the manual setup and persistence of data)
Update 3.
Added instructions for enabling restart via systemctl
Update 4.
I’ve changed the instructions to have the folders created directly under the scratchpad location for backup purposes and to remove the step for needing to chown the folders in the initial stage.

First set the http route

api-cli run set-route --agent module/traefik1 --data - <<EOF
{
  "instance": "myportal",
  "url": "http://127.0.0.1:<port>",
  "host": "myportal.$(hostname -d)",
  "lets_encrypt": true,
  "http2https": true,
  "skip_cert_verify": false
}
EOF
wait
api-cli run set-route --agent module/traefik1 --data - <<EOF
{
  "instance": "mymanager",
  "url": "http://127.0.0.1:<port>",
  "host": "mymanager.$(hostname -d)",
  "lets_encrypt": true,
  "http2https": true,
  "skip_cert_verify": false
}
EOF

Install scratchpad module.

add-module ghcr.io/davideprincipi/scratchpad:latest

Login to container.

runagent -m scratchpad<number_of_scratchpad_instance> bash -l

Create the Folders.
mkdir -p backgrounds apps logos logs cache conf etc
Create the volumes in scratchpad.

podman volume create \
      -o device=backgrounds \
      -o=o=bind \
      backgrounds

podman volume create \
      -o device=conf \
      -o=o=bind \
      conf

podman volume create \
      -o device=logos \
      -o=o=bind \
      logos

podman volume create \
      -o device=apps \
      -o=o=bind \
      apps

podman volume create \
      -o device=logs \
      -o=o=bind \
      logs

podman volume create \
      -o device=cache \
      -o=o=bind \
      cache

podman volume create \
      -o device=etc \
      -o=o=bind \
      etc

Run the lemonldap Podman script.

podman run --detach --name lemonldap \
    --volume=apps:/usr/share/lemonldap-ng/portal/htdocs/static/common/apps:rw,Z \
    --volume=backgrounds:/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds:rw,Z \
    --volume=logos:/usr/share/lemonldap-ng/portal/htdocs/static/common/logos:rw,Z \
    --volume=conf:/var/lib/lemonldap-ng/conf:rw,Z \
    --volume=logs:/www/logs:rw,Z \
    --volume=etc:/etc/lemonldap-ng:rw,Z \
    --volume=cache:/var/cache/lemonldap-ng:rw,Z \
    -e SSODOMAIN=$(hostname -d) \
    -e PORTAL_HOSTNAME=myportal.$(hostname -d) \
    -e MANAGER_HOSTNAME=mymanager.$(hostname -d) \
    -e HANDLER_HOSTNAME=myhandler.$(hostname -d) \
    -e TEST1_HOSTNAME=test1.$(hostname -d) \
    -e TEST2_HOSTNAME=test2.$(hostname -d) \
    -e LOGLEVEL=debug \
    -e TZ="<country/city>" \
    -e FASTCGI_LISTEN_PORT=9000 \
    -p <port>:80 \
    docker.io/coudot/lemonldap-ng:latest

make the service file to be able to restart service using systemd
(i.e., systemctl --user (re)start/stop lemonldap).

podman generate systemd -f \
--no-header \
--container-prefix '' \
lemonldap

mv -vf \
         <long .service file name from previous command>.service \
         ../systemd/user/lemonldap.service

Stop the service in Podman.

podman stop lemonldap

Reload system daemons and enable the service.

systemctl --user daemon-reload

systemctl --user enable lemonldap

Start LemonLDAP.

systemctl --user start lemonldap

– ~~need to update the instructions to include option for favicon (maybe even have just common folder instead of apps, backgrounds etc)~~
just need to add your favicon to logos folder and change favicon path in manager to common/logos/favicon.ico
– add steps to auto add ldap/ad via instructions from stephdl

I will have to work out the backup process as I think backing up the scratchpad module only backups up the initial install of scratchpad

Shane_Treweek · January 20, 2025, 12:47am

On my wish list for this module (this is a roadmap that is ambitious but what I hope would be part of a finished module)

Use folders inside the scratchpad module instead of/opt/lemonldap for security and backup purposes.
Inside module settings on cluster admin have the following options.

Option to select AD/LDAP.
Option to set portal/manager name and port (which would then trigger setting http route and edit ini and conf files accordingly).
Option to select domain or have it populated based on AD/LDAP Selection.
Option to upload logo which would then correct the permissions and alter conf.
Option to upload background which would then correct the permissions and alter conf.
Option to download latest conf file.
Option to add apps icons and correct permissions.
Option to select SAML integration for specific apps and automate it or at least create a walkthrough to set it up.
Option to restore using config file.

kemboielvis22 · January 20, 2025, 4:11am

Great

stephdl · March 11, 2025, 12:20pm

may I help you Shane I think I have some free time actually