Complete guide for setting up OpenLDAP authentication with TAK Server using Docker.
This guide shows how to set up OpenLDAP in Docker for TAK Server authentication, allowing centralized user management instead of managing individual certificates.
- TAK Server 5.5 installed and running
- Docker and Docker Compose installed
- Ubuntu 24.04 LTS (or similar Linux distribution)
```bash
# Create directory
mkdir -p ~/openldap-docker
cd ~/openldap-docker
# Create docker-compose.yml (see below)
```

Create docker-compose.yml:
```yaml
version: '3.8'

services:
  openldap:
    image: osixia/openldap:1.5.0
    container_name: openldap
    hostname: openldap
    restart: unless-stopped
    environment:
      LDAP_ORGANISATION: "TAK Organization"
      LDAP_DOMAIN: "tak.local"
      # Test credentials only; change both before this directory holds real accounts
      LDAP_ADMIN_PASSWORD: "admin123"
      LDAP_CONFIG_PASSWORD: "config123"
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "true"
      # "false" lets clients bind over plain ldap:// (port 389); set to "true" once
      # TAK Server talks ldaps:// (it cannot be turned back off on an existing config)
      LDAP_TLS_ENFORCE: "false"
    ports:
      # Published on every host interface; see the production notes on restricting access
      - "389:389"
      - "636:636"
    volumes:
      - openldap-data:/var/lib/ldap
      - openldap-config:/etc/ldap/slapd.d
      - openldap-certs:/container/service/slapd/assets/certs/
    networks:
      - ldap-network

  phpldapadmin:
    image: osixia/phpldapadmin:0.9.0
    container_name: phpldapadmin
    hostname: phpldapadmin
    restart: unless-stopped
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      # Plain HTTP carrying the LDAP admin password on every login: keep it on localhost
      - "127.0.0.1:8080:80"
    depends_on:
      - openldap
    networks:
      - ldap-network

volumes:
  openldap-data:
    name: openldap-data
  openldap-config:
    name: openldap-config
  openldap-certs:
    name: openldap-certs

networks:
  ldap-network:
    name: ldap-network
    driver: bridge
```

Create bootstrap.ldif:
```ldif
# Entries must be separated by a blank line, otherwise ldapadd rejects the file.

# Create Organizational Units
dn: ou=people,dc=tak,dc=local
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tak,dc=local
objectClass: organizationalUnit
ou: groups

# Create Groups (groupOfNames requires at least one member; the admin DN is the placeholder)
dn: cn=tak-users,ou=groups,dc=tak,dc=local
objectClass: groupOfNames
cn: tak-users
description: TAK Users Group
member: cn=admin,dc=tak,dc=local

dn: cn=tak-admins,ou=groups,dc=tak,dc=local
objectClass: groupOfNames
cn: tak-admins
description: TAK Administrators Group
member: cn=admin,dc=tak,dc=local

# Create Users
# A plain userPassword value is stored exactly as written (clear text in this file and
# in the database). For anything beyond a throwaway test, put a hash here instead,
# e.g. the {SSHA} value printed by `slappasswd -s <password>`.
dn: cn=john.doe,ou=people,dc=tak,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: john.doe
sn: Doe
givenName: John
uid: john.doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/john.doe
loginShell: /bin/bash
mail: john.doe@tak.local
userPassword: password123
description: TAK User - John Doe

dn: cn=jane.smith,ou=people,dc=tak,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: jane.smith
sn: Smith
givenName: Jane
uid: jane.smith
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/jane.smith
loginShell: /bin/bash
mail: jane.smith@tak.local
userPassword: password123
description: TAK Administrator - Jane Smith
```
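The user entries above carry userPassword in clear text; slapd stores such a value as typed and compares it as clear text at bind time. Supplying a {SSHA} hash instead (the scheme slappasswd produces by default) gives a directory holding real credentials the hash-on-disk it should have. The script below is an added example, not part of this guide or of OpenLDAP: it builds user entries in the same layout as john.doe and jane.smith, hashes the password with the same {SSHA} construction slapd verifies, separates entries with the blank line ldapadd requires, and refuses uids that would need DN escaping. The base DN and ou=people come from the guide; the sample users at the bottom are constructed.

```python
"""Generate user entries for bootstrap.ldif with {SSHA}-hashed passwords."""
import base64
import hashlib
import os
from typing import List, Optional, Tuple

BASE_DN = "dc=tak,dc=local"          # from the guide's LDAP_DOMAIN (tak.local)
PEOPLE_OU = f"ou=people,{BASE_DN}"   # the guide's user container
# RFC 4514 characters that would need escaping inside an RDN; we simply refuse them
DN_SPECIAL = set(',=+<>#;"\\\n')


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 {SSHA}: base64( SHA1(password || salt) || salt ), as slappasswd -h {SSHA} emits."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password the way slapd does on a simple bind against a {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_entry(uid: str, given: str, sn: str, uid_number: int, password: str) -> str:
    """One entry in the same layout as the guide's john.doe / jane.smith entries."""
    if not uid or DN_SPECIAL & set(uid):
        raise ValueError(f"refusing to build a DN from uid {uid!r}")
    lines = [
        f"dn: cn={uid},{PEOPLE_OU}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"cn: {uid}",
        f"sn: {sn}",
        f"givenName: {given}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"mail: {uid}@tak.local",
        f"userPassword: {ssha_hash(password)}",   # hash, never the clear-text password
        f"description: TAK User - {given} {sn}",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(users: List[Tuple[str, str, str, str]], first_uid_number: int = 10003) -> str:
    """LDIF for several (uid, givenName, sn, password) tuples.

    Entries are separated by a blank line (ldapadd needs that) and get consecutive
    uidNumbers starting at first_uid_number, which defaults to 10003 because the
    guide's bootstrap already uses 10001 and 10002.
    """
    seen = set()
    entries = []
    for offset, (uid, given, sn, password) in enumerate(users):
        if uid in seen:
            raise ValueError(f"duplicate uid {uid!r}")
        seen.add(uid)
        entries.append(user_entry(uid, given, sn, first_uid_number + offset, password))
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed sample users; real passwords would come from a secret store or a prompt.
    print(build_ldif([("new.user", "New", "User", "correct-horse-battery"),
                      ("ops.lead", "Ops", "Lead", "another-long-passphrase")]))
```

Pipe the output into a file and import it with the same ldapadd command the guide uses for bootstrap.ldif; ldapsearch will then return the {SSHA} value rather than the password itself.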
```bash
# Start containers
docker compose up -d
# Wait for startup (about 10 seconds)
sleep 10
# Import bootstrap data. -w puts the admin password into your shell history and the
# process list; once past a test box, use -W (with docker exec -it) to be prompted.
docker cp bootstrap.ldif openldap:/tmp/bootstrap.ldif
docker exec openldap ldapadd -x -D "cn=admin,dc=tak,dc=local" -w admin123 -f /tmp/bootstrap.ldif
# Verify import
docker exec openldap ldapsearch -x -b "dc=tak,dc=local" -D "cn=admin,dc=tak,dc=local" -w admin123 | grep "dn:"
```

Configure TAK Server:
- Open TAK Server web UI: https://YOUR_SERVER_IP:8443
- Navigate to Settings → Security
- Scroll to Authentication Configuration (LDAP)
- Fill in:
  - URL: `ldap://YOUR_SERVER_IP:389`
  - User String: `ou=people,dc=tak,dc=local`
  - Service Account DN: `cn=admin,dc=tak,dc=local`
  - Service Account Password: `admin123`
  - Group Base RDN: `ou=groups,dc=tak,dc=local`
  - Group Prefix: `cn=`
  - Update Interval: `600000`
- Click "Test Service Account" - should show success
- Click "Save"

TAK Server will automatically reload the configuration.
phpLDAPadmin:
- URL: http://localhost:8080
- Login DN: `cn=admin,dc=tak,dc=local`
- Password: `admin123`

TAK Server web UI:
- URL: https://YOUR_SERVER_IP:8443
- Use admin certificate (admin.p12) for access
| Username | Password | Email | DN |
|---|---|---|---|
| john.doe | password123 | john.doe@tak.local | cn=john.doe,ou=people,dc=tak,dc=local |
| jane.smith | password123 | jane.smith@tak.local | cn=jane.smith,ou=people,dc=tak,dc=local |
Via phpLDAPadmin:
- Open http://localhost:8080
- Login with admin credentials
- Navigate to `ou=people,dc=tak,dc=local`
- Click "Create new entry here"
- Select template: "Generic: User Account"
- Fill in user details:
  - Common Name (cn): username
  - Surname (sn): Last name
  - Given Name: First name
  - User ID (uid): username
  - Email: user@tak.local
  - Password: (set password)
- Click "Create Object"
Create newuser.ldif:
```ldif
dn: cn=new.user,ou=people,dc=tak,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: new.user
sn: User
givenName: New
uid: new.user
uidNumber: 10003
gidNumber: 10003
homeDirectory: /home/new.user
loginShell: /bin/bash
mail: new.user@tak.local
userPassword: password123
description: New TAK User
```

Import:
```bash
docker exec -i openldap ldapadd -x -D "cn=admin,dc=tak,dc=local" -w admin123 < newuser.ldif
```

Verify the entries, then test a user's own credentials with a simple bind as that user (this is exactly what TAK Server does when the user logs in):
```bash
docker exec openldap ldapsearch -x -b "ou=people,dc=tak,dc=local" -D "cn=admin,dc=tak,dc=local" -w admin123
docker exec openldap ldapwhoami -x -D "cn=john.doe,ou=people,dc=tak,dc=local" -w password123
```

When connecting a TAK client:
- Server Address: YOUR_SERVER_IP
- Port: 8089
- Protocol: TLS
- Authentication: Username/Password
- Username: `john.doe`
- Password: `password123`

No client certificate is needed; TAK Server checks the username and password against LDAP.
```bash
# Start OpenLDAP
cd ~/openldap-docker
docker compose up -d
# Stop OpenLDAP
docker compose down
# View logs
docker compose logs -f openldap
# Restart after changes
docker compose restart openldap
# Check status
docker compose ps
```

```bash
# Test basic connection (needs the ldap-utils package on the host)
ldapsearch -x -H ldap://localhost:389 -b "dc=tak,dc=local" -D "cn=admin,dc=tak,dc=local" -w admin123
# Test user authentication (simple bind as the user)
docker exec openldap ldapwhoami -x -D "cn=john.doe,ou=people,dc=tak,dc=local" -w password123
```
If TAK Server cannot authenticate users:
- Check TAK Server logs:
  ```bash
  sudo tail -f /opt/tak/logs/takserver-messaging.log | grep -i ldap
  sudo tail -f /opt/tak/logs/takserver-api.log | grep -i ldap
  ```
- Verify LDAP is running: `docker compose ps`
- Test from the TAK Server host (needs the ldap-utils package):
  ```bash
  ldapsearch -x -H ldap://localhost:389 -b "dc=tak,dc=local" -D "cn=admin,dc=tak,dc=local" -w admin123
  ```
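The ldapwhoami test above is an LDAP simple bind followed by the Who Am I extended operation, and TAK Server's service-account bind and every user login are the same simple bind. The following is an added example, not from this guide, OpenLDAP or TAK Server: it encodes the BindRequest such a client puts on the wire and decodes the server's BindResponse, using constructed byte strings rather than a live server. parse_bind_request shows that on ldap:// the DN and the password are readable by anyone on the path, which is why the production notes ask for ldaps://. simple_bind runs the same exchange against a real server if one is reachable. Tag values and result codes are from RFC 4511; all function names are this example's own.

```python
"""An LDAPv3 simple bind on the wire (what `ldapwhoami -x -D <dn> -w <pw>` sends first)."""
import socket
from typing import Tuple

# Tags from RFC 4511 (APPLICATION class, constructed) and the two result codes that matter here
LDAP_BIND_REQUEST = 0x60
LDAP_BIND_RESPONSE = 0x61
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0A) in minimal two's-complement form."""
    return ber_tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def ber_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV starting at pos; returns (tag, value bytes, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, authentication simple [0] } }."""
    body = ber_int(3) + ber_tlv(0x04, dn.encode("utf-8")) + ber_tlv(0x80, password.encode("utf-8"))
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(LDAP_BIND_REQUEST, body))


def parse_bind_request(pdu: bytes) -> Tuple[int, int, str, str]:
    """What anyone on the path sees in a plain ldap:// bind: (messageID, version, DN, password)."""
    _, msg, _ = ber_read(pdu, 0)
    _, mid, pos = ber_read(msg, 0)
    tag, body, _ = ber_read(msg, pos)
    if tag != LDAP_BIND_REQUEST:
        raise ValueError(f"expected BindRequest, got tag 0x{tag:02x}")
    _, version, pos = ber_read(body, 0)
    _, name, pos = ber_read(body, pos)
    auth_tag, cred, _ = ber_read(body, pos)
    if auth_tag != 0x80:
        raise ValueError("not a simple bind")
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(version, "big"),
            name.decode("utf-8"), cred.decode("utf-8"))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server-side BindResponse{ resultCode, matchedDN, diagnosticMessage }; used to build samples."""
    body = ber_int(result_code, tag=0x0A) + ber_tlv(0x04, b"") + ber_tlv(0x04, diagnostic.encode("utf-8"))
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(LDAP_BIND_RESPONSE, body))


def parse_bind_response(pdu: bytes) -> Tuple[int, int, str]:
    """Returns (messageID, resultCode, diagnosticMessage); 0 = bound, 49 = invalidCredentials."""
    _, msg, _ = ber_read(pdu, 0)
    _, mid, pos = ber_read(msg, 0)
    tag, body, _ = ber_read(msg, pos)
    if tag != LDAP_BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, pos = ber_read(body, 0)
    _, _matched_dn, pos = ber_read(body, pos)
    _, diagnostic, _ = ber_read(body, pos)
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"), diagnostic.decode("utf-8")


def simple_bind(host: str, port: int, dn: str, password: str) -> Tuple[int, str]:
    """Live check against a server (needs network); the bind half of the guide's ldapwhoami test."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(bind_request(1, dn, password))
        reply = sock.recv(4096)          # a BindResponse is a few dozen bytes; one read suffices
    _, code, diagnostic = parse_bind_response(reply)
    return code, diagnostic


if __name__ == "__main__":
    # Constructed exchange, no server involved: the guide's test user binding with a wrong password.
    request = bind_request(1, "cn=john.doe,ou=people,dc=tak,dc=local", "wrong-password")
    print("client sends   :", request.hex())
    print("visible on wire:", parse_bind_request(request))
    reply = bind_response(1, RESULT_INVALID_CREDENTIALS)
    print("server replies :", parse_bind_response(reply))
```

Running it prints the request bytes with the DN and password in the clear; `simple_bind("localhost", 389, "cn=john.doe,ou=people,dc=tak,dc=local", "password123")` against the container returns `(0, "")` for the right password and `(49, "")` for a wrong one, matching what ldapwhoami reports.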
Reset (start over):
```bash
# WARNING: This deletes all LDAP data!
docker compose down -v
docker compose up -d
# Re-import bootstrap.ldif
```

Backup:
```bash
# Backup all entries. slapcat writes to stdout; redirect on the host side so the
# file lands in your home directory rather than inside the container.
docker exec openldap slapcat > ~/ldap-backup-$(date +%Y%m%d).ldif
# Backup specific OU
docker exec openldap ldapsearch -x -b "ou=people,dc=tak,dc=local" -D "cn=admin,dc=tak,dc=local" -w admin123 > ~/ldap-users-backup-$(date +%Y%m%d).ldif
```

Restore:
```bash
# Stop OpenLDAP and clear old data. Remove all the named volumes (as in the reset
# above): the osixia image refuses to start when the database directory is empty
# but the config directory is not, so removing only openldap-data is not enough.
docker compose down -v
# Start fresh
docker compose up -d
sleep 10
# Restore from backup. slapadd(8) is meant to run while slapd is stopped, and slapd
# is this container's main process; on a running server prefer ldapadd instead
# (drop the operational attributes slapcat emits first, and use -c so the suffix
# and admin entries the image recreated do not abort the import):
#   docker exec -i openldap ldapadd -c -x -D "cn=admin,dc=tak,dc=local" -w admin123 < ~/ldap-restore.ldif
docker exec -i openldap slapadd < ~/ldap-backup-YYYYMMDD.ldif
# Restart
docker compose restart openldap
```

This is a TEST/DEVELOPMENT setup!
For production:
- Change default passwords:
  - Admin password in docker-compose.yml
  - User passwords from `password123`
- Use LDAPS (port 636):
  - Configure SSL certificates
  - Update TAK Server URL to `ldaps://`
- Restrict network access:
  ```bash
  # Firewall rules (ufw evaluates rules in order: allow the TAK Server network first, then deny everything else)
  sudo ufw allow from 192.168.0.0/24 to any port 389
  sudo ufw deny 389
  ```
  Note that Docker publishes container ports through its own iptables chains, which ufw's host rules do not cover. To limit exposure reliably, bind the published port to a specific address in docker-compose.yml (for example `"127.0.0.1:389:389"` when TAK Server runs on the same host).
- Strong passwords:
  - Enforce password complexity
  - Set password expiration policies
- Regular backups:
  - Automate LDAP backups
  - Test restore procedures
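Testing a restore is where slapcat backups bite: the dump includes operational attributes (entryUUID, entryCSN, createTimestamp and so on) that ldapadd rejects, and an ldapsearch dump ends with search:/result: lines that are not entries. Both stop a restore through ldapadd on a running server, the route to prefer over running slapadd next to a live slapd. The filter below is an added example, not part of the guide or of OpenLDAP: it unfolds RFC 2849 continuation lines, drops the operational attributes, skips the ldapsearch trailer and passes base64 (::) values through untouched, so the result can go straight into ldapadd -c. SAMPLE_SLAPCAT is constructed to look like a slapcat dump of the guide's tree; its UUIDs and timestamps are made up.

```python
"""Turn a slapcat (or ldapsearch) dump into something ldapadd will accept."""
from typing import List, Tuple

# Attributes slapd maintains itself; ldapadd refuses them with "no user modification allowed"
OPERATIONAL_ATTRS = {
    "structuralobjectclass", "entryuuid", "entrycsn", "creatorsname", "createtimestamp",
    "modifiersname", "modifytimestamp", "contextcsn", "entrydn", "subschemasubentry",
    "hassubordinates",
}


def unfold(ldif: str) -> List[str]:
    """Join RFC 2849 continuation lines (a single leading space) back onto the line above."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif: str) -> List[List[Tuple[str, str]]]:
    """Split into entries; each line becomes (lower-cased attribute name, original line)."""
    entries: List[List[Tuple[str, str]]] = []
    current: List[Tuple[str, str]] = []
    for line in unfold(ldif):
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        name = line.split(":", 1)[0].split(";")[0].strip().lower()   # drop options like ;binary
        if name == "version" and not current:                         # leading "version: 1"
            continue
        current.append((name, line))
    if current:
        entries.append(current)
    return entries


def strip_operational(ldif: str) -> str:
    """Drop operational attributes and ldapsearch's trailer; keep values (incl. base64 '::') verbatim."""
    kept_entries = []
    for entry in parse_entries(ldif):
        first = entry[0][0]
        if first in ("search", "result"):      # "search: 2" / "result: 0 Success" from ldapsearch
            continue
        if first != "dn":
            raise ValueError(f"entry does not start with dn: {entry[0][1]!r}")
        kept_entries.append("\n".join(line for name, line in entry if name not in OPERATIONAL_ATTRS))
    return "\n\n".join(kept_entries) + "\n"


# Constructed stand-in for `docker exec openldap slapcat` output (UUIDs/timestamps are made up).
SAMPLE_SLAPCAT = """\
dn: ou=people,dc=tak,dc=local
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
entryUUID: 3f1c2a9e-0000-1000-8000-000000000001
creatorsName: cn=admin,dc=tak,dc=local
createTimestamp: 20240101120000Z
entryCSN: 20240101120000.000000Z#000000#000#000000
modifiersName: cn=admin,dc=tak,dc=local
modifyTimestamp: 20240101120000Z

dn: cn=john.doe,ou=people,dc=tak,dc=local
objectClass: inetOrgPerson
cn: john.doe
sn: Doe
userPassword:: e1NTSEF9ZXhhbXBsZQ==
description: TAK User - John Doe, a description long enough to be folded by
  slapcat onto a second line
entryUUID: 3f1c2a9e-0000-1000-8000-000000000002
"""

if __name__ == "__main__":
    import sys
    # Usage: python strip_operational.py < ~/ldap-backup-YYYYMMDD.ldif > ~/ldap-restore.ldif
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SLAPCAT
    sys.stdout.write(strip_operational(data))
```

Feed the result to `docker exec -i openldap ldapadd -c -x -D "cn=admin,dc=tak,dc=local" -w admin123 < ~/ldap-restore.ldif`; `-c` keeps going past the "Already exists" errors for the suffix and admin entries that the image recreates on a fresh start.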
Add a user to a group (create add-to-group.ldif):
```ldif
dn: cn=tak-admins,ou=groups,dc=tak,dc=local
changetype: modify
add: member
member: cn=john.doe,ou=people,dc=tak,dc=local
```
Apply:
```bash
docker exec -i openldap ldapmodify -x -D "cn=admin,dc=tak,dc=local" -w admin123 < add-to-group.ldif
```

Change a user's password. Via phpLDAPadmin:
- Navigate to user
- Click "Password" link
- Enter new password
- Click "Update Password"
Via command line:
```bash
# -s puts the new password into shell history and the process list; use -S to be
# prompted instead (add -it to docker exec so the prompt works)
docker exec openldap ldappasswd -x -D "cn=admin,dc=tak,dc=local" -w admin123 -s newpassword123 "cn=john.doe,ou=people,dc=tak,dc=local"
```

Group-based permissions, in the TAK Server web UI:
- Go to Settings → Groups
- Map LDAP groups to TAK permissions:
  - tak-admins → Full admin access
  - tak-users → Standard user access
- Users in LDAP groups automatically get corresponding TAK permissions
```text
dc=tak,dc=local
├── ou=people (users)
│   ├── cn=john.doe
│   ├── cn=jane.smith
│   └── (other users)
└── ou=groups
    ├── cn=tak-users
    └── cn=tak-admins
```
| Service | Username/DN | Password |
|---|---|---|
| LDAP Admin | cn=admin,dc=tak,dc=local | admin123 |
| LDAP Config | cn=admin,cn=config | config123 |
| Test User 1 | john.doe | password123 |
| Test User 2 | jane.smith | password123 |
| Port | Service | Protocol |
|---|---|---|
| 389 | LDAP | TCP |
| 636 | LDAPS | TCP/SSL |
| 8080 | phpLDAPadmin | HTTP |
| 8089 | TAK Server | TLS |
| 8443 | TAK Server Web UI | HTTPS |
- ✅ Change default passwords
- ✅ Add real users via phpLDAPadmin
- ✅ Test authentication from TAK client
- ✅ Configure group-based permissions
- ✅ Set up regular backups
- ✅ Consider LDAPS for production
- OpenLDAP Documentation: https://www.openldap.org/doc/
- phpLDAPadmin: http://phpldapadmin.sourceforge.net/
- TAK Server Documentation: https://tak.gov
For issues:
- Check logs: `docker compose logs openldap`
- Verify connectivity: test the LDAP connection from the TAK Server host
- Review TAK Server logs for LDAP errors
Status: Development/Testing Setup
Security Level: Low (change passwords for production!)
Tested On: Ubuntu 24.04 LTS with TAK Server 5.5-RELEASE-58