3. Enterprise Authentication using the Docker Image

Rocketgraph’s xGT Docker image can be configured to use an LDAP directory server running on a customer’s network. The host system running Docker must be configured appropriately to be an LDAP client. A common configuration is to use the FreeIPA framework for both servers and clients: https://www.freeipa.org.

If the host system has been configured as a FreeIPA client, then a simple approach to enable xGT inside a Docker image to use the FreeIPA LDAP server for authentication is the following:

When running the xGT image, mount the following volumes (only the pam and sss volumes are required for LDAP; conf and xgtlog are convenient):

docker run --detach --publish=4367:4367 --volume=$PWD/data:/data \
           --volume=$PWD/conf:/conf --volume=$PWD/xgtlog:/var/log/xgtd \
           --volume=$PWD/pam:/etc/pam.d \
           --volume=/var/lib/sss:/var/lib/sss rocketgraph/xgt

In the mounted pam directory, modify the xgtd file so that it contains:

#
# /etc/pam.d/xgtd - specify the PAM behavior for xgtd
#

auth       required     pam_sss.so
account    required     pam_sss.so
session    required     pam_sss.so

The xGT Docker image must be restarted after making these changes.

Mounting the host's /var/lib/sss directory at the same path inside the Docker image lets the pam_sss module inside the container reach the sssd daemon running on the host through sssd's own client sockets, so no additional services (sssd, an LDAP client daemon) need to run inside the Docker image.
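The steps above (create the host directories, write the pam.d/xgtd stanza, mount the volumes, start the container) as one script. This is an added example and not part of Rocketgraph's documentation or tooling; the script name xgt_ldap_setup.sh, the function names and the preflight checks are assumptions. The preflight assumes the host runs sssd with its default state directory /var/lib/sss (whose pipes/ subdirectory holds the sockets pam_sss.so connects to) and, where systemd is present, that the service is called sssd.

```shell
#!/bin/sh
# Added example (not Rocketgraph's own tooling): prepare the host side of the
# xGT container for SSSD-backed PAM authentication and sanity-check it before
# starting the container.  Usage: sh xgt_ldap_setup.sh /srv/xgt
set -eu

# Write the /etc/pam.d/xgtd stanza into the host directory that will be
# bind-mounted at /etc/pam.d inside the container.
write_pam_config() {
    pam_dir=$1
    mkdir -p "$pam_dir"
    cat > "$pam_dir/xgtd" <<'EOF'
#
# /etc/pam.d/xgtd - specify the PAM behavior for xgtd
#

auth       required     pam_sss.so
account    required     pam_sss.so
session    required     pam_sss.so
EOF
}

# Return 0 only when each management group (auth, account, session) is
# delegated to pam_sss.so with the control value "required".  A missing
# group means the container would fall back to whatever the image shipped.
check_pam_config() {
    file=$1
    for group in auth account session; do
        if ! grep -Eq "^${group}[[:space:]]+required[[:space:]]+pam_sss\.so" "$file"; then
            echo "pam.d/xgtd: no 'required pam_sss.so' line for '$group'" >&2
            return 1
        fi
    done
    return 0
}

# Host preflight: pam_sss.so inside the container talks to the sockets under
# /var/lib/sss/pipes.  If that directory is absent the mounted volume is empty
# and every login will fail, so refuse to continue.  Path is an assumption
# (sssd's default); override it with the first argument.
check_host_sssd() {
    sss_dir=${1:-/var/lib/sss}
    if [ ! -d "$sss_dir/pipes" ]; then
        echo "$sss_dir/pipes not found: is sssd installed and running on the host?" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet sssd || { echo "sssd service is not active" >&2; return 1; }
    fi
    return 0
}

# Assemble the docker run command line from the documentation for a given
# host working directory (the docs use $PWD; we take it as a parameter).
build_run_cmd() {
    base=$1
    printf '%s' "docker run --detach --publish=4367:4367 --volume=$base/data:/data" \
        " --volume=$base/conf:/conf --volume=$base/xgtlog:/var/log/xgtd" \
        " --volume=$base/pam:/etc/pam.d" \
        " --volume=/var/lib/sss:/var/lib/sss rocketgraph/xgt"
}

main() {
    base=$1
    mkdir -p "$base/data" "$base/conf" "$base/xgtlog"
    write_pam_config "$base/pam"
    check_pam_config "$base/pam/xgtd"
    check_host_sssd
    cmd=$(build_run_cmd "$base")
    echo "Starting xGT with: $cmd"
    eval "$cmd"
}

# Run only when a base directory is given, so the functions can also be
# sourced and exercised individually.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

After the container is up, a failed login will show up in the host's sssd logs (not inside the container), which is the first place to look if pam_sss.so rejects a user who can log in to the host itself.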

For more details on LDAP authentication, IPA and SSSD see LDAP User Password Authentication.