Ping Identity DevOps Docker Image - pingdirectoryproxy ¶
This docker image includes the Ping Identity PingDirectoryProxy product binaries and associated hook scripts to create and run a PingDirectoryProxy instance or instances.
Related Docker Images ¶
pingidentity/pingbase- Parent ImageThis image inherits, and can use, Environment Variables from pingidentity/pingbase
pingidentity/pingdatacommon- Common Ping files (i.e. hook scripts)\
Environment Variables ¶
In addition to environment variables inherited from pingidentity/pingbase,
the following environment ENV variables can be used with
this image.
| ENV Variable | Default | Description |
|---|---|---|
| SHIM | ${SHIM} | |
| IMAGE_VERSION | ${IMAGE_VERSION} | |
| IMAGE_GIT_REV | ${IMAGE_GIT_REV} | |
| DATE | ${DATE} | |
| PING_PRODUCT_VERSION | ${VERSION} | |
| PING_PRODUCT | PingDirectoryProxy | Ping product name |
| LICENSE_FILE_NAME | PingDirectory.lic | Name of license File |
| LICENSE_DIR | ${PD_LICENSE_DIR} | PD License directory. This value is set from the pingbase docker file |
| LICENSE_SHORT_NAME | PD | Short name used when retrieving license from License Server |
| LICENSE_VERSION | ${LICENSE_VERSION} | Version used when retrieving license from License Server |
| ADMIN_USER_NAME | admin | Replication administrative user |
| STARTUP_COMMAND | ${SERVER_ROOT_DIR}/bin/start-server | The command that the entrypoint will execute in the foreground to instantiate the container |
| PD_DELEGATOR_PUBLIC_HOSTNAME | localhost | Public hostname of the DA app |
| STARTUP_FOREGROUND_OPTS | --nodetach | The command-line options to provide to the the startup command when the container starts with the server in the foreground. This is the normal start flow for the container |
| STARTUP_BACKGROUND_OPTS | The command-line options to provide to the the startup command when the container starts with the server in the background. This is the debug start flow for the container | |
| ROOT_USER_PASSWORD_FILE | Location of file with the root user password (i.e. cn=directory manager). Defaults to /SECRETS_DIR/root-user-password | |
| KEYSTORE_FILE | Location of the keystore file containing the server certificate. If left undefined, the SECRETS_DIR will be checked for a keystore. If that keystore does not exist, the server will generate a self-signed certificate. | |
| KEYSTORE_PIN_FILE | Location of the pin file for the keystore defined in KEYSTORE_FILE. You must specify a KEYSTORE_PIN_FILE when a KEYSTORE_FILE is present. This value does not need to be defined when allowing the server to generate a self-signed certificate. | |
| KEYSTORE_TYPE | Format of the keystore defined in KEYSTORE_FILE. One of "jks", "pkcs12", "pem", or "bcfks" (in FIPS mode). If not defined, the keystore format will be inferred based on the file extension of the KEYSTORE_FILE, defaulting to "jks". | |
| TRUSTSTORE_FILE | Location of the truststore file for the server. If left undefined, the SECRETS_DIR will be checked for a truststore. If that truststore does not exist, the server will generate a truststore, containing its own certificate. | |
| TRUSTSTORE_PIN_FILE | Location of the pin file for the truststore defined in TRUSTSTORE_FILE. You must specify a TRUSTSTORE_PIN_FILE when a TRUSTSTORE_FILE is present. This value does not need to be defined when allowing the server to generate a truststore. | |
| TRUSTSTORE_TYPE | Format of the truststore defined in TRUSTSTORE_FILE. One of "jks", "pkcs12", "pem", or "bcfks" (in FIPS mode). If not defined, the truststore format will be inferred based on the file extension of the TRUSTSTORE_FILE, defaulting to "jks". | |
| TAIL_LOG_FILES | ${SERVER_ROOT_DIR}/logs/access ${SERVER_ROOT_DIR}/logs/errors ${SERVER_ROOT_DIR}/logs/failed-ops ${SERVER_ROOT_DIR}/logs/config-audit.log ${SERVER_ROOT_DIR}/logs/tools/.log ${SERVER_BITS_DIR}/logs/tools/.log | Files tailed once container has started |
| PD_PROFILE | ${STAGING_DIR}/pd.profile | Directory for the profile used by the PingData manage-profile tool |
| UNBOUNDID_SKIP_START_PRECHECK_NODETACH | true | Setting this variable to true speeds up server startup time by skipping an unnecessary JVM check. |
| CERTIFICATE_NICKNAME | There is an additional certificate-based variable used to identity the certificate alias used within the KEYSTORE_FILE. That variable is called CERTIFICATE_NICKNAME, which identifies the certificate to use by the server in the KEYSTORE_FILE. If a value is not provided, the container will look at the list certs found in the KEYSTORE_FILE and if one - and only one - certificate is found of type PrivateKeyEntry, that alias will be used. |
|
| RETRY_TIMEOUT_SECONDS | 180 | The default retry timeout in seconds for manage-topology and remove-defunct-server |
| PINGDIRECTORY_HOSTNAME | Set this variable to configure Proxy for automatic server discovery with PingDirectory hostname JOIN_PD_TOPOLOGY must be enabled for PINGDIRECTORY_HOSTNAME to take effect | |
| PINGDIRECTORY_LDAPS_PORT | Set this variable to configure Proxy for automatic server discovery with PingDirectory LDAPS port JOIN_PD_TOPOLOGY must be enabled for PINGDIRECTORY_LDAPS_PORT to take effect | |
| JOIN_PD_TOPOLOGY | false | Setting this variable to true will configure proxy to join the topology of PingDirectory |
| COLUMNS | 120 | Sets the number of columns in PingDirectoryProxy command-line tool output |
Ports Exposed ¶
The following ports are exposed from the container. If a variable is used, then it may come from a parent container
- ${LDAP_PORT}
- ${LDAPS_PORT}
- ${HTTPS_PORT}
- ${JMX_PORT}
Running a PingDirectoryProxy container ¶
The easiest way to test test a simple standalone image of PingDirectoryProxy is to cut/paste the following command into a terminal on a machine with docker.
docker run \
--name pingdirectoryproxy \
--publish 1389:1389 \
--publish 8443:1443 \
--detach \
--env SERVER_PROFILE_URL=https://github.com/pingidentity/pingidentity-server-profiles.git \
--env SERVER_PROFILE_PATH=baseline/pingdirectoryproxy \
--env PING_IDENTITY_ACCEPT_EULA=YES \
--env PING_IDENTITY_DEVOPS_USER \
--env PING_IDENTITY_DEVOPS_KEY \
--tmpfs /run/secrets \
pingidentity/pingdirectoryproxy:edge
You can view the Docker logs with the command:
docker logs -f pingdirectoryproxy
You should see the output from a PingDirectoryProxy install and configuration, ending with a message the the PingDirectoryProxy has started. After it starts, you will see some typical access logs. Simply Ctrl-C after to stop tailing the logs.
Running a sample 100/sec search rate test ¶
With the PingDirectoryProxy running from the previous section, you can run a searchrate job that will send load to the directory at a rate if 100/sec using the following command.
docker exec -it pingdirectoryproxy \
/opt/out/instance/bin/searchrate \
-b dc=example,dc=com \
--scope sub \
--filter "(uid=user.[1-9])" \
--attribute mail \
--numThreads 2 \
--ratePerSecond 100
Connecting with an LDAP Client ¶
Connect an LDAP Client (such as Apache Directory Studio) to this container using the default ports and credentials
| LDAP Port | 1389 |
| LDAP Base DN | dc=example,dc=com |
| Root Username | cn=administrator |
| Root Password | 2FederateM0re |
Stopping/Removing the container ¶
To stop the container:
docker container stop pingdirectoryproxy
To remove the container:
docker container rm -f pingdirectoryproxy
Docker Container Hook Scripts ¶
Please go here for details on all pingdirectoryproxy hook scripts
This document is auto-generated from pingdirectoryproxy/Dockerfile
Copyright © 2024 Ping Identity Corporation. All rights reserved.