ADR-006: OpenLDAP Image Migration: bitnamilegacy → nfrastack

Status

Accepted. Implemented 2026-02-27.

Context

The LDAP stack was running bitnamilegacy/openldap:2, a legacy Bitnami image that no longer receives security updates. Additionally, the Kopano decommissioning (ADR-005) required purging all Kopano-specific LDAP schema data. Enabling the memberOf overlay also required a custom Dockerfile on top of the legacy image; a maintained image with the overlay compiled in removes that build step.

Decision

Migrate to nfrastack/openldap:2.6 (renamed from tiredofit/docker-openldap).

Warning: tiredofit/openldap:latest is frozen and crashes on startup — use nfrastack/openldap:2.6.

Combined into one maintenance window:

  1. Image replacement (bitnami legacy → nfrastack)
  2. Kopano schema cleanup (strip all kopano* attrs via scripts/clean-kopano-ldif.py)
  3. Custom Dockerfile removed (memberOf is compiled-in, no env var needed)
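
The schema cleanup step relies on scripts/clean-kopano-ldif.py, which is not reproduced in this ADR; the filter below is an added illustration of that kind of LDIF pass, not the project's script. It assumes, beyond what the ADR states, that Kopano objectClass values must be dropped together with the kopano* attributes, because the migrated directory no longer loads the Kopano schema.

```python
"""Strip Kopano schema residue from an LDIF export before re-import.
Assumed here (not stated in the ADR): attributes named kopano* and
objectClass values starting with kopano are both dropped, since the new
server does not load the Kopano schema and would reject them on import."""
import sys

def unfold(lines):
    """Join LDIF folds: a line starting with one space continues the previous one."""
    out = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def is_kopano(attr, value):
    """True if this attribute line carries Kopano schema data."""
    attr = attr.lower()
    if attr.startswith("kopano"):  # kopanoAccount, kopanoAliases, ...
        return True
    return attr == "objectclass" and value.strip().lower().startswith("kopano")

def clean_ldif(text):
    """Return the LDIF with Kopano attributes and objectClass values removed."""
    kept = []
    for line in unfold(text.splitlines()):
        if not line or line.startswith("#") or ":" not in line:
            kept.append(line)  # entry separator or comment line
            continue
        attr, value = line.split(":", 1)
        if not is_kopano(attr, value):
            kept.append(line)
    return "\n".join(kept) + "\n"

# Constructed sample entry; the indented line is an LDIF fold of 'description'.
SAMPLE = """\
dn: uid=alice,ou=users,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: kopano-user
kopanoAccount: 1
description: long text that
  continues on a folded line
"""

if __name__ == "__main__":  # usage: python clean.py < export.ldif > clean.ldif
    sys.stdout.write(clean_ldif(sys.stdin.read()))
```

Run it over the full slapcat export and diff the before/after entry counts before importing into the new container; the dn lines should be unchanged.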

Port changed from 1389 (bitnami non-root) to 389 (standard). All consumers updated.

Consequences

  • ✅ Actively maintained Alpine-based image with security updates
  • ✅ memberOf overlay compiled-in, no custom image build needed
  • ✅ Directory cleaned of Kopano cruft, reduced consumers
  • ⚠️ Volume format incompatible — full export/import required (breaking change)
  • ⚠️ init: true must NOT be set on the compose service (it places an init process at PID 1 and breaks s6-overlay, which must run as PID 1)
  • ⚠️ TLS_CREATE_SELFSIGNED=FALSE required when using external Step-CA certs
  • 🔗 See: services/identity.md for configuration details, pitfalls, and post-cert.sh UID (165925)