Ping Identity Devops

Ping Identity DevOps Docker Image - pingdirectoryproxy

This docker image includes the Ping Identity PingDirectoryProxy product binaries and associated hook scripts to create and run a PingDirectoryProxy instance or instances.

  • pingidentity/pingbase - Parent Image

    This image inherits, and can use, environment variables from pingidentity/pingbase.

  • pingidentity/pingdatacommon - Common Ping files (i.e. hook scripts)

Environment Variables

In addition to the environment variables inherited from pingidentity/pingbase, the following environment variables can be used with this image.

| ENV Variable | Default | Description |
| --- | --- | --- |
| SHIM | ${SHIM} | |
| IMAGE_VERSION | ${IMAGE_VERSION} | |
| IMAGE_GIT_REV | ${IMAGE_GIT_REV} | |
| DATE | ${DATE} | |
| PING_PRODUCT_VERSION | ${VERSION} | |
| PING_PRODUCT | PingDirectoryProxy | Ping product name |
| LICENSE_FILE_NAME | PingDirectory.lic | Name of license file |
| LICENSE_DIR | ${PD_LICENSE_DIR} | PD License directory. This value is set from the pingbase docker file |
| LICENSE_SHORT_NAME | PD | Short name used when retrieving license from License Server |
| LICENSE_VERSION | ${LICENSE_VERSION} | Version used when retrieving license from License Server |
| ADMIN_USER_NAME | admin | Replication administrative user |
| STARTUP_COMMAND | ${SERVER_ROOT_DIR}/bin/start-server | The command that the entrypoint will execute in the foreground to instantiate the container |
| PD_DELEGATOR_PUBLIC_HOSTNAME | localhost | Public hostname of the DA app |
| STARTUP_FOREGROUND_OPTS | --nodetach | The command-line options to provide to the startup command when the container starts with the server in the foreground. This is the normal start flow for the container |
| STARTUP_BACKGROUND_OPTS | | The command-line options to provide to the startup command when the container starts with the server in the background. This is the debug start flow for the container |
| ROOT_USER_PASSWORD_FILE | | Location of file with the root user password (i.e. cn=directory manager). Defaults to /SECRETS_DIR/root-user-password |
| KEYSTORE_FILE | | Location of the keystore file containing the server certificate. If left undefined, the SECRETS_DIR will be checked for a keystore. If that keystore does not exist, the server will generate a self-signed certificate. |
| KEYSTORE_PIN_FILE | | Location of the pin file for the keystore defined in KEYSTORE_FILE. You must specify a KEYSTORE_PIN_FILE when a KEYSTORE_FILE is present. This value does not need to be defined when allowing the server to generate a self-signed certificate. |
| KEYSTORE_TYPE | | Format of the keystore defined in KEYSTORE_FILE. One of "jks", "pkcs12", "pem", or "bcfks" (in FIPS mode). If not defined, the keystore format will be inferred based on the file extension of the KEYSTORE_FILE, defaulting to "jks". |
| TRUSTSTORE_FILE | | Location of the truststore file for the server. If left undefined, the SECRETS_DIR will be checked for a truststore. If that truststore does not exist, the server will generate a truststore containing its own certificate. |
| TRUSTSTORE_PIN_FILE | | Location of the pin file for the truststore defined in TRUSTSTORE_FILE. You must specify a TRUSTSTORE_PIN_FILE when a TRUSTSTORE_FILE is present. This value does not need to be defined when allowing the server to generate a truststore. |
| TRUSTSTORE_TYPE | | Format of the truststore defined in TRUSTSTORE_FILE. One of "jks", "pkcs12", "pem", or "bcfks" (in FIPS mode). If not defined, the truststore format will be inferred based on the file extension of the TRUSTSTORE_FILE, defaulting to "jks". |
| TAIL_LOG_FILES | ${SERVER_ROOT_DIR}/logs/access ${SERVER_ROOT_DIR}/logs/errors ${SERVER_ROOT_DIR}/logs/failed-ops ${SERVER_ROOT_DIR}/logs/config-audit.log ${SERVER_ROOT_DIR}/logs/tools/.log ${SERVER_BITS_DIR}/logs/tools/.log | Files tailed once container has started |
| PD_PROFILE | ${STAGING_DIR}/pd.profile | Directory for the profile used by the PingData manage-profile tool |
| UNBOUNDID_SKIP_START_PRECHECK_NODETACH | true | Setting this variable to true speeds up server startup time by skipping an unnecessary JVM check. |
| CERTIFICATE_NICKNAME | | Identifies the alias of the certificate in the KEYSTORE_FILE that the server should use. If a value is not provided, the container will look at the list of certificates found in the KEYSTORE_FILE and, if one (and only one) certificate of type PrivateKeyEntry is found, that alias will be used. |
| RETRY_TIMEOUT_SECONDS | 180 | The default retry timeout in seconds for manage-topology and remove-defunct-server |
| PINGDIRECTORY_HOSTNAME | | Set this variable to configure Proxy for automatic server discovery with the PingDirectory hostname. JOIN_PD_TOPOLOGY must be enabled for PINGDIRECTORY_HOSTNAME to take effect. |
| PINGDIRECTORY_LDAPS_PORT | | Set this variable to configure Proxy for automatic server discovery with the PingDirectory LDAPS port. JOIN_PD_TOPOLOGY must be enabled for PINGDIRECTORY_LDAPS_PORT to take effect. |
| JOIN_PD_TOPOLOGY | false | Setting this variable to true will configure Proxy to join the topology of PingDirectory |
| COLUMNS | 120 | Sets the number of columns in PingDirectoryProxy command-line tool output |
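
The constraints stated for the variables above (a pin file is required whenever a keystore or truststore file is set, the store type must be one of the four listed values, and the PINGDIRECTORY_* discovery variables need JOIN_PD_TOPOLOGY set to true) can be checked on the host before the container is started. The shell functions below are an added example, not part of the image or its hook scripts; the function names and the world-readable check on pin files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the image): pre-flight check of the TLS and topology
# variables. Reads them from the current environment, prints one finding per
# line, and returns non-zero if any check fails.
# Usage: export the variables you plan to pass to the container, then: preflight

valid_store_type() {   # values listed for KEYSTORE_TYPE / TRUSTSTORE_TYPE,
    case "$1" in       # compared exactly as the page spells them
        jks|pkcs12|pem|bcfks) return 0 ;;
        *) return 1 ;;
    esac
}

check_store() {        # $1=KEYSTORE|TRUSTSTORE $2=store file $3=pin file $4=type
    rc=0
    if [ -n "$2" ]; then
        [ -r "$2" ] || { echo "$1: store file '$2' is not readable"; rc=1; }
        if [ -z "$3" ]; then
            echo "$1: ${1}_PIN_FILE is required when ${1}_FILE is set"; rc=1
        elif [ ! -r "$3" ]; then
            echo "$1: pin file '$3' is not readable"; rc=1
        elif [ -n "$(find "$3" -prune -perm -004)" ]; then
            # Extra hygiene check assumed by this example, not a rule from the page
            echo "$1: pin file '$3' is world-readable"; rc=1
        fi
    fi
    if [ -n "$4" ] && ! valid_store_type "$4"; then
        echo "$1: unsupported ${1}_TYPE '$4'"; rc=1
    fi
    return $rc
}

preflight() {
    status=0
    check_store KEYSTORE "$KEYSTORE_FILE" "$KEYSTORE_PIN_FILE" "$KEYSTORE_TYPE" || status=1
    check_store TRUSTSTORE "$TRUSTSTORE_FILE" "$TRUSTSTORE_PIN_FILE" "$TRUSTSTORE_TYPE" || status=1
    # Discovery variables only take effect when JOIN_PD_TOPOLOGY is true
    if [ "${JOIN_PD_TOPOLOGY:-false}" != "true" ] &&
       [ -n "${PINGDIRECTORY_HOSTNAME}${PINGDIRECTORY_LDAPS_PORT}" ]; then
        echo "TOPOLOGY: PINGDIRECTORY_* set but JOIN_PD_TOPOLOGY is not true"; status=1
    fi
    return $status
}
```
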

Ports Exposed

The following ports are exposed from the container. If a variable is used, it may come from a parent container.

  • ${LDAP_PORT}

  • ${LDAPS_PORT}

  • ${HTTPS_PORT}

  • ${JMX_PORT}

Running a PingDirectoryProxy container

The easiest way to test a simple standalone image of PingDirectoryProxy is to cut/paste the following command into a terminal on a machine with docker.

 docker exec -it pingdirectoryproxy \
        /opt/out/instance/bin/searchrate \
                -b dc=example,dc=com \
                --scope sub \
                --filter "(uid=user.[1-9])" \
                --attribute mail \
                --numThreads 2 \
                --ratePerSecond 100

You can view the Docker logs with the command:

 docker logs -f pingdirectoryproxy

You should see the output from a PingDirectoryProxy install and configuration, ending with a message that PingDirectoryProxy has started. After it starts, you will see some typical access logs. Press Ctrl-C to stop tailing the logs.

Running a sample 100/sec search rate test

With PingDirectoryProxy running from the previous section, you can run a searchrate job that will send load to the directory at a rate of 100/sec using the following command.

 docker exec -it pingdirectoryproxy \
        /opt/out/instance/bin/searchrate \
                -b dc=example,dc=com \
                --scope sub \
                --filter "(uid=user.[1-9])" \
                --attribute mail \
                --numThreads 2 \
                --ratePerSecond 100

Connecting with an LDAP Client

Connect an LDAP Client (such as Apache Directory Studio) to this container using the default ports and credentials:

  • LDAP Port: 1389

  • LDAP Base DN: dc=example,dc=com

  • Root Username: cn=administrator

  • Root Password: 2FederateM0re

Stopping/Removing the container

To stop the container:

 docker container stop pingdirectoryproxy

To remove the container:

 docker container rm -f pingdirectoryproxy

Docker Container Hook Scripts

Please go here for details on all pingdirectoryproxy hook scripts


This document is auto-generated from pingdirectoryproxy/Dockerfile

Copyright © 2025 Ping Identity Corporation. All rights reserved.