"Users can come from anywhere: Active Directory, LDAP, Crowd itself, or any mix thereof. Control permissions to all your applications in one place – Atlassian, Subversion, Google Apps, or your own apps." - [Source]
Version | Tags | Dockerfile |
---|---|---|
3.3.5 | 3.3.5, latest | Dockerfile |
Older tags remain but are not supported/rebuild.
You may also like:
- blacklabelops/jira: The #1 software development tool used by agile teams
- blacklabelops/confluence: Create, organize, and discuss work with your team
- blacklabelops/bitbucket: Code, Manage, Collaborate
- blacklabelops/crowd: Identity management for web apps
Docker-Compose:
$ curl -O https://raw.githubusercontent.com/blacklabelops/crowd/master/docker-compose.yml
$ docker-compose up -d
Crowd will be available at http://yourdockerhost:8095
Docker-CLI:
Just type and follow the manual installation procedure in your browser:
$ docker run -d -p 8095:8095 --name crowd blacklabelops/crowd
Point your browser to http://yourdockerhost:8095
- Start database server for Crowd.
- Start Crowd.
- Manual Crowd setup.
Firstly, start the database server for Crowd:
Note: Change Password!
$ docker run --name postgres_crowd -d \
-e 'POSTGRES_DB=crowddb' \
-e 'POSTGRES_USER=crowddb' \
-e 'POSTGRES_PASSWORD=jellyfish' \
blacklabelops/postgres
Secondly, start Crowd:
$ docker run -d --name crowd \
--link postgres_crowd:postgres_crowd \
-p 8095:8095 blacklabelops/crowd
Starts Crowd and links it to the postgresql instances. JDBC URL: jdbc:postgresql://postgres_crowd/crowddb
Thirdly, configure your Crowd yourself and fill it with a test license.
Point your browser to http://yourdockerhost:8095
- Choose
Set up Crowd
- Create and enter license information
- Choose
New installation
- In
Database configuration
chooseJDBC connection
and fill out the form:
- Database: PostgreSQL
- Driver Class Name:
org.postgresql.Driver
- JDBC URL:
jdbc:postgresql://postgres_crowd:5432/crowddb
- Username:
crowddb
- Password:
jellyfish
- Hibernate dialect:
org.hibernate.dialect.PostgreSQLDialect
- In
Options
choosehttp://localhost:8095/crowd
for fieldBase URL
otherwise you won't be able to connect later on. - Fill out the rest of the installation procedure.
If you can't connect to your instance you might have configured the wrong Base URL
. Run the installation described above again and stick to the manual for field Base URL
.
Typical error message in logs:
Caused by: org.codehaus.xfire.fault.XFireFault: Client with address "xxx.xx.xx.xx" is forbidden from making requests to the application, crowd.
Set the Splash Screens context to empty string and crowd to root context.
$ docker run -d --name crowd \
-e "CROWD_URL=http://localhost:8095" \
-e "SPLASH_CONTEXT=" \
-e "CROWD_CONTEXT=ROOT" \
-p 8095:8095 blacklabelops/crowd
Splash context will never be shown, crowd will be shown under http://youdockerhost:8095/
Disable all contexts to make sub application inaccessible (e.g. you do not use them)
You can disable applications by setting their context to empty string:
- Crowd: CROWD_CONTEXT
- Splash: SPLASH_CONTEXT
- OpenID server: CROWDID_CONTEXT
- OpenID client: OPENID_CLIENT_CONTEXT
Example:
$ docker run -d --name crowd \
-e "CROWD_URL=http://localhost:8095" \
-e "SPLASH_CONTEXT=" \
-e "CROWD_CONTEXT=ROOT" \
-e "CROWDID_CONTEXT=" \
-e "OPENID_CLIENT_CONTEXT=" \
-p 8095:8095 blacklabelops/crowd
Subapplications will not be accessible anymore. Crowd will run under root context under http://youdockerhost:8095/
Crowd requires that you install a CA Certificate if you want to allow crowd to add users, or change passwords, in Active Directory (More information).
This is done automatically for any certificates that are present in the 'certs' directory in your persistant volume. For example, if you had called your volume 'crowd', you simply need to copy the certificate to /var/lib/dockers/volumes/crowd/_data/certs (if you are using the default storage location).
You can validate that you have exported the correct certificate by checking that the 'CA' attribute is set to true
[root@docker2 volumes]# openssl x509 -in crowd/_data/certs/client.crt -inform der -text -noout | grep CA:
CA:TRUE
[root@docker volumes]#
You will see the certificate being imported when the container is started.
You can specify your proxy host and proxy port with the environment variables CROWD_PROXY_NAME and CROWD_PROXY_PORT. The value will be set inside the Atlassian server.xml at startup!
When you use https then you also have to include the environment variable CROWD_PROXY_SCHEME.
Example HTTPS:
- Proxy Name: myhost.example.com
- Proxy Port: 443
- Poxy Protocol Scheme: https
Just type:
$ docker run -d --name crowd \
-e "CROWD_PROXY_NAME=myhost.example.com" \
-e "CROWD_PROXY_PORT=443" \
-e "CROWD_PROXY_SCHEME=https" \
blacklabelops/crowd
Will set the values inside the server.xml in /opt/crowd/.../server.xml
This is an example on running Atlassian Crowd behind NGINX with 2 Docker commands!
First start Crowd:
$ docker run -d --name crowd \
-e "CROWD_PROXY_NAME=192.168.99.100" \
-e "CROWD_PROXY_PORT=80" \
-e "CROWD_PROXY_SCHEME=http" \
blacklabelops/crowd
Example with dockertools
Then start NGINX:
$ docker run -d \
-p 80:80 \
--name nginx \
--link crowd:crowd \
-e "SERVER1REVERSE_PROXY_LOCATION1=/" \
-e "SERVER1REVERSE_PROXY_PASS1=http://crowd:8095" \
blacklabelops/nginx
Crowd will be available at http://192.168.99.100.
This is an example on running Atlassian Crowd behind NGINX-HTTPS with2 Docker commands!
Note: This is a self-signed certificate! Trusted certificates by letsencrypt are supported. Documentation can be found here: blacklabelops/nginx
First start Crowd:
$ docker run -d --name crowd \
-e "CROWD_PROXY_NAME=192.168.99.100" \
-e "CROWD_PROXY_PORT=80" \
-e "CROWD_PROXY_SCHEME=http" \
blacklabelops/crowd
Example with dockertools
Then start NGINX:
$ docker run -d \
-p 443:443 \
--name nginx \
--link crowd:crowd \
-e "SERVER1REVERSE_PROXY_LOCATION1=/" \
-e "SERVER1REVERSE_PROXY_PASS1=http://crowd:8095" \
-e "SERVER1CERTIFICATE_DNAME=/CN=CrustyClown/OU=SpringfieldEntertainment/O=crusty.springfield.com/L=Springfield/C=US" \
-e "SERVER1HTTPS_ENABLED=true" \
-e "SERVER1HTTP_ENABLED=false" \
blacklabelops/nginx
Crowd will be available at https://192.168.99.100.
Allow secure
-Flag on Cookies for SSO by setting CROWD_PROXY_SECURE
to true. Crowd assumes that requests are delivered in a secure manner. Those cookies enforce secured connections to any sso-enabled application using the crowd service. This setting is only useful in conjuction with a SSL-reverse-proxy.
Example:
$ docker run -d --name crowd \
-e "CROWD_URL=http://localhost:8095" \
-e "CROWD_PROXY_NAME=192.168.99.100" \
-e "CROWD_PROXY_PORT=443" \
-e "CROWD_PROXY_SCHEME=https" \
-e "CROWD_PROXY_SECURE=true" \
blacklabelops/crowd
Then start NGINX:
$ docker run -d \
-p 443:443 \
--name nginx \
--link crowd:crowd \
-e "SERVER1REVERSE_PROXY_LOCATION1=/" \
-e "SERVER1REVERSE_PROXY_PASS1=http://crowd:8095" \
-e "SERVER1CERTIFICATE_DNAME=/CN=CrustyClown/OU=SpringfieldEntertainment/O=crusty.springfield.com/L=Springfield/C=US" \
-e "SERVER1HTTPS_ENABLED=true" \
-e "SERVER1HTTP_ENABLED=false" \
blacklabelops/nginx
See [https://confluence.atlassian.com/crowd/sso-cookie-168003384.html](SSO Cookie) for details about secure cookies in Crowd.
You may now configure Applications to use Crowd with SSO-features.
The full feature list is documented here as this image is feature identical with the atlassian example: Readme.md
This project is very grateful for code and examples from the repositories: