https://wiki.castanedo.es/index.php?action=history&feed=atom&title=OpenLDAP
OpenLDAP - Historial de revisiones
2026-05-10T14:18:26Z
Historial de revisiones de esta página en la wiki
MediaWiki 1.39.8
https://wiki.castanedo.es/index.php?title=OpenLDAP&diff=201&oldid=prev
Guzman en 21:40 18 abr 2026
2026-04-18T21:40:09Z
<p></p>
<p><b>Página nueva</b></p><div>== Instalación OpenLDAP en Docker ==<br />
Instalación de [https://hub.docker.com/r/vegardit/openldap vegardit/openldap] en Docker.<br />
Se va a usar los siguientes protocolos:<br />
* LDAP (puerto 389/tcp): sólo en localhost<br />
* LDAPS (puerto 636/tcp): publicado con Nginx como reserve proxy (en PRO)<br />
<br />
== Requisitos ==<br />
Para poder realizar esta configuración se necesita:<br />
* Servidor GNU Linux (ver [[Securizar Ubuntu Server]])<br />
** Cortafuegos FirewallD (UFW tiene problemas con Docker)<br />
* Docker Engine (ver [[Docker Engine]])<br />
** Módulo: Docker Compose (para PRO)<br />
* Nginx (ver [[LEMP]])<br />
** Módulo: Nginx Stream (incluido en Ubuntu)<br />
<br />
== Entorno de DEV ==<br />
Como entorno de DEV se va a usar Docker Desktop.<br />
<br />
=== Descargar imagen ===<br />
Vamos a usar la imagen que es la latest a día de hoy (2.6.10).<br />
<syntaxhighlight lang="Bash">docker pull vegardit/openldap:2.6.10</syntaxhighlight><br />
<br />
=== Ejecutar contenedor en Docker Desktop (DEV) ===<br />
Vamos a usar la imagen sólo con LDAP (389/tcp) solo para localhost.<br />
IMPORTANTE: para añadir SSL/TLS usaremos Nginx.<br />
<syntaxhighlight lang="Bash"><br />
docker run -d --name openldap \<br />
--hostname ldapdev.culturetas.net \<br />
--env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \<br />
--env LDAP_INIT_ORG_NAME="Culturetas SPQR" \<br />
--env LDAP_INIT_ROOT_USER_DN='uid=admin,dc=culturetas,dc=net' \<br />
--env LDAP_INIT_ROOT_USER_PW="CONTRASEÑA" \<br />
--env LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \<br />
--env LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,dc=culturetas,dc=net' \<br />
--env LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net' \<br />
--env LDAP_INIT_RFC2307BIS_SCHEMA=0 \<br />
--env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \<br />
--env LDAP_TLS_ENABLED=false \<br />
--env LDAP_LDAPS_ENABLED=false \<br />
-p 127.0.0.1:389:389 \<br />
-v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d \<br />
vegardit/openldap:2.6.10<br />
</syntaxhighlight><br />
'''Nota''': OpenSSL soporta SSL/TLS, pero con vegardit/openldap no funciona correctamente y tras un handshake correcot, no completa siempre la autenticación (usaremos un reverse proxy como alternativa y es más seguro).<br />
<br />
=== Pruebas ===<br />
Vamos a probar a conectar usando [https://directory.apache.org/studio/downloads.html Apache Directory Studio].<br />
* Hostname: 127.0.0.1<br />
* Port: 389<br />
* Encryption: LDAP<br />
* Bind DN: uid=admin,dc=culturetas,dc=net<br />
* Bind password: CONTRASEÑA<br />
<br />
== Entorno de PRO ==<br />
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.<br />
<br />
=== Instalar módulo Stream de Nginx ===<br />
Nginx con módulo Stream permite balancear a puertos TCP o UDP (que no sean HTTP).<br />
No viene con el paquete estándar de Nginx, se instala aparte:<br />
<syntaxhighlight lang="Bash">apt install libnginx-mod-stream</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
=== Configuración módulo Stream ===<br />
* Backup nginx.conf<br />
<syntaxhighlight lang="Bash">cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.20260322</syntaxhighlight><br />
<br />
* Crear carpeta para Stream<br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/stream-available</syntaxhighlight><br />
<syntaxhighlight lang="Bash">mkdir /etc/nginx/stream-enabled</syntaxhighlight><br />
<br />
* Añadir configuración para Stream<br />
<syntaxhighlight lang="Bash">vi /etc/nginx/nginx.conf</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
[...]<br />
stream {<br />
# Log format<br />
log_format stream_format '$remote_addr [$time_local] '<br />
'$protocol $status $bytes_sent $bytes_received '<br />
'$session_time "$upstream_addr"';<br />
include /etc/nginx/stream-enabled/*;<br />
}<br />
[...]<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight><br />
<br />
=== Configurar Virtual Host para LDAP (para HTTP) ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
##<br />
# You should look at the following URL's in order to grasp a solid understanding<br />
# of Nginx configuration files in order to fully unleash the power of Nginx.<br />
# http://wiki.nginx.org/Pitfalls<br />
# http://wiki.nginx.org/QuickStart<br />
# http://wiki.nginx.org/Configuration<br />
#<br />
# Generally, you will want to move this file somewhere, and start with a clean<br />
# file but keep this around for reference. Or just disable in sites-enabled.<br />
#<br />
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.<br />
##<br />
<br />
# Default server configuration<br />
#<br />
server {<br />
# Redirect HTTP to HTTPS<br />
listen 80;<br />
listen [::]:80;<br />
server_name ldap.culturetas.net;<br />
# Redirect HTTP to HTTPS<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
# SSL configuration<br />
#<br />
listen 443 ssl http2;<br />
listen [::]:443 ssl http2;<br />
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;<br />
#<br />
# Note: You should disable gzip for SSL traffic.<br />
# See: https://bugs.debian.org/773332<br />
#<br />
# Read up on ssl_ciphers to ensure a secure configuration.<br />
# See: https://bugs.debian.org/765782<br />
#<br />
# Self signed certs generated by the ssl-cert package<br />
# Don't use them in a production server!<br />
#<br />
# include snippets/snakeoil.conf;<br />
<br />
root /var/www/ldap.culturetas.net;<br />
<br />
# Add index.php to the list if you are using PHP<br />
index index.php index.html index.htm;<br />
<br />
server_name ldap.culturetas.net;<br />
<br />
access_log /var/log/nginx/ldap.culturetas.net-access.log;<br />
error_log /var/log/nginx/ldap.culturetas.net-error.log;<br />
<br />
# # Auth Basic (for developing)<br />
# auth_basic "Pagina Restringida";<br />
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;<br />
<br />
# Activate HSTS (HTTP Strict Transport Security)<br />
# Note: reinclude if in a location a header is set<br />
include snippets/hsts.conf;<br />
<br />
# Allow favicon.ico, robots.txt, .well-known/<br />
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht<br />
include snippets/allowed.conf;<br />
include snippets/denied.conf;<br />
<br />
# Redirect all to Keycloak<br />
return 301 https://entrar.culturetas.net;<br />
}<br />
</syntaxhighlight><br />
<br />
* Crear carpeta para VirtualHost:<br />
<syntaxhighlight lang="Bash">mkdir /var/www/ldap.culturetas.net</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Generar certificados Let's Encrypt ===<br />
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
Saving debug log to /var/log/letsencrypt/letsencrypt.log<br />
<br />
Which names would you like to activate HTTPS for?<br />
We recommend selecting either all domains, or all domains in a VirtualHost/server block.<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
1: ldap.culturetas.net<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
Select the appropriate numbers separated by commas and/or spaces, or leave input<br />
blank to select all options shown (Enter 'c' to cancel): 1<br />
Requesting a certificate for ldap.culturetas.net<br />
<br />
Successfully received certificate.<br />
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem<br />
Key is saved at: /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem<br />
This certificate expires on 2026-06-19.<br />
These files will be updated when the certificate renews.<br />
Certbot has set up a scheduled task to automatically renew this certificate in the background.<br />
<br />
Deploying certificate<br />
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net<br />
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net<br />
<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
If you like Certbot, please consider supporting our work by:<br />
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate<br />
* Donating to EFF: https://eff.org/donate-le<br />
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br />
</syntaxhighlight><br />
<br />
=== Configurar Virtual Host para LDAP (para Stream) ===<br />
* Añadir Virtual Host:<br />
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight><br />
<syntaxhighlight lang="Bash">vi /etc/nginx/stream-available/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
########################<br />
# STREAM REVERSE PROXY #<br />
########################<br />
<br />
# Nginx Stream allow load balancer to TCP or UDP ports (no HTTP).<br />
upstream ldap_backend {<br />
server 127.0.0.1:389 max_fails=3 fail_timeout=30s;<br />
# Opcional: High Availability<br />
# server 192.168.10.45:389 backup;<br />
}<br />
<br />
server {<br />
# LDAPS port (636/tcp)<br />
listen 636 ssl;<br />
<br />
# SSL/TLS Certificates<br />
ssl_certificate /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem;<br />
<br />
# TLS Settings<br />
ssl_protocols TLSv1.2 TLSv1.3;<br />
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;<br />
ssl_prefer_server_ciphers on;<br />
ssl_session_cache shared:SSL:10m;<br />
ssl_session_timeout 10m;<br />
ssl_session_tickets off;<br />
<br />
# Forwarding to plain LDAP (LDAPS -> LDAP)<br />
proxy_pass ldap_backend;<br />
<br />
# LDAP timeouts<br />
proxy_connect_timeout 5s;<br />
proxy_timeout 3m;<br />
<br />
# Logging (stream format)<br />
access_log /var/log/nginx/ldaps.culturetas.net-access.log stream_format;<br />
error_log /var/log/nginx/ldaps.culturetas.net-error.log warn;<br />
}<br />
</syntaxhighlight><br />
<br />
* Activar Virtual Host:<br />
<syntaxhighlight lang="Bash">ln -s /etc/nginx/stream-available/ldap.culturetas.net /etc/nginx/stream-enabled/ldap.culturetas.net</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight><br />
<br />
=== Habilitar LDAPS en FirewallD ===<br />
<syntaxhighlight lang="Bash">firewall-cmd --permanent --zone=public --add-port=636/tcp</syntaxhighlight><br />
<syntaxhighlight lang="Bash">firewall-cmd --reload</syntaxhighlight><br />
<br />
=== Crear carpetas para OpenLDAP ===<br />
<syntaxhighlight lang="Bash">mkdir -p /opt/openldap/data</syntaxhighlight><br />
<br />
=== Generar fichero Compose YAML ===<br />
<syntaxhighlight lang="Bash">vi /opt/openldap/compose.yaml</syntaxhighlight><br />
<syntaxhighlight lang="text"><br />
name: openldap<br />
services:<br />
openldap:<br />
container_name: openldap<br />
hostname: ldap.culturetas.net<br />
restart: unless-stopped<br />
environment:<br />
- LDAP_INIT_ORG_DN=dc=culturetas,dc=net<br />
- LDAP_INIT_ORG_NAME=Culturetas SPQR<br />
- LDAP_INIT_ROOT_USER_DN=uid=admin,dc=culturetas,dc=net<br />
- LDAP_INIT_ROOT_USER_PW=CONTRASEÑA<br />
- LDAP_INIT_PPOLICY_PW_MIN_LENGTH=12<br />
- LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,dc=culturetas,dc=net<br />
- LDAP_INIT_PASSWORD_RESET_GROUP_DN=cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net<br />
- LDAP_INIT_RFC2307BIS_SCHEMA=0<br />
- LDAP_INIT_ALLOW_CONFIG_ACCESS=true<br />
- LDAP_TLS_ENABLED=false<br />
- LDAP_LDAPS_ENABLED=false<br />
ports:<br />
- 127.0.0.1:389:389<br />
volumes:<br />
- /opt/openldap/data/var:/var/lib/ldap<br />
- /opt/openldap/data/etc:/etc/ldap/slapd.d<br />
image: vegardit/openldap:2.6.10<br />
</syntaxhighlight><br />
<syntaxhighlight lang="Bash">chmod 640 /opt/openldap/compose.yaml</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/openldap</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight><br />
<br />
=== Parar OpenLDAP (manual) ===<br />
<syntaxhighlight lang="Bash">cd /opt/openldap</syntaxhighlight><br />
<syntaxhighlight lang="Bash">docker compose down</syntaxhighlight><br />
<br />
=== Arrancar OpenLDAP (con SystemD) ===<br />
* Crear fichero SystemD<br />
<syntaxhighlight lang="Bash">vi /etc/systemd/system/openldap.service</syntaxhighlight><br />
<syntaxhighlight lang="Bash"><br />
[Unit]<br />
Description=OpenLDAP (Docker Compose)<br />
After=docker.service network-online.target<br />
Requires=docker.service<br />
Wants=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
WorkingDirectory=/opt/openldap<br />
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull<br />
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30<br />
TimeoutStartSec=180<br />
TimeoutStopSec=120<br />
Restart=on-failure<br />
RestartSec=7<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</syntaxhighlight><br />
<br />
* Arrancar y habilitar<br />
<syntaxhighlight lang="Bash">systemctl daemon-reload</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl start openldap</syntaxhighlight><br />
<syntaxhighlight lang="Bash">systemctl enabled openldap</syntaxhighlight><br />
<br />
== Referencias ==<br />
* [https://hub.docker.com/r/vegardit/openldap https://hub.docker.com/r/vegardit/openldap]<br />
* [https://github.com/vegardit/docker-openldap https://github.com/vegardit/docker-openldap]<br />
* [https://directory.apache.org/studio/downloads.html https://directory.apache.org/studio/downloads.html]<br />
<br />
[[Categoría:Notas]]</div>
Guzman