Diferencia entre revisiones de «OpenLDAP»
Ir a la navegación
Ir a la búsqueda
Sin resumen de edición |
Sin resumen de edición |
||
| (No se muestran 3 ediciones intermedias del mismo usuario) | |||
| Línea 9: | Línea 9: | ||
<syntaxhighlight lang="Bash">docker pull vegardit/openldap:2.6.10</syntaxhighlight> | <syntaxhighlight lang="Bash">docker pull vegardit/openldap:2.6.10</syntaxhighlight> | ||
== | === Configuración certificados SSL === | ||
* Creamos volumen "ldap-ssl": | * Creamos volumen "ldap-ssl": | ||
<syntaxhighlight lang="Bash">docker volume create ldap-ssl</syntaxhighlight> | <syntaxhighlight lang="Bash">docker volume create ldap-ssl</syntaxhighlight> | ||
| Línea 22: | Línea 22: | ||
docker rm temp-copia | docker rm temp-copia | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Ejecutar contenedor en Docker Desktop (DEV) === | === Ejecutar contenedor en Docker Desktop (DEV) === | ||
<syntaxhighlight lang="Bash"> | <syntaxhighlight lang="Bash"> | ||
docker run -d --name openldap \ | docker run -d --name openldap \ | ||
--hostname ldapdev.culturetas.net \ | |||
--env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \ | --env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \ | ||
--env LDAP_INIT_ORG_NAME="Culturetas SPQR" \ | --env LDAP_INIT_ORG_NAME="Culturetas SPQR" \ | ||
| Línea 47: | Línea 47: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== | === Pruebas === | ||
Vamos a probar a conectar usando [https://directory.apache.org/studio/downloads.html Apache Directory Studio]. | Vamos a probar a conectar usando [https://directory.apache.org/studio/downloads.html Apache Directory Studio]. | ||
* Hostname: 127.0.0.1 | * Hostname: 127.0.0.1 | ||
* Port: | * Port: 636 | ||
* Encryption: LDAPS | |||
* Bind DN: uid=admin,dc=culturetas,dc=net | * Bind DN: uid=admin,dc=culturetas,dc=net | ||
* Bind password: CONTRASEÑA | * Bind password: CONTRASEÑA | ||
| Línea 56: | Línea 57: | ||
== Entorno de PRO == | == Entorno de PRO == | ||
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer. | En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer. | ||
=== Configurar Virtual Host para ldap === | |||
* Añadir Virtual Host: | |||
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight> | |||
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/ldap.culturetas.net</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
## | |||
# You should look at the following URL's in order to grasp a solid understanding | |||
# of Nginx configuration files in order to fully unleash the power of Nginx. | |||
# http://wiki.nginx.org/Pitfalls | |||
# http://wiki.nginx.org/QuickStart | |||
# http://wiki.nginx.org/Configuration | |||
# | |||
# Generally, you will want to move this file somewhere, and start with a clean | |||
# file but keep this around for reference. Or just disable in sites-enabled. | |||
# | |||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. | |||
## | |||
# Default server configuration | |||
# | |||
server { | |||
# Redirect HTTP to HTTPS | |||
listen 80; | |||
listen [::]:80; | |||
server_name ldap.culturetas.net; | |||
# Redirect HTTP to HTTPS | |||
return 301 https://$host$request_uri; | |||
} | |||
server { | |||
# SSL configuration | |||
# | |||
listen 443 ssl http2; | |||
listen [::]:443 ssl http2; | |||
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem; | |||
# | |||
# Note: You should disable gzip for SSL traffic. | |||
# See: https://bugs.debian.org/773332 | |||
# | |||
# Read up on ssl_ciphers to ensure a secure configuration. | |||
# See: https://bugs.debian.org/765782 | |||
# | |||
# Self signed certs generated by the ssl-cert package | |||
# Don't use them in a production server! | |||
# | |||
# include snippets/snakeoil.conf; | |||
root /var/www/ldap.culturetas.net; | |||
# Add index.php to the list if you are using PHP | |||
index index.php index.html index.htm; | |||
server_name ldap.culturetas.net; | |||
access_log /var/log/nginx/ldap.culturetas.net-access.log; | |||
error_log /var/log/nginx/ldap.culturetas.net-error.log; | |||
# # Auth Basic (for developing) | |||
# auth_basic "Pagina Restringida"; | |||
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net; | |||
# Activate HSTS (HTTP Strict Transport Security) | |||
# Note: reinclude if in a location a header is set | |||
include snippets/hsts.conf; | |||
# Allow favicon.ico, robots.txt, .well-known/ | |||
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht | |||
include snippets/allowed.conf; | |||
include snippets/denied.conf; | |||
# Redirect all to Keycloak | |||
return 301 https://entrar.culturetas.net; | |||
} | |||
</syntaxhighlight> | |||
* Crear carpeta para VirtualHost: | |||
<syntaxhighlight lang="Bash">mkdir /var/www/ldap.culturetas.net</syntaxhighlight> | |||
* Activar Virtual Host: | |||
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net</syntaxhighlight> | |||
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight> | |||
=== Generar certificados Let's Encrypt === | |||
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | |||
Which names would you like to activate HTTPS for? | |||
We recommend selecting either all domains, or all domains in a VirtualHost/server block. | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
1: ldap.culturetas.net | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
Select the appropriate numbers separated by commas and/or spaces, or leave input | |||
blank to select all options shown (Enter 'c' to cancel): 1 | |||
Requesting a certificate for ldap.culturetas.net | |||
Successfully received certificate. | |||
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem | |||
Key is saved at: /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem | |||
This certificate expires on 2026-06-19. | |||
These files will be updated when the certificate renews. | |||
Certbot has set up a scheduled task to automatically renew this certificate in the background. | |||
Deploying certificate | |||
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net | |||
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
If you like Certbot, please consider supporting our work by: | |||
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate | |||
* Donating to EFF: https://eff.org/donate-le | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
</syntaxhighlight> | |||
=== Generar fichero YAML (composerize) === | |||
* Generar fichero YAML de compose: | |||
== Referencias == | == Referencias == | ||
Revisión del 23:39 21 mar 2026
Instalación OpenLDAP en Docker
Instalación de vegardit/openldap en Docker.
Entorno de DEV
Como entorno de DEV se va a usar Docker Desktop.
Descargar imagen
Vamos a usar la imagen que es la latest a día de hoy (2.6.10).
docker pull vegardit/openldap:2.6.10
Configuración certificados SSL
- Creamos volumen "ldap-ssl":
docker volume create ldap-ssl
- Copiar certificados en el "ldap-ssl":
cd /c/Users/guzman/Desktop/temp
docker create --name temp-copia -v ldap-ssl:/data alpine
docker cp ldapdev.culturetas.net.crt temp-copia:/data/ldapdev.culturetas.net.crt
docker cp ldapdev.culturetas.net.key temp-copia:/data/ldapdev.culturetas.net.key
docker cp culturetas-root-ca.crt temp-copia:/data/culturetas-root-ca.crt
docker rm temp-copia
Ejecutar contenedor en Docker Desktop (DEV)
docker run -d --name openldap \
--hostname ldapdev.culturetas.net \
--env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \
--env LDAP_INIT_ORG_NAME="Culturetas SPQR" \
--env LDAP_INIT_ROOT_USER_DN='uid=admin,dc=culturetas,dc=net' \
--env LDAP_INIT_ROOT_USER_PW="CONTRASEÑA" \
--env LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \
--env LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,dc=culturetas,dc=net' \
--env LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net' \
--env LDAP_INIT_RFC2307BIS_SCHEMA=0 \
--env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \
--env LDAP_TLS_ENABLED='true' \
--env LDAP_LDAPS_ENABLED='true' \
--env LDAP_TLS_CERT_FILE='//run/secrets/ldap/ldapdev.culturetas.net.crt' \
--env LDAP_TLS_KEY_FILE='//run/secrets/ldap/ldapdev.culturetas.net.key' \
--env LDAP_TLS_CA_FILE='//run/secrets/ldap/culturetas-root-ca.crt' \
--env LDAP_TLS_VERIFY_CLIENT='never' \
-p 389:389 -p 636:636 \
-v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d -v ldap-ssl:/run/secrets/ldap \
vegardit/openldap:2.6.10
Pruebas
Vamos a probar a conectar usando Apache Directory Studio.
- Hostname: 127.0.0.1
- Port: 636
- Encryption: LDAPS
- Bind DN: uid=admin,dc=culturetas,dc=net
- Bind password: CONTRASEÑA
Entorno de PRO
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.
Configurar Virtual Host para ldap
- Añadir Virtual Host:
sudo -i
vi /etc/nginx/sites-available/ldap.culturetas.net
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
# Redirect HTTP to HTTPS
listen 80;
listen [::]:80;
server_name ldap.culturetas.net;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# SSL configuration
#
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/ldap.culturetas.net;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm;
server_name ldap.culturetas.net;
access_log /var/log/nginx/ldap.culturetas.net-access.log;
error_log /var/log/nginx/ldap.culturetas.net-error.log;
# # Auth Basic (for developing)
# auth_basic "Pagina Restringida";
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;
# Activate HSTS (HTTP Strict Transport Security)
# Note: reinclude if in a location a header is set
include snippets/hsts.conf;
# Allow favicon.ico, robots.txt, .well-known/
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
include snippets/allowed.conf;
include snippets/denied.conf;
# Redirect all to Keycloak
return 301 https://entrar.culturetas.net;
}
- Crear carpeta para VirtualHost:
mkdir /var/www/ldap.culturetas.net
- Activar Virtual Host:
ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net
systemctl reload nginx
Generar certificados Let's Encrypt
certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ldap.culturetas.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ldap.culturetas.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem
This certificate expires on 2026-06-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Generar fichero YAML (composerize)
- Generar fichero YAML de compose: