Diferencia entre revisiones de «OpenLDAP»
Ir a la navegación
Ir a la búsqueda
Sin resumen de edición |
Sin resumen de edición |
||
| (No se muestran 8 ediciones intermedias del mismo usuario) | |||
| Línea 2: | Línea 2: | ||
Instalación de [https://hub.docker.com/r/vegardit/openldap vegardit/openldap] en Docker. | Instalación de [https://hub.docker.com/r/vegardit/openldap vegardit/openldap] en Docker. | ||
== Descargar imagen == | == Entorno de DEV == | ||
Como entorno de DEV se va a usar Docker Desktop. | |||
=== Descargar imagen === | |||
Vamos a usar la imagen que es la latest a día de hoy (2.6.10). | Vamos a usar la imagen que es la latest a día de hoy (2.6.10). | ||
<syntaxhighlight lang="Bash">docker pull vegardit/openldap:2.6.10</syntaxhighlight> | <syntaxhighlight lang="Bash">docker pull vegardit/openldap:2.6.10</syntaxhighlight> | ||
== Ejecutar contenedor en Docker Desktop (DEV) == | === Configuración certificados SSL === | ||
* Creamos volumen "ldap-ssl": | |||
<syntaxhighlight lang="Bash">docker volume create ldap-ssl</syntaxhighlight> | |||
* Copiar certificados en el "ldap-ssl": | |||
<syntaxhighlight lang="Bash"> | |||
cd /c/Users/guzman/Desktop/temp | |||
docker create --name temp-copia -v ldap-ssl:/data alpine | |||
docker cp ldapdev.culturetas.net.crt temp-copia:/data/ldapdev.culturetas.net.crt | |||
docker cp ldapdev.culturetas.net.key temp-copia:/data/ldapdev.culturetas.net.key | |||
docker cp culturetas-root-ca.crt temp-copia:/data/culturetas-root-ca.crt | |||
docker rm temp-copia | |||
</syntaxhighlight> | |||
=== Ejecutar contenedor en Docker Desktop (DEV) === | |||
<syntaxhighlight lang="Bash"> | <syntaxhighlight lang="Bash"> | ||
docker run -d --name openldap \ | docker run -d --name openldap \ | ||
--hostname ldapdev.culturetas.net \ | |||
--env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \ | --env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \ | ||
--env LDAP_INIT_ORG_NAME="Culturetas SPQR" \ | --env LDAP_INIT_ORG_NAME="Culturetas SPQR" \ | ||
| Línea 18: | Línea 36: | ||
--env LDAP_INIT_RFC2307BIS_SCHEMA=0 \ | --env LDAP_INIT_RFC2307BIS_SCHEMA=0 \ | ||
--env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \ | --env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \ | ||
--env LDAP_TLS_ENABLED='true' \ | |||
--env LDAP_LDAPS_ENABLED='true' \ | |||
--env LDAP_TLS_CERT_FILE='//run/secrets/ldap/ldapdev.culturetas.net.crt' \ | |||
--env LDAP_TLS_KEY_FILE='//run/secrets/ldap/ldapdev.culturetas.net.key' \ | |||
--env LDAP_TLS_CA_FILE='//run/secrets/ldap/culturetas-root-ca.crt' \ | |||
--env LDAP_TLS_VERIFY_CLIENT='never' \ | |||
-p 389:389 -p 636:636 \ | -p 389:389 -p 636:636 \ | ||
-v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d \ | -v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d -v ldap-ssl:/run/secrets/ldap \ | ||
vegardit/openldap:2.6.10 | vegardit/openldap:2.6.10 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== | === Pruebas === | ||
Vamos a probar a conectar usando [https://directory.apache.org/studio/downloads.html Apache Directory Studio]. | Vamos a probar a conectar usando [https://directory.apache.org/studio/downloads.html Apache Directory Studio]. | ||
* Hostname: 127.0.0.1 | * Hostname: 127.0.0.1 | ||
* Port: | * Port: 636 | ||
* Bind DN: | * Encryption: LDAPS | ||
* Bind password: | * Bind DN: uid=admin,dc=culturetas,dc=net | ||
* Bind password: CONTRASEÑA | |||
== Entorno de PRO == | |||
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer. | |||
=== Configurar Virtual Host para ldap === | |||
* Añadir Virtual Host: | |||
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight> | |||
<syntaxhighlight lang="Bash">vi /etc/nginx/sites-available/ldap.culturetas.net</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
## | |||
# You should look at the following URL's in order to grasp a solid understanding | |||
# of Nginx configuration files in order to fully unleash the power of Nginx. | |||
# http://wiki.nginx.org/Pitfalls | |||
# http://wiki.nginx.org/QuickStart | |||
# http://wiki.nginx.org/Configuration | |||
# | |||
# Generally, you will want to move this file somewhere, and start with a clean | |||
# file but keep this around for reference. Or just disable in sites-enabled. | |||
# | |||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. | |||
## | |||
# Default server configuration | |||
# | |||
server { | |||
# Redirect HTTP to HTTPS | |||
listen 80; | |||
listen [::]:80; | |||
server_name ldap.culturetas.net; | |||
# Redirect HTTP to HTTPS | |||
return 301 https://$host$request_uri; | |||
} | |||
server { | |||
# SSL configuration | |||
# | |||
listen 443 ssl http2; | |||
listen [::]:443 ssl http2; | |||
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem; | |||
# | |||
# Note: You should disable gzip for SSL traffic. | |||
# See: https://bugs.debian.org/773332 | |||
# | |||
# Read up on ssl_ciphers to ensure a secure configuration. | |||
# See: https://bugs.debian.org/765782 | |||
# | |||
# Self signed certs generated by the ssl-cert package | |||
# Don't use them in a production server! | |||
# | |||
# include snippets/snakeoil.conf; | |||
root /var/www/ldap.culturetas.net; | |||
# Add index.php to the list if you are using PHP | |||
index index.php index.html index.htm; | |||
server_name ldap.culturetas.net; | |||
access_log /var/log/nginx/ldap.culturetas.net-access.log; | |||
error_log /var/log/nginx/ldap.culturetas.net-error.log; | |||
# # Auth Basic (for developing) | |||
# auth_basic "Pagina Restringida"; | |||
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net; | |||
# Activate HSTS (HTTP Strict Transport Security) | |||
# Note: reinclude if in a location a header is set | |||
include snippets/hsts.conf; | |||
# Allow favicon.ico, robots.txt, .well-known/ | |||
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht | |||
include snippets/allowed.conf; | |||
include snippets/denied.conf; | |||
# Redirect all to Keycloak | |||
return 301 https://entrar.culturetas.net; | |||
} | |||
</syntaxhighlight> | |||
* Crear carpeta para VirtualHost: | |||
<syntaxhighlight lang="Bash">mkdir /var/www/ldap.culturetas.net</syntaxhighlight> | |||
* Activar Virtual Host: | |||
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net</syntaxhighlight> | |||
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight> | |||
=== Generar certificados Let's Encrypt === | |||
<syntaxhighlight lang="Bash">certbot --nginx</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | |||
Which names would you like to activate HTTPS for? | |||
We recommend selecting either all domains, or all domains in a VirtualHost/server block. | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
1: ldap.culturetas.net | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
Select the appropriate numbers separated by commas and/or spaces, or leave input | |||
blank to select all options shown (Enter 'c' to cancel): 1 | |||
Requesting a certificate for ldap.culturetas.net | |||
Successfully received certificate. | |||
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem | |||
Key is saved at: /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem | |||
This certificate expires on 2026-06-19. | |||
These files will be updated when the certificate renews. | |||
Certbot has set up a scheduled task to automatically renew this certificate in the background. | |||
Deploying certificate | |||
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net | |||
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
If you like Certbot, please consider supporting our work by: | |||
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate | |||
* Donating to EFF: https://eff.org/donate-le | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
</syntaxhighlight> | |||
=== Crear carpetas === | |||
<syntaxhighlight lang="Bash">mkdir -p /opt/openldap/data</syntaxhighlight> | |||
=== Generar fichero YAML === | |||
<syntaxhighlight lang="Bash">vi /opt/openldap/compose.yaml</syntaxhighlight> | |||
<syntaxhighlight lang="text"> | |||
name: openldap | |||
services: | |||
openldap: | |||
container_name: openldap | |||
hostname: ldap.culturetas.net | |||
environment: | |||
- LDAP_INIT_ORG_DN=dc=culturetas,dc=net | |||
- LDAP_INIT_ORG_NAME=Culturetas SPQR | |||
- LDAP_INIT_ROOT_USER_DN=uid=admin,dc=culturetas,dc=net | |||
- LDAP_INIT_ROOT_USER_PW=CONTRASEÑA | |||
- LDAP_INIT_PPOLICY_PW_MIN_LENGTH=12 | |||
- LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,dc=culturetas,dc=net | |||
- LDAP_INIT_PASSWORD_RESET_GROUP_DN=cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net | |||
- LDAP_INIT_RFC2307BIS_SCHEMA=0 | |||
- LDAP_INIT_ALLOW_CONFIG_ACCESS=true | |||
- LDAP_TLS_ENABLED=true | |||
- LDAP_LDAPS_ENABLED=true | |||
- LDAP_TLS_CERT_FILE=/run/secrets/ldap/ldap.culturetas.net.crt | |||
- LDAP_TLS_KEY_FILE=/run/secrets/ldap/ldap.culturetas.net.key | |||
- LDAP_TLS_CA_FILE=/run/secrets/ldap/ca.crt | |||
- LDAP_TLS_VERIFY_CLIENT=never | |||
ports: | |||
- 389:389 | |||
- 636:636 | |||
volumes: | |||
- /opt/openldap/data/var:/var/lib/ldap | |||
- /opt/openldap/data/etc:/etc/ldap/slapd.d | |||
- /etc/letsencrypt/live/ldap.culturetas.net/cert.pem:/run/secrets/ldap/ldap.culturetas.net.crt | |||
- /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem:/run/secrets/ldap/ldap.culturetas.net.key | |||
- /etc/letsencrypt/live/ldap.culturetas.net/chain.pem:/run/secrets/ldap/ca.crt | |||
image: vegardit/openldap:2.6.10 | |||
</syntaxhighlight> | |||
=== Arrancar OpenLDAP en PRO === | |||
<syntaxhighlight lang="Bash">cd /opt/openldap</syntaxhighlight> | |||
<syntaxhighlight lang="Bash">docker compose up -d</syntaxhighlight> | |||
=== Arrancar OpenLDAP con SystemD === | |||
=== Configuración de FirewallD === | |||
== Referencias == | == Referencias == | ||
Revisión actual - 00:20 22 mar 2026
Instalación OpenLDAP en Docker
Instalación de vegardit/openldap en Docker.
Entorno de DEV
Como entorno de DEV se va a usar Docker Desktop.
Descargar imagen
Vamos a usar la imagen que es la latest a día de hoy (2.6.10).
docker pull vegardit/openldap:2.6.10
Configuración certificados SSL
- Creamos volumen "ldap-ssl":
docker volume create ldap-ssl
- Copiar certificados en el "ldap-ssl":
cd /c/Users/guzman/Desktop/temp
docker create --name temp-copia -v ldap-ssl:/data alpine
docker cp ldapdev.culturetas.net.crt temp-copia:/data/ldapdev.culturetas.net.crt
docker cp ldapdev.culturetas.net.key temp-copia:/data/ldapdev.culturetas.net.key
docker cp culturetas-root-ca.crt temp-copia:/data/culturetas-root-ca.crt
docker rm temp-copia
Ejecutar contenedor en Docker Desktop (DEV)
docker run -d --name openldap \
--hostname ldapdev.culturetas.net \
--env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \
--env LDAP_INIT_ORG_NAME="Culturetas SPQR" \
--env LDAP_INIT_ROOT_USER_DN='uid=admin,dc=culturetas,dc=net' \
--env LDAP_INIT_ROOT_USER_PW="CONTRASEÑA" \
--env LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \
--env LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,dc=culturetas,dc=net' \
--env LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net' \
--env LDAP_INIT_RFC2307BIS_SCHEMA=0 \
--env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \
--env LDAP_TLS_ENABLED='true' \
--env LDAP_LDAPS_ENABLED='true' \
--env LDAP_TLS_CERT_FILE='//run/secrets/ldap/ldapdev.culturetas.net.crt' \
--env LDAP_TLS_KEY_FILE='//run/secrets/ldap/ldapdev.culturetas.net.key' \
--env LDAP_TLS_CA_FILE='//run/secrets/ldap/culturetas-root-ca.crt' \
--env LDAP_TLS_VERIFY_CLIENT='never' \
-p 389:389 -p 636:636 \
-v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d -v ldap-ssl:/run/secrets/ldap \
vegardit/openldap:2.6.10
Pruebas
Vamos a probar a conectar usando Apache Directory Studio.
- Hostname: 127.0.0.1
- Port: 636
- Encryption: LDAPS
- Bind DN: uid=admin,dc=culturetas,dc=net
- Bind password: CONTRASEÑA
Entorno de PRO
En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.
Configurar Virtual Host para ldap
- Añadir Virtual Host:
sudo -i
vi /etc/nginx/sites-available/ldap.culturetas.net
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
# Redirect HTTP to HTTPS
listen 80;
listen [::]:80;
server_name ldap.culturetas.net;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
# SSL configuration
#
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/ldap.culturetas.net;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm;
server_name ldap.culturetas.net;
access_log /var/log/nginx/ldap.culturetas.net-access.log;
error_log /var/log/nginx/ldap.culturetas.net-error.log;
# # Auth Basic (for developing)
# auth_basic "Pagina Restringida";
# auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;
# Activate HSTS (HTTP Strict Transport Security)
# Note: reinclude if in a location a header is set
include snippets/hsts.conf;
# Allow favicon.ico, robots.txt, .well-known/
# Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
include snippets/allowed.conf;
include snippets/denied.conf;
# Redirect all to Keycloak
return 301 https://entrar.culturetas.net;
}
- Crear carpeta para VirtualHost:
mkdir /var/www/ldap.culturetas.net
- Activar Virtual Host:
ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net
systemctl reload nginx
Generar certificados Let's Encrypt
certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ldap.culturetas.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ldap.culturetas.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem
This certificate expires on 2026-06-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Crear carpetas
mkdir -p /opt/openldap/data
Generar fichero YAML
vi /opt/openldap/compose.yaml
name: openldap
services:
openldap:
container_name: openldap
hostname: ldap.culturetas.net
environment:
- LDAP_INIT_ORG_DN=dc=culturetas,dc=net
- LDAP_INIT_ORG_NAME=Culturetas SPQR
- LDAP_INIT_ROOT_USER_DN=uid=admin,dc=culturetas,dc=net
- LDAP_INIT_ROOT_USER_PW=CONTRASEÑA
- LDAP_INIT_PPOLICY_PW_MIN_LENGTH=12
- LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,dc=culturetas,dc=net
- LDAP_INIT_PASSWORD_RESET_GROUP_DN=cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net
- LDAP_INIT_RFC2307BIS_SCHEMA=0
- LDAP_INIT_ALLOW_CONFIG_ACCESS=true
- LDAP_TLS_ENABLED=true
- LDAP_LDAPS_ENABLED=true
- LDAP_TLS_CERT_FILE=/run/secrets/ldap/ldap.culturetas.net.crt
- LDAP_TLS_KEY_FILE=/run/secrets/ldap/ldap.culturetas.net.key
- LDAP_TLS_CA_FILE=/run/secrets/ldap/ca.crt
- LDAP_TLS_VERIFY_CLIENT=never
ports:
- 389:389
- 636:636
volumes:
- /opt/openldap/data/var:/var/lib/ldap
- /opt/openldap/data/etc:/etc/ldap/slapd.d
- /etc/letsencrypt/live/ldap.culturetas.net/cert.pem:/run/secrets/ldap/ldap.culturetas.net.crt
- /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem:/run/secrets/ldap/ldap.culturetas.net.key
- /etc/letsencrypt/live/ldap.culturetas.net/chain.pem:/run/secrets/ldap/ca.crt
image: vegardit/openldap:2.6.10
Arrancar OpenLDAP en PRO
cd /opt/openldap
docker compose up -d