OpenLDAP

From Wiki Castanedo.es

Current revision - 19:09, 22 Mar 2026

Installing OpenLDAP in Docker

Installation of vegardit/openldap in Docker. The following protocols are used:

  • LDAP (port 389/tcp): on localhost only
  • LDAPS (port 636/tcp): published through Nginx as a reverse proxy (in PRO)

Requirements

The following is needed for this configuration:

  • GNU/Linux server (see Securizar Ubuntu Server)
    • FirewallD firewall (UFW has problems with Docker)
  • Docker Engine (see Docker Engine)
    • Module: Docker Compose (for PRO)
  • Nginx (see LEMP)
    • Module: Nginx Stream (included in Ubuntu)

DEV environment

Docker Desktop is used as the DEV environment.

Download the image

The image tagged "latest" as of today (2.6.10) is used.

docker pull vegardit/openldap:2.6.10

Run the container in Docker Desktop (DEV)

The image runs with plain LDAP only (389/tcp), bound to localhost only. IMPORTANT: SSL/TLS is added with Nginx.

docker run -d --name openldap \
 --hostname ldapdev.culturetas.net \
 --env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \
 --env LDAP_INIT_ORG_NAME="Culturetas SPQR" \
 --env LDAP_INIT_ROOT_USER_DN='uid=admin,dc=culturetas,dc=net' \
 --env LDAP_INIT_ROOT_USER_PW="CONTRASEÑA" \
 --env LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \
 --env LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,dc=culturetas,dc=net' \
 --env LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net' \
 --env LDAP_INIT_RFC2307BIS_SCHEMA=0 \
 --env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \
 -p 127.0.0.1:389:389 \
 -v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d \
 vegardit/openldap:2.6.10

Note: OpenSSL supports SSL/TLS, but with vegardit/openldap it does not work correctly: after a successful handshake, authentication does not always complete (a reverse proxy is used instead, which is also more secure).

Tests

Try connecting with Apache Directory Studio.

  • Hostname: 127.0.0.1
  • Port: 389
  • Encryption: LDAP
  • Bind DN: uid=admin,dc=culturetas,dc=net
  • Bind password: CONTRASEÑA

PRO environment

In the PRO environment the deployment is done by converting the Docker Desktop configuration into a Docker Compose YAML file.

Install the Nginx Stream module

Nginx with the Stream module can load-balance TCP or UDP ports (non-HTTP). It is not included in the standard Nginx package and is installed separately:

apt install libnginx-mod-stream
systemctl restart nginx

Stream module configuration

  • Back up nginx.conf
cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.20260322
  • Create the folders for Stream
mkdir /etc/nginx/stream-available
mkdir /etc/nginx/stream-enabled
  • Add the Stream configuration
vi /etc/nginx/nginx.conf
[...]
stream {
	# Log format
	log_format stream_format '$remote_addr [$time_local] '
							 '$protocol $status $bytes_sent $bytes_received '
							 '$session_time "$upstream_addr"';
	include /etc/nginx/stream-enabled/*;
}
[...]
systemctl restart nginx

Configure the Virtual Host for LDAP (for HTTP)

  • Add the Virtual Host:
sudo -i
vi /etc/nginx/sites-available/ldap.culturetas.net
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        # Redirect HTTP to HTTPS
        listen 80;
        listen [::]:80;
        server_name ldap.culturetas.net;
        # Redirect HTTP to HTTPS
        return 301 https://$host$request_uri;
}

server {
        # SSL configuration
        #
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/ldap.culturetas.net;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm;

        server_name ldap.culturetas.net;

        access_log /var/log/nginx/ldap.culturetas.net-access.log;
        error_log /var/log/nginx/ldap.culturetas.net-error.log;

#       # Auth Basic (for developing)
#       auth_basic "Pagina Restringida";
#       auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;

        # Activate HSTS (HTTP Strict Transport Security)
        # Note: reinclude if in a location a header is set
        include snippets/hsts.conf;

        # Allow favicon.ico, robots.txt, .well-known/
        # Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
        include snippets/allowed.conf;
        include snippets/denied.conf;

        # Redirect all to Keycloak
        return 301 https://entrar.culturetas.net;
}
  • Create the folder for the Virtual Host:
mkdir /var/www/ldap.culturetas.net
  • Enable the Virtual Host:
ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net
systemctl reload nginx

Generate Let's Encrypt certificates

certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ldap.culturetas.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ldap.culturetas.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem
This certificate expires on 2026-06-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Configure the Virtual Host for LDAP (for Stream)

  • Add the Virtual Host:
sudo -i
vi /etc/nginx/stream-available/ldap.culturetas.net
########################
# STREAM REVERSE PROXY #
########################

# Nginx Stream allows load balancing to TCP or UDP ports (not HTTP).
upstream ldap_backend {
	server 127.0.0.1:389 max_fails=3 fail_timeout=30s;
	# Optional: High Availability
	# server 192.168.10.45:389 backup;
}

server {
	# LDAPS port (636/tcp)
	listen 636 ssl;

	# SSL/TLS Certificates
	ssl_certificate /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem;

	# TLS Settings
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_session_tickets off;
	
	# Forwarding to plain LDAP (LDAPS -> LDAP)
	proxy_pass ldap_backend;

	# LDAP timeouts
	proxy_connect_timeout 5s;
	proxy_timeout 3m;

	# Logging (stream format)
	access_log /var/log/nginx/ldaps.culturetas.net-access.log stream_format;
	error_log /var/log/nginx/ldaps.culturetas.net-error.log warn;
}
  • Enable the Virtual Host:
ln -s /etc/nginx/stream-available/ldap.culturetas.net /etc/nginx/stream-enabled/ldap.culturetas.net
systemctl reload nginx
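The stream_format defined in nginx.conf above is the only record of who reached the LDAPS front-end and whether Nginx could hand the session to OpenLDAP, so it is worth reading it in a structured way. The following script is an added example, not part of the wiki page: it summarises a stream access log written in that exact format. It assumes the field layout shown on the page (because $time_local contains a space, awk sees the status code in field 5, the session time in field 8 and the upstream in field 9) and runs against constructed sample lines with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example (not part of the wiki page): summarise the Nginx stream access
# log written with the page's "stream_format" so upstream failures and unusual
# client behaviour on the LDAPS front-end are visible at a glance.
#
# stream_format, as defined in nginx.conf on the page:
#   $remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"
# Because $time_local contains a space, awk sees: $1 client, $5 status,
# $6 bytes sent, $7 bytes received, $8 session time, $9 upstream.

# Constructed sample log lines (not real traffic); addresses are from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
sample_stream_log() {
    cat <<'EOF'
203.0.113.7 [22/Mar/2026:19:05:01 +0100] TCP 200 4321 987 12.345 "127.0.0.1:389"
203.0.113.7 [22/Mar/2026:19:05:03 +0100] TCP 200 210 64 0.021 "127.0.0.1:389"
198.51.100.22 [22/Mar/2026:19:06:10 +0100] TCP 502 0 0 5.002 "127.0.0.1:389"
198.51.100.22 [22/Mar/2026:19:06:12 +0100] TCP 200 180 52 0.030 "127.0.0.1:389"
203.0.113.7 [22/Mar/2026:19:07:40 +0100] TCP 200 205 60 0.015 "127.0.0.1:389"
EOF
}

# Number of sessions Nginx could not hand to OpenLDAP (502 = upstream
# unreachable, 503 = no upstream available). A non-zero value usually means
# the openldap container is down or 389/tcp is not bound on localhost.
upstream_failures() {
    awk '$5 == 502 || $5 == 503 { n++ } END { print n + 0 }' "$1"
}

# Per-client summary: "<client> <sessions> <failed> <short>", where "failed"
# counts status >= 500 and "short" counts sessions under 0.1 s (a burst of
# very short sessions from one address is worth a closer look).
stream_log_report() {
    awk '{
            total[$1]++
            if ($5 >= 500) failed[$1]++
            if ($8 + 0 < 0.1) short[$1]++
         }
         END {
            for (ip in total)
                printf "%s %d %d %d\n", ip, total[ip], failed[ip] + 0, short[ip] + 0
         }' "$1" | sort
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_stream_log > "$tmp"
echo "upstream failures: $(upstream_failures "$tmp")"
echo "client sessions failed short:"
stream_log_report "$tmp"
rm -f "$tmp"
```

On the PRO host the same functions can be pointed at /var/log/nginx/ldaps.culturetas.net-access.log; the report is plain text, so it can be dropped into a cron job or a monitoring check without further tooling.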

Enable LDAPS in FirewallD

firewall-cmd --permanent --zone=public --add-port=636/tcp
firewall-cmd --reload

Create folders for OpenLDAP

mkdir -p /opt/openldap/data

Generate the YAML file

vi /opt/openldap/compose.yaml
name: openldap
services:
    openldap:
        container_name: openldap
        hostname: ldap.culturetas.net
        restart: unless-stopped
        environment:
            - LDAP_INIT_ORG_DN=dc=culturetas,dc=net
            - LDAP_INIT_ORG_NAME=Culturetas SPQR
            - LDAP_INIT_ROOT_USER_DN=uid=admin,dc=culturetas,dc=net
            - LDAP_INIT_ROOT_USER_PW=CONTRASEÑA
            - LDAP_INIT_PPOLICY_PW_MIN_LENGTH=12
            - LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,dc=culturetas,dc=net
            - LDAP_INIT_PASSWORD_RESET_GROUP_DN=cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net
            - LDAP_INIT_RFC2307BIS_SCHEMA=0
            - LDAP_INIT_ALLOW_CONFIG_ACCESS=true
            - LDAP_TLS_ENABLED=false
            - LDAP_LDAPS_ENABLED=false
        ports:
            - 127.0.0.1:389:389
        volumes:
            - /opt/openldap/data/var:/var/lib/ldap
            - /opt/openldap/data/etc:/etc/ldap/slapd.d
        image: vegardit/openldap:2.6.10
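The whole design rests on one detail that is easy to get wrong: plain LDAP on 389/tcp must be published on 127.0.0.1 only (as in the DEV docker run and in the compose.yaml above), so that the only path reachable from outside is the LDAPS listener Nginx exposes on 636/tcp. The script below is an added example, not part of the wiki page: it checks that binding both statically, in a Compose file, and at runtime, from "ss -ltnH" output. It assumes the short "host:container" port syntax used on the page, the column order of "ss -ltnH" (State Recv-Q Send-Q Local:Port Peer:Port), and runs against constructed sample files with a placeholder password.

```shell
#!/bin/sh
# Added example (not part of the wiki page): check that plain LDAP (389/tcp)
# is published only on loopback, both in the Compose file before deploying and
# on the running host afterwards, so the only path reachable from outside is
# the LDAPS front-end that Nginx exposes on 636/tcp.

# Constructed Compose file mirroring the page's layout (placeholder password);
# 389 bound to 127.0.0.1 as the page recommends.
sample_compose_loopback() {
    cat <<'EOF'
name: openldap
services:
    openldap:
        container_name: openldap
        environment:
            - LDAP_INIT_ROOT_USER_PW=CHANGE_ME
            - LDAP_TLS_ENABLED=false
        ports:
            - 127.0.0.1:389:389
        volumes:
            - /opt/openldap/data/var:/var/lib/ldap
        image: vegardit/openldap:2.6.10
EOF
}

# Same file with the mistake the page avoids: 389 published on all interfaces.
sample_compose_exposed() {
    sample_compose_loopback | sed 's/127\.0\.0\.1:389:389/"389:389"/'
}

# Print each short-syntax "ports:" entry that publishes container port 389 on
# anything but 127.0.0.1. Returns 1 if any is found, 0 otherwise.
# Assumption: ports use the short "host:container" form, as on the page.
check_compose_ldap_binding() {
    bad=$(awk '
        /^[[:space:]]*ports:/ { inports = 1; next }
        inports && /^[[:space:]]*-[[:space:]]/ {
            entry = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", entry)   # drop the list dash
            gsub(/[" ]/, "", entry)                       # drop quotes and spaces
            sub(/\/(tcp|udp)$/, "", entry)                # drop protocol suffix
            n = split(entry, f, ":")                      # last field = container port
            if (f[n] == "389" && !(n == 3 && f[1] == "127.0.0.1"))
                print entry
            next
        }
        inports && NF > 0 && !/^[[:space:]]*#/ { inports = 0 }
    ' "$1")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Runtime counterpart: reads "ss -ltnH" output on stdin and prints every
# listener on port 389 whose local address is not loopback.
# Returns 1 if any is found, 0 otherwise.
check_listeners_ldap_binding() {
    bad=$(awk '{
        local = $4
        port = local; sub(/.*:/, "", port)
        addr = local; sub(/:[0-9]+$/, "", addr)
        if (port == "389" && addr != "127.0.0.1" && addr != "[::1]")
            print local
    }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed "ss -ltnH" output for a correctly configured host:
# 389 on loopback only, 636 (Nginx stream) on all interfaces.
sample_listeners_ok() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.1:389 0.0.0.0:*
LISTEN 0 511 0.0.0.0:636 0.0.0.0:*
LISTEN 0 511 [::]:636 [::]:*
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
sample_compose_loopback > "$tmp/good.yaml"
sample_compose_exposed > "$tmp/bad.yaml"
check_compose_ldap_binding "$tmp/good.yaml" && echo "good.yaml: 389 only on loopback"
check_compose_ldap_binding "$tmp/bad.yaml" || echo "bad.yaml: 389 reachable from outside (entry above)"
sample_listeners_ok | check_listeners_ldap_binding && echo "listeners: 389 only on loopback"
rm -rf "$tmp"
```

On the PRO host, run check_compose_ldap_binding against /opt/openldap/compose.yaml before "docker compose up" and pipe real "ss -ltnH" output into check_listeners_ldap_binding afterwards; a non-zero exit from either means the plain-text listener is exposed and the FirewallD rule for 636/tcp is not the only thing standing between the directory and the network.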

Start OpenLDAP (manually)

cd /opt/openldap
docker compose up -d

Stop OpenLDAP (manually)

cd /opt/openldap
docker compose down

Start OpenLDAP (with SystemD)

  • Create the SystemD unit file
vi /etc/systemd/system/openldap.service
[Unit]
Description=OpenLDAP (Docker Compose)
After=docker.service network-online.target
Requires=docker.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/openldap
ExecStart=/usr/bin/docker compose up --detach --remove-orphans --quiet-pull
ExecStop=/usr/bin/docker compose down --remove-orphans --volumes --timeout 30
TimeoutStartSec=180
TimeoutStopSec=120
Restart=on-failure
RestartSec=7

[Install]
WantedBy=multi-user.target
  • Start and enable
systemctl daemon-reload
systemctl start openldap
systemctl enable openldap

References