Diferencia entre revisiones de «OpenLDAP»

De Wiki Castanedo.es
Ir a la navegación Ir a la búsqueda
Sin resumen de edición
Sin resumen de edición
Línea 72: Línea 72:
[...]
[...]
stream {
stream {
# TLS Settings
# Log format
ssl_protocols TLSv1.2 TLSv1.3;
log_format stream_format '$remote_addr [$time_local] '
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
'$protocol $status $bytes_sent $bytes_received '
ssl_prefer_server_ciphers on;
'$session_time "$upstream_addr"';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
include /etc/nginx/stream-enabled/*;
include /etc/nginx/stream-enabled/*;
}
}
Línea 86: Línea 82:
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight>
<syntaxhighlight lang="Bash">systemctl restart nginx</syntaxhighlight>


=== Configurar Virtual Host para ldap ===
=== Configurar Virtual Host para LDAP (para HTTP) ===
* Añadir Virtual Host:
* Añadir Virtual Host:
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight>
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight>
Línea 167: Línea 163:
* Activar Virtual Host:
* Activar Virtual Host:
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net</syntaxhighlight>
<syntaxhighlight lang="Bash">ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net</syntaxhighlight>
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight>
=== Configurar Virtual Host para LDAP (para Stream) ===
* Añadir Virtual Host:
<syntaxhighlight lang="Bash">sudo -i</syntaxhighlight>
<syntaxhighlight lang="Bash">vi /etc/nginx/stream-available/ldap.culturetas.net</syntaxhighlight>
<syntaxhighlight lang="text">
########################
# STREAM REVERSE PROXY #
########################
# Nginx Stream allow load balancer to TCP or UDP ports (no HTTP).
upstream ldap_backend {
server 127.0.0.1:389 max_fails=3 fail_timeout=30s;
# Opcional: High Availability
# server 192.168.10.45:389 backup;
}
server {
# LDAPS port (636/tcp)
listen 636 ssl;
# SSL/TLS Certificates
ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;
# TLS Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# Forwarding to plain LDAP (LDAPS -> LDAP)
proxy_pass ldap_backend;
# LDAP timeouts
proxy_connect_timeout 5s;
proxy_timeout 3m;
# Logging (stream format)
access_log /var/log/nginx/ldaps.culturetas.net-access.log stream_format;
error_log /var/log/nginx/ldaps.culturetas.net-error.log warn;
}
</syntaxhighlight>
* Activar Virtual Host:
<syntaxhighlight lang="Bash">ln -s /etc/nginx/stream-available/ldap.culturetas.net /etc/nginx/stream-enabled/ldap.culturetas.net</syntaxhighlight>
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight>
<syntaxhighlight lang="Bash">systemctl reload nginx</syntaxhighlight>


Revisión del 15:48 22 mar 2026

Instalación OpenLDAP en Docker

Instalación de vegardit/openldap en Docker. Se va a usar los siguientes protocolos:

  • LDAP (puerto 389/tcp): sólo en localhost
  • LDAPS (puerto 636/tcp): publicado con Nginx como reserve proxy (en PRO)

Requisitos

Para poder realizar esta configuración se necesita:

  • Servidor GNU Linux (ver Securizar Ubuntu Server)
    • Cortafuegos FirewallD (UFW tiene problemas con Docker)
  • Docker Engine (ver Docker Engine)
    • Módulo: Docker Compose (para PRO)
  • Nginx (ver LEMP)
    • Módulo: Nginx Stream (incluido en Ubuntu)

Entorno de DEV

Como entorno de DEV se va a usar Docker Desktop.

Descargar imagen

Vamos a usar la imagen que es la latest a día de hoy (2.6.10). 

docker pull vegardit/openldap:2.6.10

Ejecutar contenedor en Docker Desktop (DEV)

Vamos a usar la imagen sólo con LDAP (389/tcp) solo para localhost. IMPORTANTE: para añadir SSL/TLS usaremos Nginx. 

docker run -d --name openldap \
 --hostname ldapdev.culturetas.net \
 --env LDAP_INIT_ORG_DN="dc=culturetas,dc=net" \
 --env LDAP_INIT_ORG_NAME="Culturetas SPQR" \
 --env LDAP_INIT_ROOT_USER_DN='uid=admin,dc=culturetas,dc=net' \
 --env LDAP_INIT_ROOT_USER_PW="CONTRASEÑA" \
 --env LDAP_INIT_PPOLICY_PW_MIN_LENGTH='12' \
 --env LDAP_INIT_ADMIN_GROUP_DN='cn=ldap-admins,ou=Groups,dc=culturetas,dc=net' \
 --env LDAP_INIT_PASSWORD_RESET_GROUP_DN='cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net' \
 --env LDAP_INIT_RFC2307BIS_SCHEMA=0 \
 --env LDAP_INIT_ALLOW_CONFIG_ACCESS='true' \
 -p 127.0.0.1:389:389 \
 -v ldap-data:/var/lib/ldap -v ldap-config:/etc/ldap/slapd.d \
 vegardit/openldap:2.6.10

Nota: OpenSSL soporta SSL/TLS, pero con vegardit/openldap no funciona correctamente y tras un handshake correcot, no completa siempre la autenticación (usaremos un reverse proxy como alternativa y es más seguro).

Pruebas

Vamos a probar a conectar usando Apache Directory Studio.

  • Hostname: 127.0.0.1
  • Port: 389
  • Encryption: LDAP
  • Bind DN: uid=admin,dc=culturetas,dc=net
  • Bind password: CONTRASEÑA

Entorno de PRO

En el entorno de PRO se va a desplegar transformando la configuración de Docker Desktop en fichero YAML de Docker Composer.

Instalar módulo Stream de Nginx

Nginx con módulo Stream permite balancear a puertos TCP o UDP (que no sean HTTP). No viene con el paquete estándar de Nginx, se instala aparte: 

apt install libnginx-mod-stream

systemctl restart nginx

Configuración módulo Stream

  • Backup nginx.conf
cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.20260322
  • Crear carpeta para Stream
mkdir /etc/nginx/stream-available

mkdir /etc/nginx/stream-enabled
  • Añadir configuración para Stream
vi /etc/nginx/nginx.conf

[...]
stream {
	# Log format
	log_format stream_format '$remote_addr [$time_local] '
							 '$protocol $status $bytes_sent $bytes_received '
							 '$session_time "$upstream_addr"';
	include /etc/nginx/stream-enabled/*;
}
[...]

systemctl restart nginx

Configurar Virtual Host para LDAP (para HTTP)

  • Añadir Virtual Host:
sudo -i

vi /etc/nginx/sites-available/ldap.culturetas.net

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        # Redirect HTTP to HTTPS
        listen 80;
        listen [::]:80;
        server_name ldap.culturetas.net;
        # Redirect HTTP to HTTPS
        return 301 https://$host$request_uri;
}

server {
        # SSL configuration
        #
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/ldap.culturetas.net;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm;

        server_name ldap.culturetas.net;

        access_log /var/log/nginx/ldap.culturetas.net-access.log;
        error_log /var/log/nginx/ldap.culturetas.net-error.log;

#       # Auth Basic (for developing)
#       auth_basic "Pagina Restringida";
#       auth_basic_user_file /etc/nginx/passwd/passwd-culturetas.net;

        # Activate HSTS (HTTP Strict Transport Security)
        # Note: reinclude if in a location a header is set
        include snippets/hsts.conf;

        # Allow favicon.ico, robots.txt, .well-known/
        # Deny *.txt, *.log, .*/*.php, .*, *.json, .lock, *.ht
        include snippets/allowed.conf;
        include snippets/denied.conf;

        # Redirect all to Keycloak
        return 301 https://entrar.culturetas.net;
}
  • Crear carpeta para VirtualHost:
mkdir /var/www/ldap.culturetas.net
  • Activar Virtual Host:
ln -s /etc/nginx/sites-available/ldap.culturetas.net /etc/nginx/sites-enabled/ldap.culturetas.net

systemctl reload nginx

Configurar Virtual Host para LDAP (para Stream)

  • Añadir Virtual Host:
sudo -i

vi /etc/nginx/stream-available/ldap.culturetas.net

########################
# STREAM REVERSE PROXY #
########################

# Nginx Stream allow load balancer to TCP or UDP ports (no HTTP).
upstream ldap_backend {
	server 127.0.0.1:389 max_fails=3 fail_timeout=30s;
	# Opcional: High Availability
	# server 192.168.10.45:389 backup;
}

server {
	# LDAPS port (636/tcp)
	listen 636 ssl;

	# SSL/TLS Certificates
	ssl_certificate /etc/letsencrypt/live/culturetas.net/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/culturetas.net/privkey.pem;

	# TLS Settings
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_session_tickets off;
	
	# Forwarding to plain LDAP (LDAPS -> LDAP)
	proxy_pass ldap_backend;

	# LDAP timeouts
	proxy_connect_timeout 5s;
	proxy_timeout 3m;

	# Logging (stream format)
	access_log /var/log/nginx/ldaps.culturetas.net-access.log stream_format;
	error_log /var/log/nginx/ldaps.culturetas.net-error.log warn;
}
  • Activar Virtual Host:
ln -s /etc/nginx/stream-available/ldap.culturetas.net /etc/nginx/stream-enabled/ldap.culturetas.net

systemctl reload nginx

Generar certificados Let's Encrypt

certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ldap.culturetas.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for ldap.culturetas.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ldap.culturetas.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem
This certificate expires on 2026-06-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for ldap.culturetas.net to /etc/nginx/sites-enabled/ldap.culturetas.net
Congratulations! You have successfully enabled HTTPS on https://ldap.culturetas.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Crear carpetas

mkdir -p /opt/openldap/data

Generar fichero YAML

vi /opt/openldap/compose.yaml

name: openldap
services:
    openldap:
        container_name: openldap
        hostname: ldap.culturetas.net
        environment:
            - LDAP_INIT_ORG_DN=dc=culturetas,dc=net
            - LDAP_INIT_ORG_NAME=Culturetas SPQR
            - LDAP_INIT_ROOT_USER_DN=uid=admin,dc=culturetas,dc=net
            - LDAP_INIT_ROOT_USER_PW=CONTRASEÑA
            - LDAP_INIT_PPOLICY_PW_MIN_LENGTH=12
            - LDAP_INIT_ADMIN_GROUP_DN=cn=ldap-admins,ou=Groups,dc=culturetas,dc=net
            - LDAP_INIT_PASSWORD_RESET_GROUP_DN=cn=ldap-password-reset,ou=Groups,dc=culturetas,dc=net
            - LDAP_INIT_RFC2307BIS_SCHEMA=0
            - LDAP_INIT_ALLOW_CONFIG_ACCESS=true
            - LDAP_TLS_ENABLED=true
            - LDAP_LDAPS_ENABLED=true
            - LDAP_TLS_CERT_FILE=/run/secrets/ldap/ldap.culturetas.net.crt
            - LDAP_TLS_KEY_FILE=/run/secrets/ldap/ldap.culturetas.net.key
            - LDAP_TLS_CA_FILE=/run/secrets/ldap/ca.crt
            - LDAP_TLS_VERIFY_CLIENT=never
        ports:
            - 389:389
            - 636:636
        volumes:
            - /opt/openldap/data/var:/var/lib/ldap
            - /opt/openldap/data/etc:/etc/ldap/slapd.d
            - /etc/letsencrypt/live/ldap.culturetas.net/cert.pem:/run/secrets/ldap/ldap.culturetas.net.crt
            - /etc/letsencrypt/live/ldap.culturetas.net/privkey.pem:/run/secrets/ldap/ldap.culturetas.net.key
            - /etc/letsencrypt/live/ldap.culturetas.net/chain.pem:/run/secrets/ldap/ca.crt
        image: vegardit/openldap:2.6.10

Arrancar OpenLDAP en PRO

cd /opt/openldap

docker compose up -d

Arrancar OpenLDAP con SystemD

Configuración de FirewallD

Referencias

Obtenido de «https://wiki.castanedo.es/index.php?title=OpenLDAP&oldid=144»