In this guide, you’ll learn how to install and configure OpenLDAP on Ubuntu 24.04, and expose it securely using HAProxy running on OPNsense as an SSL offloading proxy for ldaps:// on port 636.
We will:
- Configure OpenLDAP to listen on unencrypted port 389 (LAN-only)
- Configure OPNsense HAProxy to:
  - Accept LDAPS connections on port 636
  - Terminate SSL
  - Forward plain LDAP to the OpenLDAP server
Network Architecture
```
[ Client (ldaps://ldap.maksonlee.com:636) ]
        ↓
[ OPNsense HAProxy (SSL offloading on 636) ]
        ↓ (plain LDAP)
[ Ubuntu 24.04 OpenLDAP Server (listening on 389) ]
```
- Install OpenLDAP on Ubuntu
Install required packages:
```
sudo apt install slapd ldap-utils -y
```
At this point, Ubuntu might install slapd non-interactively and only prompt for the admin password.
- Configure
```
sudo dpkg-reconfigure slapd
```
Answer the prompts as follows:
| Prompt | Answer |
|---|---|
| Omit OpenLDAP server configuration? | No |
| DNS domain name | maksonlee.com |
| Organization name | Makson Lee |
| Administrator password | (your strong password) |
| Confirm password | (repeat password) |
| Do you want the database removed when purged? | No |
| Move old database? | Yes |
- Verify Configuration
```
ldapsearch -H ldap://localhost -x \
  -D "cn=admin,dc=maksonlee,dc=com" -W \
  -b dc=maksonlee,dc=com
```
If successful, you should see something like:
```
# maksonlee.com
dn: dc=maksonlee,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Makson Lee
dc: maksonlee
```
- Create a Basic Directory Tree (Optional)
Create a file base.ldif (LDIF entries must be separated by a blank line):
```
dn: ou=people,dc=maksonlee,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=maksonlee,dc=com
objectClass: organizationalUnit
ou: groups
```
Add it to LDAP:
```
ldapadd -x -D "cn=admin,dc=maksonlee,dc=com" -W -f base.ldif
```
- SSL Offloading via HAProxy on OPNsense
You should already have:
- HAProxy and ACME plugins installed on OPNsense
- A valid cert for ldap.maksonlee.com via DNS-01 challenge
- HAProxy frontend on port 636, using the cert
- HAProxy backend pointing to your OpenLDAP server on port 389
This way:
- Clients connect securely via ldaps://ldap.maksonlee.com:636
- HAProxy decrypts TLS and forwards plain LDAP to your server
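The OPNsense plugin generates the HAProxy configuration from the GUI fields above; for reference, here is an added haproxy.cfg fragment (written for this guide, not produced by the plugin and not part of the original post) that expresses the same frontend and backend, with the settings the unencrypted hop to slapd calls for. The LDAP server address 192.0.2.10 and the certificate bundle path are assumptions.

```haproxy
# Added example: haproxy.cfg equivalent of the OPNsense settings in this guide.
# ASSUMED values: slapd on 192.0.2.10, cert+key bundle path below.

global
    # Refuse legacy TLS versions on every TLS listener.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode tcp            # LDAP is not HTTP: frontend and backend must be raw TCP
    timeout connect 5s
    timeout client  5m  # LDAP clients keep long-lived connections
    timeout server  5m

frontend ldaps_in
    # TLS is terminated here with the ACME-issued cert for ldap.maksonlee.com
    # (HAProxy expects cert chain and private key in one PEM file).
    bind :636 ssl crt /path/to/ldap.maksonlee.com.pem   # ASSUMED path
    default_backend openldap

backend openldap
    # Plain LDAP to the directory server on the LAN: this hop is cleartext,
    # so slapd must only be reachable from this proxy on the LAN segment.
    option ldap-check        # health check with a real LDAP bind, not a bare TCP connect
    server slapd01 192.0.2.10:389 check   # ASSUMED LAN address
```

Because the HAProxy-to-slapd hop is cleartext, also bind slapd to its LAN address only, for example `SLAPD_SERVICES="ldap://192.0.2.10:389/ ldapi:///"` in /etc/default/slapd (address assumed), and allow port 389 only from the OPNsense host in the firewall.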
🔗 Related setup posts:
- Let’s Encrypt on OPNsense 25.1 using DNS-01 with Cloudflare
- Set Up HAProxy for TLS Passthrough with SNI Routing on OPNsense
Note: This guide uses SSL offloading, not TLS passthrough. But if you’re interested in routing encrypted LDAPS traffic based on SNI without terminating TLS, the second link shows how.