In this guide, you’ll learn how to install and configure OpenLDAP on Ubuntu 24.04, and expose it securely using HAProxy running on OPNsense as an SSL offloading proxy for ldaps:// on port 636.
We will:
- Configure OpenLDAP to listen on unencrypted port 389 (LAN-only)
- Configure OPNsense HAProxy to:
  - Accept LDAPS connections on port 636
  - Terminate SSL
  - Forward plain LDAP to the OpenLDAP server
## Network Architecture
```
[ Client (ldaps://ldap.maksonlee.com:636) ]
                ↓
[ OPNsense HAProxy (SSL offloading on 636) ]
                ↓ (plain LDAP)
[ Ubuntu 24.04 OpenLDAP Server (listening on 389) ]
```
## 1. Install OpenLDAP on Ubuntu
Install the required packages:
```bash
sudo apt install slapd ldap-utils -y
```
The package install may run non-interactively and only prompt for the admin password; the next step reconfigures slapd fully.
## 2. Configure slapd
```bash
sudo dpkg-reconfigure slapd
```
Answer the prompts as follows:
| Prompt | Answer |
|---|---|
| Omit OpenLDAP server configuration? | No |
| DNS domain name | maksonlee.com |
| Organization name | Makson Lee |
| Administrator password | (your strong password) |
| Confirm password | (repeat password) |
| Do you want the database removed when purged? | No |
| Move old database? | Yes |
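The plan above says slapd should listen on port 389 LAN-only, but `dpkg-reconfigure` leaves the default `ldap:///` binding, which listens on every address. The following script is an added example, not part of the original guide: it pins slapd to the loopback and LAN addresses via `SLAPD_SERVICES` in `/etc/default/slapd`, allows only the HAProxy host to reach 389, and checks the resulting socket list. `LAN_IP` and `HAPROXY_IP` are assumed values; the `ss` output it checks by default is constructed sample data, and the real system changes only run with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not part of the original guide: pin slapd to the LAN address
# and verify that port 389 is not bound on every interface. LAN_IP (this host)
# and HAPROXY_IP (the OPNsense LAN address) are assumed values.
LAN_IP="${LAN_IP:-192.168.1.10}"
HAPROXY_IP="${HAPROXY_IP:-192.168.1.1}"

# The SLAPD_SERVICES line for /etc/default/slapd: loopback for local admin
# tools, the LAN address for HAProxy, and the ldapi:/// socket the Ubuntu
# packaging uses for cn=config access. Nothing binds 0.0.0.0 or [::].
slapd_services_line() {
  printf 'SLAPD_SERVICES="ldap://127.0.0.1:389/ ldap://%s:389/ ldapi:///"\n' "$1"
}

# Read `ss -ltn` output on stdin and return 0 only if every TCP listener on
# port 389 is bound to an address in the allow list ($1, space separated).
listeners_ok() {
  allow="$1"
  rc=0
  while read -r state recvq sendq laddr peer rest; do
    case "$laddr" in
      *:389) ;;
      *) continue ;;
    esac
    addr="${laddr%:389}"
    found=1
    for a in $allow; do
      [ "$a" = "$addr" ] && found=0
    done
    if [ "$found" -ne 0 ]; then
      echo "slapd listens on $laddr, outside the allow list: $allow" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample output (not captured from a real host): the default
# `ldap:///` binding exposes 389 on all addresses, the pinned one does not.
SS_DEFAULT='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      2048   0.0.0.0:389          0.0.0.0:*
LISTEN 0      2048   [::]:389             [::]:*
LISTEN 0      4096   127.0.0.53%lo:53     0.0.0.0:*'
SS_PINNED='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      2048   127.0.0.1:389        0.0.0.0:*
LISTEN 0      2048   192.168.1.10:389     0.0.0.0:*'

check_default_binding() { printf '%s\n' "$SS_DEFAULT" | listeners_ok "127.0.0.1 192.168.1.10"; }
check_pinned_binding()  { printf '%s\n' "$SS_PINNED"  | listeners_ok "127.0.0.1 192.168.1.10"; }

# Apply on the real host (needs root): rewrite the listener line, let only the
# HAProxy host reach 389, restart slapd and re-check the live socket list.
apply_lan_only() {
  sudo sed -i "s|^SLAPD_SERVICES=.*|$(slapd_services_line "$LAN_IP")|" /etc/default/slapd
  sudo ufw allow from "$HAPROXY_IP" to any port 389 proto tcp
  sudo systemctl restart slapd
  ss -ltn | listeners_ok "127.0.0.1 $LAN_IP"
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_lan_only
else
  if check_default_binding 2>/dev/null; then
    echo "unexpected: default binding passed"
  else
    echo "default binding: 389 exposed on all interfaces (flagged as expected)"
  fi
  check_pinned_binding && echo "pinned binding: only loopback and $LAN_IP (ok)"
fi
```

Because HAProxy terminates TLS, everything between OPNsense and slapd on 389 is plaintext, including bind passwords; keeping the listener off non-LAN addresses and limiting 389 to the HAProxy host is what makes "LAN-only" hold in practice. The `ufw` line assumes ufw is the host firewall; substitute your own rule if it is not.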
## 3. Verify Configuration
```bash
ldapsearch -H ldap://localhost -x \
  -D "cn=admin,dc=maksonlee,dc=com" -W \
  -b dc=maksonlee,dc=com
```
If successful, you should see output like:
```
# maksonlee.com
dn: dc=maksonlee,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Makson Lee
dc: maksonlee
```
## 4. Create a Basic Directory Tree (Optional)
Create a file `base.ldif` (LDIF requires a blank line between entries):
```
dn: ou=people,dc=maksonlee,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=maksonlee,dc=com
objectClass: organizationalUnit
ou: groups
```
Add it to LDAP:
```bash
ldapadd -x -D "cn=admin,dc=maksonlee,dc=com" -W -f base.ldif
```
## 5. SSL Offloading via HAProxy on OPNsense
You should already have:
- HAProxy and ACME plugins installed on OPNsense
- A valid certificate for ldap.maksonlee.com, issued via a DNS-01 challenge
- An HAProxy frontend on port 636 using that certificate
- An HAProxy backend pointing to your OpenLDAP server on port 389
This way:
- Clients connect securely via ldaps://ldap.maksonlee.com:636
- HAProxy decrypts TLS and forwards plain LDAP to your server
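The OPNsense plugin builds the frontend and backend from the GUI, but it helps to see the equivalent `haproxy.cfg` fragment, because two details decide whether LDAPS through the proxy works at all: both sides must be in `mode tcp` (LDAP is not HTTP), and TLS ends on the `bind` line, so everything behind it is plaintext. The script below is an added example, not from the original post or the OPNsense plugin: it renders that fragment, sanity-checks it offline, and with `LIVE=1` verifies the published endpoint from a client with `openssl s_client` and `ldapsearch`. `LDAP_HOST`, `BACKEND_IP`, `BIND_DN` and the certificate path are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the OPNsense HAProxy plugin:
# the haproxy.cfg equivalent of the frontend/backend described above, and an
# end-to-end check of the ldaps:// endpoint. LDAP_HOST, BACKEND_IP, BIND_DN
# and the certificate path are assumptions for this example.
LDAP_HOST="${LDAP_HOST:-ldap.maksonlee.com}"
BACKEND_IP="${BACKEND_IP:-192.168.1.10}"
CERT_PEM="${CERT_PEM:-/path/to/ldap.maksonlee.com.pem}"   # assumed: cert chain + key in one PEM
BIND_DN="${BIND_DN:-cn=admin,dc=maksonlee,dc=com}"

# What matters for LDAP here:
#  - mode tcp on both sides: LDAP is not HTTP, an http-mode frontend breaks it
#  - ssl on the bind line is where TLS ends; everything behind it is plaintext,
#    so the backend must only be reachable on the trusted LAN
#  - option ldap-check makes the health check an LDAPv3 bind, not a bare TCP connect
render_haproxy_cfg() {
  backend_ip="$1"; cert="$2"
  cat <<EOF
frontend ldaps_in
    mode tcp
    bind :636 ssl crt $cert ssl-min-ver TLSv1.2
    default_backend openldap

backend openldap
    mode tcp
    option ldap-check
    server ldap1 $backend_ip:389 check
EOF
}

# Offline sanity check of the rendered fragment: both sections in tcp mode and
# TLS terminated on the 636 bind line. Returns 0 when both hold.
check_cfg() {
  cfg="$(render_haproxy_cfg "$1" "$2")"
  [ "$(printf '%s\n' "$cfg" | grep -c '^    mode tcp$')" -eq 2 ] || return 1
  printf '%s\n' "$cfg" | grep -q '^    bind :636 ssl crt ' || return 1
}

# Live check from a client (LIVE=1): first the TLS handshake with SNI, which
# shows the certificate chain HAProxy serves, then an authenticated base
# search through the proxy. ldapsearch validates the certificate against the
# system CA store (TLS_CACERT in /etc/ldap/ldap.conf), so a Let's Encrypt
# certificate needs no extra client configuration on Ubuntu.
live_check() {
  openssl s_client -connect "$LDAP_HOST:636" -servername "$LDAP_HOST" -brief </dev/null
  ldapsearch -H "ldaps://$LDAP_HOST:636" -x -D "$BIND_DN" -W \
    -b "dc=maksonlee,dc=com" -s base
}

if [ "${LIVE:-0}" = 1 ]; then
  live_check
else
  render_haproxy_cfg "$BACKEND_IP" "$CERT_PEM"
  check_cfg "$BACKEND_IP" "$CERT_PEM" && echo "# sanity check passed"
fi
```

If you do keep a hand-written copy of the config, `haproxy -c -f <file>` validates it before reloading. A failing `option ldap-check` is usually the first sign that slapd is no longer reachable from OPNsense on 389, for example after tightening the listener or firewall on the Ubuntu host.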
🔗 Related setup posts:
- Let’s Encrypt on OPNsense 25.1 using DNS-01 with Cloudflare
- Set Up HAProxy for TLS Passthrough with SNI Routing on OPNsense
Note: This guide uses SSL offloading, not TLS passthrough. But if you’re interested in routing encrypted LDAPS traffic based on SNI without terminating TLS, the second link shows how.
