Update INSTALL.md

INSTALL.md

@@ -1,25 +1,25 @@
 # ldapdock
-*_a configurable container running openLDAP_*
+*_a configurable secure openLDAP based container_*
 
 Step by step approach on how to setup and run an openLDAP server on a systemd-less docker image container
 
 ## _1- Creating the ldapdock image container_
 
-build ldapdock from the dockerfile and run into it
+build ldapdock from the dockerfile and run into it, creating the proper volumes to save databases data, config data, and certs data
 
 ```
 > docker build -t ldapdock /path/to/dockerfile
 ```
 
 ```
-> docker run -i -t -p 389:389 -p 636:636 -h example.com -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d ldapdock
+> docker run -i -t -p 389:389 -p 636:636 -h example.com -v ldap_data:/var/lib/ldap -v ldap_config:/etc/ldap/slapd.d -v ldap_certs:/etc/ldap/certs ldapdock
 ```
 
 ## _2- Run the openLDAP server and populate a directory_
 
 Use the following command to start openLDAP
 ```
-root@example:/# slapd -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap -F /etc/ldap/slapd.d
+root@example:/# slapd -h "ldap:/// ldapi:/// ldaps:///" -g openldap -u openldap
 ```
 
 Create some groups and users to populate a directory
@@ -151,6 +151,7 @@ adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config"
 ```
 The policies module has been loaded and we can begin to configure password schemas and ACLs.
 -->
+<!--
 ## _4- Configure default password policies_
 
 Create a basic overlay of your password policies:
@@ -228,3 +229,67 @@ Password "marisakirisame" is accepted because we established before pwdMinLength
 root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame
 ```
 "kirisame" is rejected because it's only 8 length characters.
+-->
+## _4- Configure TLS/SSL certificates_
+
+Create cert directories and generate certificates
+```
+root@example:/# mkdir -p /etc/ldap/certs
+root@example:/# cd /etc/ldap/certs
+```
+CA key
+```
+root@example:/etc/ldap/certs# certtool --generate-privkey --bits 4096 --outfile ca-key.pem
+```
+CA template
+```
+root@example:/etc/ldap/certs# cat > ca.info <<EOF
+cn = Example Company CA
+ca
+cert_signing_key
+expiration_days = 3650
+EOF
+```
+CA certificate
+```
+root@example:/etc/ldap/certs# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.info --outfile ca-cert.pem
+```
+\
+Now let's generate the key, template, and certificate of the openLDAP server\
+Server key
+```
+root@example:/etc/ldap/certs# certtool --generate-privkey --bits 2048 --outfile ldap01_slapd_key.pem
+```
+Server template
+```
+root@example:/etc/ldap/certs# cat > ldap01.info <<EOF
+organization = Example Company
+cn = example.com
+tls_www_server
+encryption_key
+signing_key
+expiration_days = 365
+EOF
+```
+Server certificate
+```
+root@example:/etc/ldap/certs# certtool --generate-certificate \
+  --load-privkey ldap01_slapd_key.pem \
+  --load-ca-certificate ca-cert.pem \
+  --load-ca-privkey ca-key.pem \
+  --template ldap01.info \
+  --outfile ldap01_slapd_cert.pem
+```
+\
+Last but not least, fix some permissions because certificates are very delicate when checking authorization
+```
+root@example:/etc/ldap/certs# chgrp openldap ldap01_slapd_key.pem
+root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_key.pem
+```
+\
+Bundle our certs (CA and server) into one and set the right perms
+```
+root@example:/etc/ldap/certs# cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
+chown root:openldap ldap01_slapd_cert_full.pem
+chmod 640 ldap01_slapd_cert_full.pem
+```