From 4ca76359dcb23d88084999f596476f22399e8af2 Mon Sep 17 00:00:00 2001
From: Marisa
Date: Wed, 5 Nov 2025 06:22:54 -0500
Subject: [PATCH] Update INSTALL.md

---
 INSTALL.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 64 insertions(+), 3 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md
index d894558..553f856 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -290,6 +290,67 @@ root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_key.pem
 Bundle our certs (CA and server) into one and set the right perms
 ```
 root@example:/etc/ldap/certs# cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
-chown root:openldap ldap01_slapd_cert_full.pem
-chmod 640 ldap01_slapd_cert_full.pem
-```
\ No newline at end of file
+root@example:/etc/ldap/certs# chown root:openldap ldap01_slapd_cert_full.pem
+root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_cert_full.pem
+```
+\
+Restart slapd (copy and paste as a single line)
+```
+root@example:/etc/ldap/certs# slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
+sleep 3
+```
+Re-apply TLS config
+```
+root@example:/etc/ldap/certs# cat > /tmp/certinfo.ldif <> ~/.bashrc
+root@example:/etc/ldap/certs# source ~/.bashrc
+```
+\
+Check STARTTLS
+```
+root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://example.com
+```
+Check SSL/ldaps
+```
+root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://example.com
+```
+Both should return Anonymous.
+
+To connect to the server via `STARTTLS`, use port 389, auth method Simple
+
+To connect to the server via `SSL`, use port 636, auth method Simple, copy and accept the certificate if asked, or copy the CA file out of the container ldapdock with:`
+```
+# sudo docker cp ldapdock:/etc/ldap/certs/ca-cert.pem ./mycacert.crt
+# sudo cp mycacert.crt /usr/local/share/ca-certificates/
+# sudo update-ca-certificates
+```