okasion/ldapdock
2
1
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Update INSTALL.md

Browse Source
This commit is contained in:
Marisa 2025-11-05 06:22:54 -05:00
parent 3b8e2d5c43
commit 4ca76359dc
1 changed files with 64 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
INSTALL.md
View File

@ -290,6 +290,67 @@ root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_key.pem
Bundle our certs (CA and server) into one and set the right perms Bundle our certs (CA and server) into one and set the right perms
``` ```
root@example:/etc/ldap/certs# cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem root@example:/etc/ldap/certs# cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
chown root:openldap ldap01_slapd_cert_full.pem root@example:/etc/ldap/certs# chown root:openldap ldap01_slapd_cert_full.pem
chmod 640 ldap01_slapd_cert_full.pem root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_cert_full.pem
```
\
Restart slapd (copy and paste as a single line)
```
root@example:/etc/ldap/certs# slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
sleep 3
```
Re-apply TLS config
```
root@example:/etc/ldap/certs# cat > /tmp/certinfo.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
EOF
```
```
root@example:/etc/ldap/certs# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
```
Add CA certificate to system trust directory
```
root@example:/etc/ldap/certs# cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
root@example:/etc/ldap/certs# update-ca-certificates
```
\
Stop temp, start final with LDAPS
```
root@example:/etc/ldap/certs# pkill slapd
root@example:/etc/ldap/certs# slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
```
Finally set this ENV variable and make it permanent
```
root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
root@example:/etc/ldap/certs# source ~/.bashrc
```
\
Check STARTTLS
```
root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://example.com
```
Check SSL/ldaps
```
root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://example.com
```
Both should return Anonymous.
To connect to the server via `STARTTLS`, use port 389, auth method Simple
To connect to the server via `SSL`, use port 636, auth method Simple, copy and accept the certificate if asked, or copy the CA file out of the container ldapdock with:`
```
# sudo docker cp ldapdock:/etc/ldap/certs/ca-cert.pem ./mycacert.crt
# sudo cp mycacert.crt /usr/local/share/ca-certificates/
# sudo update-ca-certificates
``` ```