Update INSTALL.md

2025-11-05 06:22:54 -05:00 · 2025-11-05 06:22:54 -05:00 · 4ca76359dc
commit 4ca76359dc
parent 3b8e2d5c43
1 changed files with 64 additions and 3 deletions
--- a/INSTALL.md
+++ b/INSTALL.md
@ -290,6 +290,67 @@ root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_key.pem
 Bundle our certs (CA and server) into one and set the right perms
 ```
 root@example:/etc/ldap/certs# cat ldap01_slapd_cert.pem ca-cert.pem > ldap01_slapd_cert_full.pem
-chown root:openldap ldap01_slapd_cert_full.pem
-chmod 640 ldap01_slapd_cert_full.pem
+root@example:/etc/ldap/certs# chown root:openldap ldap01_slapd_cert_full.pem
+root@example:/etc/ldap/certs# chmod 640 ldap01_slapd_cert_full.pem
+```
+\
+Restart slapd (copy and paste as a single line)
+```
+root@example:/etc/ldap/certs# slapd -h "ldap:/// ldapi:/// ldaps:///" -u openldap -g openldap &
+sleep 3
+```
+Re-apply TLS config
+```
+root@example:/etc/ldap/certs# cat > /tmp/certinfo.ldif <<EOF
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/certs/ca-cert.pem
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/certs/ldap01_slapd_cert_full.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/certs/ldap01_slapd_key.pem
+EOF
+```
+```
+root@example:/etc/ldap/certs# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+```
+Add CA certificate to system trust directory
+```
+root@example:/etc/ldap/certs# cp /etc/ldap/certs/ca-cert.pem /usr/local/share/ca-certificates/mycacert.crt
+root@example:/etc/ldap/certs# update-ca-certificates
+```
+\
+Stop temp, start final with LDAPS
+```
+root@example:/etc/ldap/certs# pkill slapd
+root@example:/etc/ldap/certs# slapd -h "ldap:/// ldaps:/// ldapi:///" -u openldap -g openldap -d 0 &
+```
+
+Finally set this ENV variable and make it permanent
+```
+root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
+root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
+root@example:/etc/ldap/certs# source ~/.bashrc
+```
+\
+Check STARTTLS
+```
+root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://example.com
+```
+Check SSL/ldaps
+```
+root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://example.com
+```
+Both should return Anonymous.
+
+To connect to the server via `STARTTLS`, use port 389, auth method Simple
+
+To connect to the server via `SSL`, use port 636, auth method Simple, copy and accept the certificate if asked, or copy the CA file out of the container ldapdock with:`
+```
+# sudo docker cp ldapdock:/etc/ldap/certs/ca-cert.pem ./mycacert.crt
+# sudo cp mycacert.crt /usr/local/share/ca-certificates/
+# sudo update-ca-certificates
 ```