From 512f07eb2597f966910e1526a1edc1ce24b1ffac Mon Sep 17 00:00:00 2001 From: Marisa Date: Sun, 14 Dec 2025 14:00:34 -0500 Subject: [PATCH] Update INSTALL.md --- INSTALL.md | 75 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 59 insertions(+), 16 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 9b727c7..9b1d61a 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -366,26 +366,65 @@ root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc root@example:/etc/ldap/certs# source ~/.bashrc ``` -\ -Check STARTTLS -``` -root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST} -``` -Check SSL/ldaps -``` -root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://${LDAP_HOST} -``` -Both should return Anonymous. +## _6- Connect to OpenLDAP server via StartTLS/SSL_ -Another example to try STARTTLS/ldap it is working: +Vital checks of different levels to test **openLDAP's StartTLS and SSL**:\ +1.Check StartTLS and SSL, both should output "anonymous" ``` -openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} +root@example:/# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST} +anonymous +root@example:/# ldapwhoami -x -H ldaps://${LDAP_HOST} +anonymous ``` -SSL/ldaps +\ +2.Check direct connection via openssl to confirm certificates are working properly: ``` -openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} +root@example:/# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} #StartTLS +CONNECTED(00000003) +depth=1 CN = Example Company CA +verify return:1 +depth=0 O = Example Company, CN = example.com +verify return:1 +... +SSL handshake has read 2977 bytes and written 424 bytes +Verification: OK +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +Secure Renegotiation IS NOT supported +Compression: NONE +Expansion: NONE +No ALPN negotiated +Early data was not sent +Verify return code: 0 (ok) +root@example:/# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} #SSL +CONNECTED(00000003) +depth=1 CN = Example Company CA +verify return:1 +depth=0 O = Example Company, CN = example.com +verify return:1 +... 
+SSL handshake has read 2963 bytes and written 393 bytes +Verification: OK +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +Secure Renegotiation IS NOT supported +Compression: NONE +Expansion: NONE +No ALPN negotiated +Early data was not sent +Verify return code: 0 (ok) +``` +The output of both of these commands should be similar. Also, both will show the openLDAP's server CN (example.com in this case). You can terminate the connection with Ctrl+C. + +3.A very important check is to make sure connections as users from the OpenLDAP's tree other than admin works: +``` +root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #StartTLS +dn:uid=marisa,ou=People,dc=example,dc=com +root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #SSL +dn:uid=marisa,ou=People,dc=example,dc=com ``` -Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com) To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple. If asked, accept the certificate as with any certificate, or copy the CA file that resides inside ldapdock from out of the container to our host system certificate trust directory (/usr/local/share/ca-certificates/ works for any Debian based distribution): @@ -395,5 +434,9 @@ If asked, accept the certificate as with any certificate, or copy the CA file th > sudo update-ca-certificates ``` In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\ -BIND DN=cn=admin,dc=example,dc=com\ +As admin: +BIND DN="cn=admin,dc=example,dc=com"\ BIND password=admin +As marisa: +BIND DN="uid=marisa,ou=People,dc=example,dc=com"\ +BIND password=MarisaNewPass2025 \ No newline at end of file
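Review bot: check 3 in the first hunk does not exercise TLS at all, despite the `#StartTLS` and `#SSL` comments: both lines read `ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1`, which is a plain simple bind over unencrypted ldap:// on 389, so the user's password crosses the wire in the clear and a broken TLS setup would still pass the check. Mirror check 1 instead: `-ZZ -H ldap://${LDAP_HOST}` for the StartTLS line and `-H ldaps://${LDAP_HOST}` for the SSL line, against `${LDAP_HOST}` rather than 127.0.0.1 so that the certificate's CN (`example.com`) is actually verified against the name the client connects to, as check 2 already does with `-servername`. Prefer `-W` over `-w <password>` so the password does not end up in shell history and `ps` output. Minor: `1.Check`, `2.Check` and `3.A` need a space after the period to render as a Markdown list, and the `+\` lines are stray hard line breaks.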
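Review bot: the credential block in the second hunk loses its forced line breaks, so in rendered Markdown `As admin:` runs into `BIND DN="cn=admin,dc=example,dc=com"` and `BIND password=admin` runs into `As marisa:`; every line of the block except the last needs the trailing `\` that the existing `BIND DN=...\` line already uses, and the file should end with a newline (the diff reports `\ No newline at end of file`). The unchanged lead sentence `by default the login "user" and password are:` still describes a single account now that two are listed, so reword it to something like "the default accounts and passwords are:", and since `admin` and `MarisaNewPass2025` are now published in INSTALL.md, add a sentence stating that both are defaults to be changed before the server is reachable by anything other than local tests. Also, `-h ${LDAP_HOST}` in that sentence is the legacy host flag; the commands in the first hunk use `-H ldap://${LDAP_HOST}`, so the sentence should match.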