From c4b53401de45c27eb31cfca571e5d9e3ba39dd1c Mon Sep 17 00:00:00 2001 From: Marisa Date: Sun, 7 Dec 2025 08:54:24 -0500 Subject: [PATCH] Update INSTALL.md --- INSTALL.md | 77 ++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 57 insertions(+), 20 deletions(-) diff --git a/INSTALL.md b/INSTALL.md index 7902fd1..9b1d61a 100644 --- a/INSTALL.md +++ b/INSTALL.md 
@@ -366,31 +366,64 @@ root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc root@example:/etc/ldap/certs# source ~/.bashrc ``` +## _6- Connect to OpenLDAP server via StartTLS/SSL_ + +Vital checks of different levels to test **openLDAP's StartTLS and SSL**:\ +1.Check StartTLS and SSL, both should output "anonymous" +``` +root@example:/# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST} +anonymous +root@example:/# ldapwhoami -x -H ldaps://${LDAP_HOST} +anonymous +``` \ -Check STARTTLS +2.Check direct connection via openssl to confirm certificates are working properly: ``` -root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST} +root@example:/# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} #StartTLS +CONNECTED(00000003) +depth=1 CN = Example Company CA +verify return:1 +depth=0 O = Example Company, CN = example.com +verify return:1 +... +SSL handshake has read 2977 bytes and written 424 bytes +Verification: OK +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +Secure Renegotiation IS NOT supported +Compression: NONE +Expansion: NONE +No ALPN negotiated +Early data was not sent +Verify return code: 0 (ok) +root@example:/# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} #SSL +CONNECTED(00000003) +depth=1 CN = Example Company CA +verify return:1 +depth=0 O = Example Company, CN = example.com +verify return:1 +... +SSL handshake has read 2963 bytes and written 393 bytes +Verification: OK +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +Secure Renegotiation IS NOT supported +Compression: NONE +Expansion: NONE +No ALPN negotiated +Early data was not sent +Verify return code: 0 (ok) ``` -Check SSL/ldaps -``` -root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://${LDAP_HOST} -``` -Both should return Anonymous. 
+The output of both of these commands should be similar. Also, both will show the openLDAP's server CN (example.com in this case). You can terminate the connection with Ctrl+C. -Another example to try STARTTLS/ldap it is working: +3.A very important check is to make sure connections as users from the OpenLDAP's tree other than admin works: ``` -# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} -``` -SSL/ldaps -``` -# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} -``` -Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com) - -A very important check to make sure connections as users other than admin can be made via StartTLS: -``` -# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 +root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #StartTLS dn:uid=marisa,ou=People,dc=example,dc=com +root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #SSL +dn:uid=marisa,ou=People,dc=example,dc=com ``` To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple. @@ -401,5 +434,9 @@ If asked, accept the certificate as with any certificate, or copy the CA file th > sudo update-ca-certificates ``` In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\ -BIND DN=cn=admin,dc=example,dc=com\ +As admin: +BIND DN="cn=admin,dc=example,dc=com"\ BIND password=admin +As marisa: +BIND DN="uid=marisa,ou=People,dc=example,dc=com"\ +BIND password=MarisaNewPass2025 \ No newline at end of file
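Review bot: the two commands in check 3 both bind to `ldap://127.0.0.1` with neither `-ZZ` nor an `ldaps://` URL, so despite the `#StartTLS` and `#SSL` comments neither one actually exercises TLS, and with `-x -D ... -w ...` the simple-bind password crosses the wire in cleartext unless the client's ldap.conf happens to force it. Suggest `ldapwhoami -x -ZZ -D "uid=marisa,ou=People,dc=example,dc=com" -W -H ldap://${LDAP_HOST}` for the StartTLS line and `ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -W -H ldaps://${LDAP_HOST}` for the SSL line: `${LDAP_HOST}` instead of `127.0.0.1` matters because the certificate shown in check 2 carries `CN = example.com`, so hostname verification against the IP address would fail unless the certificate also has an IP SAN, and `-W` prompts for the password instead of leaving it in shell history and `ps` output. Two smaller points in the same hunk: the `openssl s_client` checks only print `Verification: OK` when the CA is already in the system trust store, so either pass `-CAfile /etc/ldap/certs/ca-cert.pem` (the file the preceding context exports as `LDAPTLS_CACERT`) or state that prerequisite; and `1.Check`, `2.Check`, `3.A very` need a space after the number to render as a Markdown list, while the stray `\` lines following the first fenced block and the `_..._` wrapping of the `## _6- Connect ...` heading should be dropped.

Review bot: the unchanged context line `In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\` no longer introduces what follows, since the hunk splits the credentials into `As admin:` and `As marisa:` blocks; reword it along the lines of "In both cases, connect with -h ${LDAP_HOST} using one of the following accounts:" and give `+As admin:` and `+As marisa:` the same trailing `\` that the `BIND DN=` lines carry, otherwise Markdown joins `As admin:` and `BIND DN="cn=admin,dc=example,dc=com"` onto one line. With the default `BIND password=admin` now listed next to a per-user password in the install document, a sentence reminding the reader to change both after the first successful bind would fit here. Finally, the hunk ends with `\ No newline at end of file`; add the trailing newline.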