Update INSTALL.md

INSTALL.md

@@ -366,31 +366,64 @@ root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
 root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
 root@example:/etc/ldap/certs# source ~/.bashrc
 ```
+## _6- Connect to OpenLDAP server via StartTLS/SSL_
+
+Vital checks of different levels to test **openLDAP's StartTLS and SSL**:\
+1.Check StartTLS and SSL, both should output "anonymous"
+```
+root@example:/# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
+anonymous
+root@example:/# ldapwhoami -x -H ldaps://${LDAP_HOST}
+anonymous
+```
 \
-Check STARTTLS
+2.Check direct connection via openssl to confirm certificates are working properly:
 ```
-root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
+root@example:/# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} #StartTLS
+CONNECTED(00000003)
+depth=1 CN = Example Company CA
+verify return:1
+depth=0 O = Example Company, CN = example.com
+verify return:1
+...
+SSL handshake has read 2977 bytes and written 424 bytes
+Verification: OK
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+root@example:/# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} #SSL
+CONNECTED(00000003)
+depth=1 CN = Example Company CA
+verify return:1
+depth=0 O = Example Company, CN = example.com
+verify return:1
+...
+SSL handshake has read 2963 bytes and written 393 bytes
+Verification: OK
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
 ```
-Check SSL/ldaps
+The output of both of these commands should be similar. Also, both will show the openLDAP's server CN (example.com in this case). You can terminate the connection with Ctrl+C.
-```
-root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://${LDAP_HOST}
-```
-Both should return Anonymous.
 
-Another example to try STARTTLS/ldap it is working:
+3.A very important check is to make sure connections as users from the OpenLDAP's tree other than admin works: 
 ```
-# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST}
+root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #StartTLS
-```
-SSL/ldaps
-```
-# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST}
-```
-Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com)
-
-A very important check to make sure connections as users other than admin can be made via StartTLS:
-```
-# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1
 dn:uid=marisa,ou=People,dc=example,dc=com
+root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #SSL
+dn:uid=marisa,ou=People,dc=example,dc=com 
 ```
 
 To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple. 
@@ -401,5 +434,9 @@ If asked, accept the certificate as with any certificate, or copy the CA file th
 > sudo update-ca-certificates
 ```
 In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\
-BIND DN=cn=admin,dc=example,dc=com\
+As admin:
+BIND DN="cn=admin,dc=example,dc=com"\
 BIND password=admin
+As marisa:
+BIND DN="uid=marisa,ou=People,dc=example,dc=com"\
+BIND password=MarisaNewPass2025