Marisa 2025-12-07 12:43:44 -03:00
parent 9ba26eebef
commit fce53742db


@ -366,65 +366,26 @@ root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
root@example:/etc/ldap/certs# source ~/.bashrc root@example:/etc/ldap/certs# source ~/.bashrc
``` ```
## _6- Connect to OpenLDAP server via StartTLS/SSL_
Vital checks of different levels to test **openLDAP's StartTLS and SSL**:\
1.Check StartTLS and SSL, both should output "anonymous"
```
root@example:/# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
anonymous
root@example:/# ldapwhoami -x -H ldaps://${LDAP_HOST}
anonymous
```
\ \
2.Check direct connection via openssl to confirm certificates are working properly: Check STARTTLS
``` ```
root@example:/# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} #StartTLS root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
CONNECTED(00000003)
depth=1 CN = Example Company CA
verify return:1
depth=0 O = Example Company, CN = example.com
verify return:1
...
SSL handshake has read 2977 bytes and written 424 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
root@example:/# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} #SSL
CONNECTED(00000003)
depth=1 CN = Example Company CA
verify return:1
depth=0 O = Example Company, CN = example.com
verify return:1
...
SSL handshake has read 2963 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
``` ```
The output of both of these commands should be similar. Also, both will show the openLDAP's server CN (example.com in this case). You can terminate the connection with Ctrl+C. Check SSL/ldaps
```
root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://${LDAP_HOST}
```
Both should return Anonymous.
3.A very important check is to make sure connections as users from the OpenLDAP's tree other than admin works: Another example to try STARTTLS/ldap it is working:
``` ```
root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #StartTLS openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST}
dn:uid=marisa,ou=People,dc=example,dc=com
root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #SSL
dn:uid=marisa,ou=People,dc=example,dc=com
``` ```
SSL/ldaps
```
openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST}
```
Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com)
To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple. To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple.
If asked, accept the certificate as with any certificate, or copy the CA file that resides inside ldapdock from out of the container to our host system certificate trust directory (/usr/local/share/ca-certificates/ works for any Debian based distribution): If asked, accept the certificate as with any certificate, or copy the CA file that resides inside ldapdock from out of the container to our host system certificate trust directory (/usr/local/share/ca-certificates/ works for any Debian based distribution):
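Review bot: the closing sentence of the new text, "Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com)", is wrong: openssl s_client prints the certificate subject, which in the output removed just above is `CN = example.com` (the old wording, "both will show the openLDAP's server CN (example.com in this case)", was correct); `dc=example,dc=com` is the LDAP base DN and never appears in a TLS handshake. While fixing that, keep a pass/fail criterion for the two openssl commands, e.g. `Verify return code: 0 (ok)` / `Verification: OK`, and note that openssl s_client does not read the `LDAPTLS_CACERT` variable exported in the context at the top of this hunk, so a reader who has not yet installed the CA into the system trust store needs `-CAfile /etc/ldap/certs/ca-cert.pem` on those commands, otherwise verification fails even though `ldapwhoami -ZZ` succeeds. Two further removals are worth reconsidering: the `## _6- Connect to OpenLDAP server via StartTLS/SSL_` heading is dropped, so these checks now continue the previous section and the numbered headings lose their 6, and the third check (a simple bind as `uid=marisa,ou=People,dc=example,dc=com`, the only test here that exercises TLS with a non-anonymous bind) is gone entirely; if it is restored, its second command should use `ldaps://${LDAP_HOST}` rather than the `ldap://127.0.0.1 #SSL` it had. Minor: "Another example to try STARTTLS/ldap it is working:" reads better as "Another way to verify that STARTTLS/ldap is working:".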
@ -434,9 +395,5 @@ If asked, accept the certificate as with any certificate, or copy the CA file th
> sudo update-ca-certificates > sudo update-ca-certificates
``` ```
In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\ In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\
As admin: BIND DN=cn=admin,dc=example,dc=com\
BIND DN="cn=admin,dc=example,dc=com"\
BIND password=admin BIND password=admin
As marisa:
BIND DN="uid=marisa,ou=People,dc=example,dc=com"\
BIND password=MarisaNewPass2025
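Review bot: dropping the `As marisa:` credentials (BIND DN `uid=marisa,ou=People,dc=example,dc=com`, password `MarisaNewPass2025`) removes the only documented non-admin account, and the first hunk of this same commit removes the bind check that used it; if that account is still seeded into the tree, its default password is now undocumented but still valid, which is worse than listing it, and if it was removed from the seed data the commit message should say so. Quoting the admin DN on the retained line is fine, but the default `BIND password=admin` that stays should carry a note to change it before the service is exposed. Style: the unchanged lead-in says `-h ${LDAP_HOST}` while every command shown above uses `-H` with an `ldap://` or `ldaps://` URI; `-h` is the deprecated host flag and should read `-H ldaps://${LDAP_HOST}`.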