Update INSTALL.md

installl.md updated to fully test TLS/SSL

INSTALL.md

@@ -366,26 +366,65 @@ root@example:/etc/ldap/certs# export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem
 root@example:/etc/ldap/certs# echo 'export LDAPTLS_CACERT=/etc/ldap/certs/ca-cert.pem' >> ~/.bashrc
 root@example:/etc/ldap/certs# source ~/.bashrc
 ```
-\
-Check STARTTLS
-```
-root@example:/etc/ldap/certs# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
-```
-Check SSL/ldaps
-```
-root@example:/etc/ldap/certs# ldapwhoami -x -H ldaps://${LDAP_HOST}
-```
-Both should return Anonymous.
+## _6- Connect to OpenLDAP server via StartTLS/SSL_
 
-Another example to try STARTTLS/ldap it is working:
+Vital checks of different levels to test **openLDAP's StartTLS and SSL**:\
+1.Check StartTLS and SSL, both should output "anonymous"
 ```
-openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST}
+root@example:/# ldapwhoami -x -ZZ -H ldap://${LDAP_HOST}
+anonymous
+root@example:/# ldapwhoami -x -H ldaps://${LDAP_HOST}
+anonymous
 ```
-SSL/ldaps
+\
+2.Check direct connection via openssl to confirm certificates are working properly:
 ```
-openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST}
+root@example:/# openssl s_client -connect ${LDAP_HOST}:389 -starttls ldap -servername ${LDAP_HOST} #StartTLS
+CONNECTED(00000003)
+depth=1 CN = Example Company CA
+verify return:1
+depth=0 O = Example Company, CN = example.com
+verify return:1
+...
+SSL handshake has read 2977 bytes and written 424 bytes
+Verification: OK
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+root@example:/# openssl s_client -connect ${LDAP_HOST}:636 -servername ${LDAP_HOST} #SSL
+CONNECTED(00000003)
+depth=1 CN = Example Company CA
+verify return:1
+depth=0 O = Example Company, CN = example.com
+verify return:1
+...
+SSL handshake has read 2963 bytes and written 393 bytes
+Verification: OK
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 0 (ok)
+```
+The output of both of these commands should be similar. Also, both will show the openLDAP's server CN (example.com in this case). You can terminate the connection with Ctrl+C.
+
+3.A very important check is to make sure connections as users from the OpenLDAP's tree other than admin works: 
+```
+root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #StartTLS
+dn:uid=marisa,ou=People,dc=example,dc=com
+root@example:/# ldapwhoami -x -D "uid=marisa,ou=People,dc=example,dc=com" -w MarisaNewPass2025 -H ldap://127.0.0.1 #SSL
+dn:uid=marisa,ou=People,dc=example,dc=com 
 ```
-Both will show the connection to the openLDAP server showing the CN(dc=example,dc=com)
 
 To connect to the server via `STARTTLS`, use port 389, to connect to the server via `SSL`, use port 636, both auth method Simple. 
 If asked, accept the certificate as with any certificate, or copy the CA file that resides inside ldapdock from out of the container to our host system certificate trust directory (/usr/local/share/ca-certificates/ works for any Debian based distribution):
@@ -395,5 +434,9 @@ If asked, accept the certificate as with any certificate, or copy the CA file th
 > sudo update-ca-certificates
 ```
 In both cases, providing -h ${LDAP_HOST}, by default the login "user" and password are:\
-BIND DN=cn=admin,dc=example,dc=com\
+As admin:
+BIND DN="cn=admin,dc=example,dc=com"\
 BIND password=admin
+As marisa:
+BIND DN="uid=marisa,ou=People,dc=example,dc=com"\
+BIND password=MarisaNewPass2025

index.php.tls

@@ -1,55 +0,0 @@
-<?php
-$host = $_SERVER['HTTP_HOST'];   // works for example.com or any LDAP_HOST
-$msg = '';
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $uid = trim($_POST['uid'] ?? '');
-    $password = $_POST['password'] ?? '';
-
-    if ($uid && $password) {
-        // DIRECT LDAPS CONNECTION — NO STARTTLS NEEDED
-        $ldap = ldap_connect("ldaps://127.0.0.1:636");
-	// Allow self-signed cert for ldaps://
-	putenv('LDAPTLS_REQCERT=allow');
-        if (!$ldap) {
-            $msg = "<p style='color:red'>Cannot connect to LDAP server</p>";
-        } else {
-            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-            ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
-
-            $bind_dn = "uid=$uid,ou=People,dc=$host";
-            if (@ldap_bind($ldap, $bind_dn, $password)) {
-                $msg = "<p style='color:green;font-weight:bold'>Login successful! Welcome $uid 🎉</p>";
-            } else {
-                $msg = "<p style='color:red'>Invalid credentials</p>";
-            }
-            ldap_close($ldap);
-        }
-    } else {
-        $msg = "<p style='color:red'>uid=$uid,ou=People,dc=$host Please fill both fields</p>";
-    }
-}
-?>
-
-<!DOCTYPE html>
-<html>
-<head>
-    <title>ldapdock – LDAP login</title>
-    <style>
-        body { font-family: Arial, sans-serif; max-width: 400px; margin: 100px auto; text-align: center; }
-        input, button { padding: 10px; margin: 5px; width: 100%; font-size: 16px; }
-        button { background: #007cba; color: white; cursor: pointer; }
-    </style>
-</head>
-<body>
-    <h1>ldapdock login</h1>
-    <p>Server: <strong><?= htmlspecialchars($host) ?></strong></p>
-    <?= $msg ?>
-    <form method="post">
-        <input type="text" name="uid" placeholder="uid (e.g. marisa)" required autofocus><br>
-        <input type="password" name="password" placeholder="password" required><br>
-        <button type="submit">Login</button>
-    </form>
-    <hr>
-    <small>Test user: marisa / q*****</small>
-</body>
-</html>