Update LDAP TLS procedure (#3503)
(cherry picked from commit 0c0dc4a)
asteflova authored and maximiliankolb committed Dec 9, 2024
1 parent bdd1d87 commit 75dde80
Showing 2 changed files with 13 additions and 23 deletions.
2 changes: 0 additions & 2 deletions guides/common/modules/con_using-ldap.adoc
Expand Up @@ -4,8 +4,6 @@
{Project} supports LDAP authentication using one or multiple LDAP directories.
Your LDAP server must comply with the link:https://datatracker.ietf.org/doc/html/rfc2307[RFC 2307] schema.

If you require {ProjectName} to use `TLS` to establish a secure LDAP connection (LDAPS), first obtain certificates used by the LDAP server you are connecting to and mark them as trusted on the base operating system of your {ProjectServer} as described below.
If your LDAP server uses a certificate chain with intermediate certificate authorities, all of the root and intermediate certificates in the chain must be trusted, so ensure all certificates are obtained.
If you do not require secure LDAP at this time, proceed to xref:Configuring_Project_to_Use_LDAP_{context}[].

[IMPORTANT]
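Review bot: With the two TLS sentences removed from this hunk, the surviving line `If you do not require secure LDAP at this time, proceed to xref:Configuring_Project_to_Use_LDAP_{context}[].` now mentions secure LDAP before the concept module has introduced it, and a reader who does need LDAPS is no longer told where the certificate procedure lives. Consider keeping a one-line pointer in its place, for example `If you require LDAPS, complete xref:Configuring_TLS_for_Secure_LDAP_{context}[] first.`, so the branch still has both arms rather than only the "do not require" one.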
34 changes: 13 additions & 21 deletions guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc
@@ -1,39 +1,31 @@
[id="Configuring_TLS_for_Secure_LDAP_{context}"]
= Configuring TLS for secure LDAP

Use the {Project} CLI to configure TLS for secure LDAP (LDAPS).
If {Project} uses TLS to establish a secure LDAP connection (LDAPS), you must obtain the CA certificates of your LDAP server and add them to the trusted CA list on the base operating system of your {ProjectServer}.

If your LDAP server uses a certificate chain with intermediate certificate authorities, you must obtain all root and intermediate certificates and add them to the trusted CA list.

.Procedure
. Obtain the Certificate from the LDAP Server.
.. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base-64 encoded X.509 format.
. Obtain the CA certificate from the LDAP Server:
.. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base64 encoded X.509 format.
ifndef::orcharhino[]
See https://access.redhat.com/solutions/1498773[How to configure Active Directory authentication with `TLS` on {Project}] for information on creating and exporting a CA certificate from an Active Directory server.
endif::[]
.. Download the LDAP server certificate to a temporary location onto {ProjectServer} and remove it when finished.
.. Download the LDAP server certificate to a temporary location on the {ProjectServer}, such as `/tmp/_example.crt_`.
You will remove the certificate when finished.
+
For example, `/tmp/example.crt`.
The filename extensions `.cer` and `.crt` are only conventions and can refer to DER binary or PEM ASCII format certificates.
. Trust the Certificate from the LDAP Server.
+
{ProjectServer} requires the CA certificates for LDAP authentication to be individual files in `/etc/pki/tls/certs/` directory.

.. Use the `install` command to install the imported certificate into the `/etc/pki/tls/certs/` directory with the correct permissions:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# install /tmp/_example.crt_ /etc/pki/tls/certs/
----
.. Enter the following command as `root` to trust the _example.crt_ certificate obtained from the LDAP server:
. Add the LDAP server certificate to the system truststore:
.. Import the certificate:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# ln -s _example.crt_ /etc/pki/tls/certs/$(openssl \
x509 -noout -hash -in \
/etc/pki/tls/certs/_example.crt_).0
# cp /tmp/_example.crt_ /etc/pki/tls/source/anchors
----
.. Restart the `httpd` service:
.. Update the certificate authority truststore:
+
[options="nowrap", subs="+quotes,verbatim,attributes"]
----
# systemctl restart httpd
# update-ca-trust extract
----
. Delete the downloaded LDAP certificate from the temporary location on your {ProjectServer}.
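Review bot: The destination in the new import command, `# cp /tmp/_example.crt_ /etc/pki/tls/source/anchors`, is not the directory that `update-ca-trust extract` reads: on RHEL-family systems the anchors directory is `/etc/pki/ca-trust/source/anchors/`, so as written the copy fails (there is no `/etc/pki/tls/source/`) and the following `update-ca-trust extract` rebuilds the bundle without the new CA. Fix the path and keep the trailing slash so a missing directory errors out instead of creating a file named `anchors`. Two smaller points in the same hunk: the new step title `Add the LDAP server certificate to the system truststore` and the download substep say "LDAP server certificate", while the step above and the new intro paragraphs correctly ask for the CA certificate (root plus any intermediates); use "CA certificate" consistently, since trusting the leaf certificate is not what the procedure intends. Also, the `systemctl restart httpd` substep was removed without replacement; confirm that the running {ProjectServer} services pick up the rebuilt truststore without a restart, otherwise the restart step should stay.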
