Commit (does not belong to any branch on this repository, and may belong to a fork outside of the repository). Showing 2 changed files with 13 additions and 23 deletions.
guides/common/modules/proc_configuring-tls-for-secure-ldap.adoc (34 changes: 13 additions & 21 deletions)
@@ -1,39 +1,31 @@ | ||
[id="Configuring_TLS_for_Secure_LDAP_{context}"] | ||
= Configuring TLS for secure LDAP | ||
|
||
Use the {Project} CLI to configure TLS for secure LDAP (LDAPS). | ||
If {Project} uses TLS to establish a secure LDAP connection (LDAPS), you must obtain the CA certificates of your LDAP server and add them to the trusted CA list on the base operating system of your {ProjectServer}. | ||
|
||
If your LDAP server uses a certificate chain with intermediate certificate authorities, you must obtain all root and intermediate certificates and add them to the trusted CA list. | ||
|
||
.Procedure | ||
. Obtain the Certificate from the LDAP Server. | ||
.. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base-64 encoded X.509 format. | ||
. Obtain the CA certificate from the LDAP Server: | ||
.. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base64 encoded X.509 format. | ||
ifndef::orcharhino[] | ||
See https://access.redhat.com/solutions/1498773[How to configure Active Directory authentication with `TLS` on {Project}] for information on creating and exporting a CA certificate from an Active Directory server. | ||
endif::[] | ||
.. Download the LDAP server certificate to a temporary location onto {ProjectServer} and remove it when finished. | ||
.. Download the LDAP server certificate to a temporary location on the {ProjectServer}, such as `/tmp/_example.crt_`. | ||
You will remove the certificate when finished. | ||
+ | ||
For example, `/tmp/example.crt`. | ||
The filename extensions `.cer` and `.crt` are only conventions and can refer to DER binary or PEM ASCII format certificates. | ||
. Trust the Certificate from the LDAP Server. | ||
+ | ||
{ProjectServer} requires the CA certificates for LDAP authentication to be individual files in `/etc/pki/tls/certs/` directory. | ||
|
||
.. Use the `install` command to install the imported certificate into the `/etc/pki/tls/certs/` directory with the correct permissions: | ||
+ | ||
[options="nowrap", subs="+quotes,verbatim,attributes"] | ||
---- | ||
# install /tmp/_example.crt_ /etc/pki/tls/certs/ | ||
---- | ||
.. Enter the following command as `root` to trust the _example.crt_ certificate obtained from the LDAP server: | ||
. Add the LDAP server certificate to the system truststore: | ||
.. Import the certificate: | ||
+ | ||
[options="nowrap", subs="+quotes,verbatim,attributes"] | ||
---- | ||
# ln -s _example.crt_ /etc/pki/tls/certs/$(openssl \ | ||
x509 -noout -hash -in \ | ||
/etc/pki/tls/certs/_example.crt_).0 | ||
# cp /tmp/_example.crt_ /etc/pki/tls/source/anchors | ||
---- | ||
.. Restart the `httpd` service: | ||
.. Update the certificate authority truststore: | ||
+ | ||
[options="nowrap", subs="+quotes,verbatim,attributes"] | ||
---- | ||
# systemctl restart httpd | ||
# update-ca-trust extract | ||
---- | ||
. Delete the downloaded LDAP certificate from the temporary location on your {ProjectServer}. |
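Review bot: the destination in `# cp /tmp/_example.crt_ /etc/pki/tls/source/anchors` looks like a wrong path: `update-ca-trust extract` consolidates anchors from `/etc/pki/ca-trust/source/anchors/`, not from a directory under `/etc/pki/tls/`, so a certificate copied to the path as written never enters the system truststore and LDAPS verification will still fail. Suggest `# cp /tmp/_example.crt_ /etc/pki/ca-trust/source/anchors/` and keeping the trailing slash so a typo in the directory name fails loudly instead of silently creating a file named `anchors`. The hunk also drops the `# systemctl restart httpd` step: a process that already loaded the CA bundle keeps its in-memory copy until restarted, so either keep a restart step or add a sentence stating that {Project} services must be restarted before the new anchor takes effect.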