Problem:
How can we configure LDAPS authentication for the OverOps backend server using a self-signed certificate, or a certificate that does not reside on the server where the backend is running?
Environment:
Any OverOps Backend Server
Any supported distros of Linux
Solution:
Provide the CA certificate that signed the LDAP server's certificate to the server where the backend is running, and install it into the OS trust store using the instructions for that OS.
Linux (Ubuntu, Debian)
- Copy your CA certificate to the directory /usr/local/share/ca-certificates/:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
- Update the CA store:
sudo update-ca-certificates
Linux (CentOS 6)
- Install the ca-certificates package:
yum install ca-certificates
- Enable the dynamic CA configuration feature:
update-ca-trust force-enable
- Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/:
cp foo.crt /etc/pki/ca-trust/source/anchors/
- Rebuild the trust store:
update-ca-trust extract
Linux (CentOS 5)
Append your trusted certificate to the file /etc/pki/tls/certs/ca-bundle.crt:
cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt
Install the certificate onto the server. As an example, on Ubuntu the certificate can be installed with the following commands:
cp /path/to/.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Running the above command installs the certificate into /etc/ssl/certs/ca-certificates.crt, the bundle under /etc/ssl/certs that holds the long list of trusted CA certificates.
To validate the connection, use the openssl command to connect to the LDAP server over LDAPS (port 636) using the CA certificates located in /etc/ssl/certs/:
openssl s_client -connect foo.whatever.com:636 -CApath /etc/ssl/certs
If the TLS handshake and certificate verification succeed, use the ldapsearch tool to query the LDAP server over port 636 (ldaps://):
ldapsearch -x -D "cn=binduser,dc=company,dc=com" -W -H ldaps://<server_address> -b "dc=company,dc=com" -s sub '(cn=test.user)'
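The install-and-verify procedure above, collected into a small shell script as an added example (not part of the original article). The distro ID, CA file path and LDAP host are placeholders passed as arguments; the openssl output embedded at the end is constructed to show what the verification check matches on.

```shell
# Added example, not part of the original article: the CA-install and LDAPS
# verification steps above as shell functions. Distro ID, CA path and LDAP host
# are assumed placeholders supplied as arguments.

# Directory the CA anchor is copied into, per distro family (from the steps above).
ca_anchor_dir() {
    case "$1" in
        ubuntu|debian) echo /usr/local/share/ca-certificates ;;
        centos|rhel)   echo /etc/pki/ca-trust/source/anchors ;;
        *) return 1 ;;
    esac
}

# Command that rebuilds the trust store after the copy.
ca_update_cmd() {
    case "$1" in
        ubuntu|debian) echo update-ca-certificates ;;
        centos|rhel)   echo "update-ca-trust extract" ;;
        *) return 1 ;;
    esac
}

# Copy the CA into place and refresh the store (needs root via sudo).
install_ca() {   # install_ca <distro-id> <ca.crt>
    dir=$(ca_anchor_dir "$1") || { echo "unsupported distro: $1" >&2; return 1; }
    sudo cp "$2" "$dir/" && sudo $(ca_update_cmd "$1")
}

# Pull the numeric "Verify return code" out of openssl s_client output.
# openssl prints no HTTP-style status; code 0 means the chain verified.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Succeed only if LDAPS on port 636 presents a chain the system store trusts.
check_ldaps() {   # check_ldaps <host> [capath]
    out=$(openssl s_client -connect "$1:636" -CApath "${2:-/etc/ssl/certs}" </dev/null 2>/dev/null)
    [ "$(verify_code "$out")" = 0 ]
}

# Constructed sample output (abridged) showing the line verify_code matches on.
SAMPLE_OK='CONNECTED(00000003)
    Verify return code: 0 (ok)'
SAMPLE_BAD='CONNECTED(00000003)
    Verify return code: 21 (unable to verify the first certificate)'

# Usage: sh ldaps-ca.sh <distro-id> <ca.crt> <ldap-host>
if [ $# -eq 3 ]; then
    install_ca "$1" "$2" && check_ldaps "$3" && echo "LDAPS chain verified against $3"
fi
```

On CentOS, pass /etc/pki/tls/certs as the second argument to check_ldaps, since that is where its OpenSSL certificate directory lives rather than /etc/ssl/certs.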