Hash certificate directory for ldap trust
When you work with openldap clients on GNU/Linux, you might have to interact with Active Directory. And you want to secure your connection with ssl. When you want to tell ldap to trust the ssl certificates, it might take you a while to get it to actually trust it. You have to fetch the root ca certificate, and do one of several things to it:
- Save to a file, and update /etc/openldap/ldap.conf variable TLS_CACERT
- Save to the nssdb using certutil
- Save to a file in a directory with the right name (from openssl x509 -hash -noout -in FILENAME) and set variable TLS_CACERTDIR
Or you could set "TLS_REQCERT allow" in the conf, but you decided that you actually want the trust to work, for once. I've written a script that takes all the files in /etc/pki/ca-trust/source/anchors/ and makes symlinks to them with the right filenames in /etc/openldap/cacerts/ directory. Then you can just set "TLS_CACERTDIR /etc/openldap/cacerts" and be done. https://gist.github.com/bgstack15/46ed24a4c05440f8b4f7c4a6ff16c7ad
Comments