h1. LDAP

Cette page décrit l'installation du serveur LDAP de Tetaneutral.net

On utilise 389 ds: https://directory.fedoraproject.org/index.html + cockpit

XXX A compléter

h2. Certificats 

Installation de nginx + certbot-nginx

Script pour convertir le certificat Let's Encrypt aux formats utilisés par Cockpit et 389DS: @/root/update-letsencrypt.sh@

<pre>

#! /bin/bash

# update the 389ds certificates from Let's encrypt

# Source : http://delatbabel.blogspot.com/2017/03/lets-encrypt-ssl-recipes-389-directory.html

TMPDIR=$(mktemp -d /root/keys-XXXXXXXXXX)

SITE=ldap.tetaneutral.net

LDAPINSTANCE=ldap

trap 'rm -rf $TMPDIR' 0

#

# Make the temporary directory to store the PKCS12 file

#

mkdir -p $TMPDIR

chmod 700 $TMPDIR

#

# Make the PKCS12 file from the letsencrypt PEM files

#

rm -f $TMPDIR/$SITE.p12

openssl pkcs12 -export -in /etc/letsencrypt/live/$SITE/cert.pem \

        -inkey /etc/letsencrypt/live/$SITE/privkey.pem \

        -nodes -passout pass: -name Server-Cert -out $TMPDIR/$SITE.p12

# Prepare the password files

cut -d: -f2  < /etc/dirsrv/slapd-ldap/pin.txt > $TMPDIR/nss-pass.txt

echo "" > $TMPDIR/p12-pass.txt

#

# Import the CA certs separately with standard certificate nicknames

#

certutil -f $TMPDIR/nss-pass.txt -A -d /etc/dirsrv/slapd-$LDAPINSTANCE/ -n "ca_cert" -t "CT,," -i /etc/letsencrypt/live/$SITE/chain.pem

#

# Import the PKCS12 file into 389DS

#

pk12util -d /etc/dirsrv/slapd-$LDAPINSTANCE -i $TMPDIR/$SITE.p12 -k $TMPDIR/nss-pass.txt -w $TMPDIR/p12-pass.txt

# Restart dirsrv

systemctl restart dirsrv@$LDAPINSTANCE

#

# Recreate the Cockpit SSL certificate

#

cat /etc/letsencrypt/live/$SITE/fullchain.pem /etc/letsencrypt/live/$SITE/privkey.pem > /etc/cockpit/ws-certs.d/1-my-cert.cert

# Restart Cockpit

systemctl restart cockpit.socket

exit 0

</pre>

Installation comme hook lors du renouvellement. Ajout  dans @/etc/letsencrypt/renewal/ldap.tetaneutral.net.conf@ :

<pre>

post_hook = /root/update-letsencrypt.sh

</pre>