Improve readme for TLS connect & public CA certificates #106
Hi,
I improved the README.md to have PLA work with an OpenLDAP with enforced TLS, but with a public certificate configured (like Let's Encrypt).
This doesn't really fix #74, but at least it explains a way to make it work in the readme.
There were at least two pain points:

StartTLS vs TLS
The TLS example in the README.md uses {'tls': True, 'port': 636}. This actually makes PLA connect on port 636, but using the StartTLS method. => To fix that without patching PLA, the only way I found is using the full URI ldaps://ldap.example.org. I think such an example should be added in the README.md, and it should make it clearer that StartTLS is used on 'tls': true (bad API design in PLA IMHO).

CA certificates bundle
It would make sense for me to use PHPLDAPADMIN_LDAP_CLIENT_TLS=false, but I found that in that case /etc/ldap/ldap.conf points to a non-existing file, and there is then no way to use TLS, as it's not possible to configure the CA certificate (a TLS_CACERT config is required in ldap.conf).
I found that just overriding the CA certs with a volume works, so I added a section.
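
The StartTLS vs TLS mismatch described in this pull request, shown at the byte level as an added example (not code from the PR or from PLA): it builds, offline, the first bytes each client mode sends and classifies them the way a listener on port 636 would see them. The function names are hypothetical, and the claim that 'tls': True selects StartTLS is taken from the description above.

```python
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def starttls_request(message_id: int = 1) -> bytes:
    """BER-encode the plaintext LDAP ExtendedRequest a StartTLS client sends first."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext = bytes([0x77, len(name)]) + name                    # [APPLICATION 23] ExtendedRequest
    msg_id = bytes([0x02, 0x01, message_id])                 # INTEGER messageID (< 128)
    body = msg_id + ext
    return bytes([0x30, len(body)]) + body                   # SEQUENCE LDAPMessage

def implicit_tls_hello(host: str = "ldap.example.org") -> bytes:
    """Produce the ClientHello an ldaps:// client sends first, without network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake waits for a server reply we never supply
    return outgoing.read()

def classify_first_bytes(data: bytes) -> str:
    """Say what an LDAPS listener on port 636 would make of a client's first bytes."""
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"          # TLS record: what an implicit-TLS port expects
    if data[:1] == b"\x30" and STARTTLS_OID in data:
        return "plaintext-starttls"     # not a TLS record, so the TLS handshake fails
    if data[:1] == b"\x30":
        return "plaintext-ldap"
    return "unknown"

if __name__ == "__main__":
    # Constructed inputs: the two client modes discussed in the description above.
    for label, first in (("ldaps://ldap.example.org", implicit_tls_hello()),
                         ("{'tls': True, 'port': 636}", starttls_request())):
        print(f"{label:28} -> {classify_first_bytes(first)} ({first[:6].hex()}...)")
```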