74f5eaf47e
When connecting to an LDAP server, there are three ways to connect: 1. Insecurely through port 389 (LDAP). 2. Securely through port 696 (LDAPS). 3. Insecurely through port 389 then negotiate TLS (StartTLS). This PR adds support for the 3rd flow, letting dex connect to the standard LDAP port then negotiating TLS through the LDAP protocol itself. See a writeup here: http://www.openldap.org/faq/data/cache/185.html
50 lines
959 B
Bash
Executable File
50 lines
959 B
Bash
Executable File
#!/bin/bash -e
|
|
|
|
# Stolen from the coreos/matchbox repo.
|
|
|
|
echo "
|
|
[req]
|
|
req_extensions = v3_req
|
|
distinguished_name = req_distinguished_name
|
|
|
|
[req_distinguished_name]
|
|
|
|
[ v3_req ]
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.101 = localhost
|
|
" > openssl.config
|
|
|
|
openssl genrsa -out testdata/ca.key 2048
|
|
openssl genrsa -out testdata/server.key 2048
|
|
|
|
openssl req \
|
|
-x509 -new -nodes \
|
|
-key testdata/ca.key \
|
|
-days 10000 -out testdata/ca.crt \
|
|
-subj "/CN=ldap-tests"
|
|
|
|
openssl req \
|
|
-new \
|
|
-key testdata/server.key \
|
|
-out testdata/server.csr \
|
|
-subj "/CN=localhost" \
|
|
-config openssl.config
|
|
|
|
openssl x509 -req \
|
|
-in testdata/server.csr \
|
|
-CA testdata/ca.crt \
|
|
-CAkey testdata/ca.key \
|
|
-CAcreateserial \
|
|
-out testdata/server.crt \
|
|
-days 10000 \
|
|
-extensions v3_req \
|
|
-extfile openssl.config
|
|
|
|
rm testdata/server.csr
|
|
rm testdata/ca.srl
|
|
rm openssl.config
|