This repository has been archived on 2023-08-14. You can view files and clone it, but cannot push or open issues or pull requests.
dex/connector/ldap/gen-certs.sh
Eric Chiang 74f5eaf47e connector/ldap: support the StartTLS flow for secure connections
When connecting to an LDAP server, there are three ways to connect:

1. Insecurely through port 389 (LDAP).
2. Securely through port 696 (LDAPS).
3. Insecurely through port 389 then negotiate TLS (StartTLS).

This PR adds support for the 3rd flow, letting dex connect to the
standard LDAP port then negotiating TLS through the LDAP protocol
itself.

See a writeup here:

http://www.openldap.org/faq/data/cache/185.html
2017-04-12 15:25:42 -07:00

50 lines
959 B
Bash
Executable File

#!/bin/bash -e
# Stolen from the coreos/matchbox repo.
echo "
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.101 = localhost
" > openssl.config
openssl genrsa -out testdata/ca.key 2048
openssl genrsa -out testdata/server.key 2048
openssl req \
-x509 -new -nodes \
-key testdata/ca.key \
-days 10000 -out testdata/ca.crt \
-subj "/CN=ldap-tests"
openssl req \
-new \
-key testdata/server.key \
-out testdata/server.csr \
-subj "/CN=localhost" \
-config openssl.config
openssl x509 -req \
-in testdata/server.csr \
-CA testdata/ca.crt \
-CAkey testdata/ca.key \
-CAcreateserial \
-out testdata/server.crt \
-days 10000 \
-extensions v3_req \
-extfile openssl.config
rm testdata/server.csr
rm testdata/ca.srl
rm openssl.config