# LDAPS with custom CA

# Preamble

The EE server and client support the LDAP protocol that allows you to configure an external LDAP service for authentication. This guide here will explain how to configure Psono server to accept a custom CA signed certificate with ldaps

We assume that your LDAP server is accessible under ldaps://someIPA.domain.local:636 with ldaps using a custom CA. We further assume that you have your ca.crt file located in /path/to/ca.crt, containing the root CA crt and maybe intermediate certificates.

TIP

This feature is only available in the Enterprise Edition.

# Server (settings.yaml)

During the installation of the server you have created a settings.yaml that needs to be adjusted now.

Adjust the setting.yml as shown below
```
LDAP : [
  {
    ...
    'LDAP_URL': 'ldaps://someIPA.domain.local:636',
    'LDAP_CA_CERT_FILE': '/root/.psono_server/ca.crt',
  },
]
```
- Make sure that the "authority" of the configured LDAP_URL (in the example above someIPA.domain.local:636) is part of the domains listed in the certificate that is presented by the server.
- The LDAP_CA_CERT_FILE path is the path within the docker container. It needs to match the mount point in the section below. Leave it as it is if you are not sure.

Test your integration

To test the settings you can use the testldap command like shown below

docker run --rm \
  -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
  -v /path/to/ca.crt:/root/.psono_server/ca.crt \
  -ti psono/psono-combo-enterprise:latest python3 ./psono/manage.py testldap username@something.com thePassWord

TIP

Once you have a working configuration don't forget to restart the server.

# Start server

Adjust server start command

Normally you would start the server with this command:

docker run --name psono-combo-enterprise \
    --sysctl net.core.somaxconn=65535 \
    -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
    -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/config.json \
    -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/portal/config.json \
    -v /path/to/log/folder:/var/log/psono \
    -d --restart=unless-stopped -p 10200:80 psono/psono-combo-enterprise:latest

You have to mount your ca.crt with this parameter:

-v /opt/psono/ca.crt:/root/.psono_server/ca.crt

So it would look like this:

docker run --name psono-combo-enterprise \
    --sysctl net.core.somaxconn=65535 \
    -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
    -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/config.json \
    -v /opt/docker/psono-client/config.json:/usr/share/nginx/html/portal/config.json \
    -v /opt/psono/ca.crt:/root/.psono_server/ca.crt \
    -v /path/to/log/folder:/var/log/psono \
    -d --restart=unless-stopped -p 10200:80 psono/psono-combo-enterprise:latest

Adjust /path/to/ca.crt to match your path.

← LDAP - OpenLDAP LDAP Group Mapping →