From 8d9568dd5346533d265d6861c7a8ee24bb381f79 Mon Sep 17 00:00:00 2001
From: Jerry Cheung
Date: Fri, 21 Nov 2014 15:39:35 -0800
Subject: [PATCH 1/5] failing integration test for start_tls
---
 test/integration/test_bind.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index afadb4c8..c322f401 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -19,4 +19,9 @@ def test_bind_anonymous_fail
 def test_bind_fail
 refute @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "not my password"), @ldap.get_operation_result.inspect
 end
+
+ def test_bind_tls
+ @ldap.encryption(method: :start_tls, tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS)
+ assert @ldap.bind(method: :simple, username: "uid=user1,ou=People,dc=rubyldap,dc=com", password: "passworD1"), @ldap.get_operation_result.inspect
+ end
 end
From f6efcd3fa259eaf1d68eaaa9c253b44c44d384b2 Mon Sep 17 00:00:00 2001
From: Jerry Cheung
Date: Fri, 21 Nov 2014 15:27:15 -0800
Subject: [PATCH 2/5] configure openldap tls
---
 script/install-openldap | 59 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/script/install-openldap b/script/install-openldap
index 44ee0e31..c573df03 100755
--- a/script/install-openldap
+++ b/script/install-openldap
@@ -5,7 +5,7 @@ set -x
 BASE_PATH="$( cd `dirname $0`/../test/fixtures/openldap && pwd )"
 SEED_PATH="$( cd `dirname $0`/../test/fixtures && pwd )"
-dpkg -s slapd time ldap-utils ||\
+dpkg -s slapd time ldap-utils gnutls-bin ssl-cert > /dev/null ||\
 DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y --force-yes slapd time ldap-utils
 sudo /etc/init.d/slapd stop
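Review bot: `test_bind_tls` passes `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` as `tls_options`, and that hash sets `verify_mode` to `VERIFY_PEER`, so the assertion silently also depends on the integration server's certificate chaining to something in the default OpenSSL trust store — nothing in this patch series shows that trust being established, and a verification failure would surface only as a failed bind with `get_operation_result.inspect` as the message, indistinguishable from a wrong password. A comment above the `encryption` call would save the next person a debugging session, e.g. `# DEFAULT_PARAMS enables VERIFY_PEER: the CA generated by script/install-openldap must be trusted by the system store for this bind to succeed`. Splitting the test so the StartTLS negotiation is asserted before the credential bind would also make the two failure modes reportable separately. The enclosing test class starts outside the hunk.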
@@ -45,3 +45,60 @@ sudo /etc/init.d/slapd start -f $SEED_PATH/seed.ldif sudo rm -rf $TMPDIR + +# SSL + +sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem" + +sudo sh -c "cat > /etc/ssl/ca.info < /etc/ssl/ldap01.info < Date: Fri, 21 Nov 2014 15:29:05 -0800 Subject: [PATCH 3/5] support ldaps:/// --- script/install-openldap | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/script/install-openldap b/script/install-openldap index c573df03..1de8eace 100755 --- a/script/install-openldap +++ b/script/install-openldap @@ -96,6 +96,13 @@ add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem EOF +# LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter +# refers to an existing LDAP session (listening on TCP port 389) becoming +# protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct +# encrypted-from-the-start protocol that operates over TCP port 636. But we +# enable it for testing here. +sudo sed -i -e 's|^SLAPD_SERVICES="\(.*\)"|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' /etc/default/slapd + sudo adduser openldap ssl-cert sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem From cd9668a484bb0cb36aa975b4ce3ec9d2cd6b06e7 Mon Sep 17 00:00:00 2001 From: Jerry Cheung Date: Fri, 21 Nov 2014 16:44:49 -0800 Subject: [PATCH 4/5] oops --- script/install-openldap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/install-openldap b/script/install-openldap index 1de8eace..c399dff0 100755 --- a/script/install-openldap +++ b/script/install-openldap 
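Review bot: The added `sed` expression captures the existing `SLAPD_SERVICES` value with `\(.*\)` but never references the capture, so whatever services were configured are silently replaced by the hard-coded list; either drop the group, `sudo sed -i -e 's|^SLAPD_SERVICES=".*"|SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"|' /etc/default/slapd`, or reuse it as `SLAPD_SERVICES="\1 ldaps:///"` if the intent is to append (noting that form is not idempotent on re-runs). Separately, `/etc/default/slapd` is only read when slapd starts, and the `@@ -45` hunk above shows the daemon already running before this point, so unless something after this hunk restarts it the `ldaps:///` listener this commit adds is not active when the tests run — the rest of the script is outside what I can see. A one-line comment on the sed, `# requires a slapd restart to take effect`, would make that dependency explicit either way.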
@@ -6,7 +6,7 @@ BASE_PATH="$( cd `dirname $0`/../test/fixtures/openldap && pwd )" SEED_PATH="$( cd `dirname $0`/../test/fixtures && pwd )" dpkg -s slapd time ldap-utils gnutls-bin ssl-cert > /dev/null ||\ - DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y --force-yes slapd time ldap-utils + DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y --force-yes slapd time ldap-utils gnutls-bin ssl-cert sudo /etc/init.d/slapd stop From 9cf169e5b14b121f8e412fd47a72488d7572780e Mon Sep 17 00:00:00 2001 From: Jerry Cheung Date: Mon, 24 Nov 2014 15:59:13 -0800 Subject: [PATCH 5/5] indent params cc @mtodd --- script/install-openldap | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/script/install-openldap b/script/install-openldap index c399dff0..9547f0ff 100755 --- a/script/install-openldap +++ b/script/install-openldap @@ -78,11 +78,11 @@ EOF" # Create the server certificate sudo certtool --generate-certificate \ ---load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ ---load-ca-certificate /etc/ssl/certs/cacert.pem \ ---load-ca-privkey /etc/ssl/private/cakey.pem \ ---template /etc/ssl/ldap01.info \ ---outfile /etc/ssl/certs/ldap01_slapd_cert.pem + --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ + --load-ca-certificate /etc/ssl/certs/cacert.pem \ + --load-ca-privkey /etc/ssl/private/cakey.pem \ + --template /etc/ssl/ldap01.info \ + --outfile /etc/ssl/certs/ldap01_slapd_cert.pem sudo ldapmodify -Y EXTERNAL -H ldapi:/// <
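Review bot: The rewritten install line keeps `--force-yes`, which apt-get documents as a dangerous option that makes it continue past checks it would otherwise stop on, including proceeding with packages that fail authentication; `-y` together with the `DEBIAN_FRONTEND=noninteractive` already on the line is what makes the run non-prompting, so the flag can go: `DEBIAN_FRONTEND=noninteractive sudo -E apt-get install -y slapd time ldap-utils gnutls-bin ssl-cert`. The flag is inherited from the removed line, but since this commit rewrites the line anyway it is the natural moment to drop it. The same `--force-yes` is visible in the `@@ -5,7` hunk of the second patch above, which this change supersedes.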