This script will set up the machine for OD SSL support and change the DS OD binding script so that it binds via SSL.
You will need to replace SERVERNAMEHERE with your web server, where your CA Certificate is located. In our case, the XServer has a real, signed, wildcard cert (*.domain.com), however we just need to add the CA-Bundle.crt file to each client, which then verifies our cert.
For Self-Signed certs, just use the CA Self Cert that you created. You will just have to put that cert up on the web somewhere to be able to download it.
Note: For us, this is no longer needed with 10.6, as it works by default with our cert.
If you would like the script that makes the ca-bundle.crt: we use curl's mk-ca-bundle.pl, which generates the ca-bundle.crt that I then move to the web directory. I've been thinking about automating this, but haven't needed to just yet, as neither our certs nor our signer's certs have expired yet.
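#!/bin/sh
# od_ssl_cert.sh - prepare a target volume for Open Directory SSL support.
#
# 1. Install ca-bundle.crt (fetched from SERVERNAMEHERE when missing) into
#    <volume>/etc/openldap.
# 2. Point <volume>/etc/openldap/ldap.conf at it with a TLS_CACERT line.
# 3. Rewrite <volume>/usr/local/bin/ds_open_directory_binding.sh so that
#    dsconfigldap is called with -x (SSL).
#
# The bundle becomes the trust anchor for every LDAP-over-TLS bind the client
# makes, and it is fetched over plain http.  Set CA_BUNDLE_SHA256 to the
# digest of the bundle you published (or serve it over https) so that a
# tampered or wrong download is rejected instead of installed.
#
# "RuntimeAbortWorkflow:" messages are what the calling workflow looks for;
# as in the original, the script keeps going after printing one.
set -u

echo "od_ssl_cert.sh - v0.1 ($(date))"

# Replace SERVERNAMEHERE with the web server that hosts the bundle.
CA_BUNDLE_URL="http://SERVERNAMEHERE/ca-bundle.crt"
# Expected SHA-256 (hex) of ca-bundle.crt.  Leave the placeholder to skip the
# check; the placeholder itself is never treated as a real digest.
CA_BUNDLE_SHA256="SHA256HERE"

# Get Volume: first hfs mount on disk0 (the imaged target).  Assumes the mount
# line reads "/dev/disk0sN on /Volumes/Name (..." so that column 17 starts the
# path; the trailing cut keeps only the first word, so a volume name containing
# spaces is truncated.  If detection yields nothing, every path below resolves
# on the running system instead of the target (unchanged from the original),
# which is why the result is logged.
VOLUME=$(mount | grep hfs | grep disk0 | cut -c 17- | cut -d " " -f1)
echo "   ---Target volume: ${VOLUME:-<none found, using />}---"

LDAP_DIR="${VOLUME}/etc/openldap"
CA_BUNDLE="${LDAP_DIR}/ca-bundle.crt"
DSODB="${VOLUME}/usr/local/bin"
BIND_SCRIPT="${DSODB}/ds_open_directory_binding.sh"

# Scratch directory for the download; removed on every exit path.
WORKDIR=""
cleanup() {
    if [ -n "$WORKDIR" ]; then
        rm -rf -- "$WORKDIR"
    fi
}
trap cleanup EXIT

#######################################
# Download $CA_BUNDLE_URL to the path given as $1.
# Returns 0 only if the server answered with a success status, the body
# parses as PEM certificate data and (when CA_BUNDLE_SHA256 is set) the
# digest matches; on any failure removes $1 and returns 1.
#######################################
fetch_ca_bundle() {
    dest=$1
    # URL and output path are passed as arguments, not interpolated into the
    # perl source, so neither can alter the program.  The body is written only
    # on an HTTP success: the original saved whatever came back (a 404 page
    # included) and the next step installed it as the trust anchor.
    perl -e 'use LWP::UserAgent; my ($url, $out) = @ARGV;
my $ua = LWP::UserAgent->new(timeout => 60);
my $res = $ua->get($url); exit 1 unless $res->is_success;
open(my $fh, ">", $out) or exit 1; print $fh $res->content; close($fh) or exit 1;' \
        "$CA_BUNDLE_URL" "$dest" || { rm -f -- "$dest"; return 1; }
    # Must be PEM: this rejects an empty file or an HTML error page.
    if ! openssl x509 -in "$dest" -noout >/dev/null 2>&1; then
        echo "   ---Downloaded file is not a PEM certificate bundle---"
        rm -f -- "$dest"
        return 1
    fi
    if [ -n "$CA_BUNDLE_SHA256" ] && [ "$CA_BUNDLE_SHA256" != "SHA256HERE" ]; then
        actual=$(openssl dgst -sha256 "$dest" | awk '{print $NF}')
        if [ "$actual" != "$CA_BUNDLE_SHA256" ]; then
            echo "   ---ca-bundle.crt digest mismatch (got ${actual})---"
            rm -f -- "$dest"
            return 1
        fi
    fi
    return 0
}

if [ ! -e "$CA_BUNDLE" ]; then
    echo "   ---CA Cert Bundle not found---"
    echo "   ---Downloading ca-bundle.crt from SERVERNAMEHERE---"
    # Private temp dir rather than a fixed /tmp/ca-bundle.crt, so a stale or
    # planted file there can never be the one that gets installed.
    WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/od_ssl_cert.XXXXXX") || WORKDIR=""
    if [ -n "$WORKDIR" ] && fetch_ca_bundle "${WORKDIR}/ca-bundle.crt"; then
        if ! mv -- "${WORKDIR}/ca-bundle.crt" "$CA_BUNDLE"; then
            echo "RuntimeAbortWorkflow: Error installing ca-bundle into ${LDAP_DIR}."
        fi
    else
        echo "RuntimeAbortWorkflow: Error downloading ca-bundle."
    fi
fi

if [ -e "$CA_BUNDLE" ]; then
    echo "   ---CA Cert Bundle Found. Checking to see if we need to modify ldap.conf---"
    # An existing TLS_CACERT line wins, even if it points somewhere else.
    if grep -q '^TLS_CACERT' "${LDAP_DIR}/ldap.conf" 2>/dev/null; then
        echo "      ---ldap.conf already modified. No need to do anything---"
    else
        echo "      ---ldap.conf needs to be modified---"
        echo "         ---Inserting commands into /etc/openldap/ldap.conf to use the bundle"
        # The path is as seen from the booted target, hence no ${VOLUME} prefix.
        if echo "TLS_CACERT    /etc/openldap/ca-bundle.crt" >> "${LDAP_DIR}/ldap.conf"; then
            echo "   ---Done Setting up LDAP for Open Directory SSL Support---"
        else
            echo "RuntimeAbortWorkflow: Could not write ${LDAP_DIR}/ldap.conf"
        fi
    fi
else
    echo "RuntimeAbortWorkflow: Cannot find the CA Cert Bundle, not modifying ldap.conf"
fi

if [ -e "$BIND_SCRIPT" ]; then
    echo "   ---Configureing the DS OD Binding script for SSL Support---"
    # Rewrite into a sibling temp file and swap it in only if sed succeeded,
    # so a failed edit cannot leave the binding script truncated or missing
    # (the original moved the output unconditionally).  Both substitutions
    # are no-ops when -x is already present, so re-running is safe.
    if sed -e 's/dsconfigldap -f -a/dsconfigldap -x -f -a/g' \
           -e 's/dsconfigldap -a/dsconfigldap -x -a/g' \
           "$BIND_SCRIPT" > "${DSODB}/binding.sh" \
        && mv -- "${DSODB}/binding.sh" "$BIND_SCRIPT" \
        && chmod a+x "$BIND_SCRIPT"; then
        echo "   ---Done configuring the OD Binding Script---"
    else
        rm -f -- "${DSODB}/binding.sh"
        echo "RuntimeAbortWorkflow: Modifying DS OD Binding Script Failed."
    fi
else
    echo "   ---DS OD Binding Script not found, Nothing to Modify---"
fi

echo "od_ssl_cert.sh - end"
exit 0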