====== Apache LDAP authentication ======

This document describes the setup of LDAP authentication to Active Directory using SSL.

===== Apache configuration =====

==== Preferred possibility ====

Apache needs the following settings to work with LDAPS authentication. You must edit the ''%%/etc/openldap/ldap.conf%%'' file to enable SSL and TLS:

<code bash>
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldaps://vaps014.example.com:636 ldap://vaps014.example.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS setup:
ssl on
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs
HOST vaps014.example.com
</code>

**Note:** The ''%%TLS_CACERTDIR /etc/ssl/certs%%'' configuration enables all CA certs that are configured in your openssl package. If your public certificate is not installed by default, you need to add it to the /etc/ssl/certs directory! Just follow the steps described in this chapter: [[#CA_certificates|CA certificates]].

You must create a configuration file in ''%%/etc/apache2/conf.d/ldaps.conf%%'' to configure the LDAPS-dependent settings:

<code bash>
LDAPVerifyServerCert On
LDAPTrustedMode SSL

<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>
</code>

==== Ugly possibility ====

This is not the preferred way to configure SSL in LDAP, but you don't need to change anything if the certificate on the LDAP server (AD) changes.

Just create a configuration file (''%%/etc/apache2/conf.d/ldaps.conf%%'') and put the following content into it:

<code bash>
LDAPVerifyServerCert Off
LDAPTrustedMode SSL

<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>
</code>

In this configuration, no additional setup is required. The connection works without any pain.

==== LDAP URL configuration ====

Of course, you should change the LDAP URL in each LDAP authentication directive to ''%%ldaps://xxx%%''.

===== CA certificates =====

==== Official certificate ====

Get the certificate from the official certificate reseller and put it into the /etc/ssl/certs folder. You must hash-link the new file for SSL; just use this [[https://intranet.example.com/svn/TrivadisIT/Scripting/trunk/ssl/make-ca-symlinks.sh|make-ca-symlinks.sh script]] to do it:

<code bash>
/opt/jobs/make-ca-symlinks.sh --dir /etc/ssl/certs
</code>

This generates the hash link for every certificate that is not symlinked yet.

==== Private certificate ====

First, you must get the certificate from the LDAP server using this small script:

<code bash>
#!/bin/sh
#
# usage: get-ssl-cert.sh remote.host.name [port]
#
# Prints the PEM certificates the server presents. -showcerts prints the
# whole chain (not only the leaf), and </dev/null stops s_client from
# waiting for input on stdin.
REMHOST=$1
REMPORT=${2:-443}

openssl s_client -showcerts -connect "${REMHOST}:${REMPORT}" </dev/null 2>&1 |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
</code>

An example for ad.example.com on port 636:

<code bash>
get-ssl-cert.sh ad.example.com 636
</code>

Now you must configure openldap (add the certificate) to use this certificate chain file. Just add this line to ''%%/etc/openldap/ldap.conf%%'':

<code>
TLS_CACERT /etc/openldap/ssl/cacert.pem
</code>

You can list the certificates inside the ''%%cacert.pem%%'' file using [[https://intranet.example.com/svn/TrivadisIT/Scripting/trunk/ssl/read-all-certs-in-chain.pl|this]] script:

<code>
/opt/jobs/read-all-certs-in-chain.pl -f cacert.pem
==> Certificate #1:
subject= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
issuer= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
==> Certificate #2:
subject= /CN=sdcs001.example.com
issuer= /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
</code>

**Note:** OpenLDAP on SLES 11 does not examine the ''%%/etc/ssl/certs%%'' directory for official certificates!

apache_ldap.txt Last modified: 2019/02/07 17:55 by admin
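As an added example (not the page's own code and not one of the linked Trivadis scripts), this Python audits the ldap.conf and the two ldaps.conf variants above for the settings that weaken server certificate verification: ''%%LDAPVerifyServerCert Off%%'' from the ugly variant, and ''%%TLS_REQCERT allow%%'' in ldap.conf, which per ldap.conf(5) lets the session continue even when the server presents a bad certificate. The sample inputs are constructed copies of the page's snippets; the assumed defaults (TLS_REQCERT demand, LDAPVerifyServerCert On, LDAPTrustedMode NONE) are the documented OpenLDAP and Apache mod_ldap defaults.

```python
import re

# Constructed sample input: copies of the configuration snippets on this page.
LDAP_CONF = """\
BASE dc=example,dc=com
URI ldaps://vaps014.example.com:636 ldap://vaps014.example.com
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs
"""
APACHE_PREFERRED = "LDAPVerifyServerCert On\nLDAPTrustedMode SSL\n"
APACHE_UGLY = "LDAPVerifyServerCert Off\nLDAPTrustedMode SSL\n"

def parse_directives(text):
    """DIRECTIVE -> value for 'key value' files; skips '#' comments and Apache <Section> tags."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        out[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return out

def audit_ldap_conf(text):
    """Findings for /etc/openldap/ldap.conf as (severity, directive, reason) tuples."""
    d, findings = parse_directives(text), []
    reqcert = d.get("TLS_REQCERT", "demand").lower()  # libldap default is demand
    if reqcert in ("never", "allow"):
        findings.append(("high", "TLS_REQCERT", f"'{reqcert}' continues on a bad or missing server certificate"))
    elif reqcert == "try":
        findings.append(("medium", "TLS_REQCERT", "'try' proceeds when the server sends no certificate"))
    if "TLS_CACERT" not in d and "TLS_CACERTDIR" not in d:
        findings.append(("high", "TLS_CACERT", "no CA configured, so the server chain cannot be verified"))
    for uri in d.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(("medium", "URI", f"{uri} is a plaintext fallback used if ldaps:// fails"))
    return findings

def audit_apache_conf(text):
    """Findings for the mod_ldap directives in ldaps.conf."""
    d, findings = parse_directives(text), []
    if d.get("LDAPVERIFYSERVERCERT", "on").lower() == "off":  # mod_ldap default is On
        findings.append(("high", "LDAPVerifyServerCert", "Off accepts any certificate the LDAP server presents"))
    if d.get("LDAPTRUSTEDMODE", "NONE").upper() == "NONE":
        findings.append(("medium", "LDAPTrustedMode", "NONE leaves ldap:// URLs unencrypted (ldaps:// still forces SSL)"))
    return findings

if __name__ == "__main__":
    print(audit_ldap_conf(LDAP_CONF), audit_apache_conf(APACHE_UGLY))
```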