====== Apache LDAP authentication ======
This document describes how to set up LDAP authentication against Active Directory over SSL (LDAPS).
===== Apache configuration =====
==== Preferred possibility ====
Apache needs the following settings to work with LDAPS authentication. Edit the ''%%/etc/openldap/ldap.conf%%'' file to enable SSL/TLS:
<code>
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
# The second, plain ldap:// URI is a fallback that is tried when the ldaps:// connect fails
URI ldaps://vaps014.example.com:636 ldap://vaps014.example.com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS setup:
ssl on
TLS_CACERT /etc/openldap/ssl/cacert.pem
# allow: per ldap.conf(5) a server certificate that fails validation is ignored and the
# session proceeds; demand (the default) rejects it
TLS_REQCERT allow
TLS_CACERTDIR /etc/ssl/certs
HOST vaps014.example.com
</code>
**Note:** The ''%%TLS_CACERTDIR /etc/ssl/certs%%'' setting trusts every CA certificate installed by your openssl package. If the CA of your public certificate is not installed by default, you need to add it to the /etc/ssl/certs directory; follow the steps described in the [[#CA_certificates|CA certificates]] chapter.
You must create a configuration file ''%%/etc/apache2/conf.d/ldaps.conf%%'' for the LDAPS-dependent settings:
<code apache>
# On: Apache rejects the connection if the AD server's certificate does not validate
LDAPVerifyServerCert On
LDAPTrustedMode SSL
# The ldap-status handler must be limited to one URL and to trusted clients. The enclosing
# Location block was lost in this copy of the page; the path /ldap-status is assumed.
<Location /ldap-status>
    SetHandler ldap-status
    # Require host matches reverse-DNS names, so the IP literal needs Require ip
    Require ip 172.16.193.61
    Require host localhost
</Location>
Include /etc/apache2/custom.d/authint_ap.conf
</code>
==== Ugly possibility ====
This is not the preferred way to configure SSL for LDAP, because Apache no longer checks the server certificate; in return you do not need to change anything when the certificate on the LDAP server (AD) changes.
Just create the configuration file ''%%/etc/apache2/conf.d/ldaps.conf%%'' with the following content:
<code apache>
# Off: the connection is encrypted, but the AD server's certificate is not verified
LDAPVerifyServerCert Off
LDAPTrustedMode SSL
# The ldap-status handler must be limited to one URL and to trusted clients. The enclosing
# Location block was lost in this copy of the page; the path /ldap-status is assumed.
<Location /ldap-status>
    SetHandler ldap-status
    # Require host matches reverse-DNS names, so the IP literal needs Require ip
    Require ip 172.16.193.61
    Require host localhost
</Location>
Include /etc/apache2/custom.d/authint_ap.conf
</code>
In this configuration no additional CA setup is required, and the connection works without further effort.
==== LDAP URL configuration ====
Of course, you must also change the LDAP URL in each LDAP authentication directive (''%%AuthLDAPURL%%'') to ''%%ldaps://xxx%%''.
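The two settings above decide whether the LDAPS server certificate is actually checked: ''%%TLS_REQCERT%%'' in ldap.conf and ''%%LDAPVerifyServerCert%%'' in the Apache configuration, plus the scheme of every ''%%AuthLDAPURL%%''. The script below is an added example, not part of this page or its scripts; it audits both files for those settings. Per ldap.conf(5), ''%%TLS_REQCERT allow%%'' (as in the preferred configuration above) ignores a server certificate that fails validation, so the check flags it and accepts only ''%%demand%%'' or ''%%hard%%''; the Apache directive is what mod_ldap itself enforces, the ldap.conf check covers other OpenLDAP clients on the same host. The sample files written by ''%%write_samples%%'' are constructed for demonstration and use the reserved .invalid domain.

```shell
#!/bin/sh
# Added example; not part of the original page. Audits an OpenLDAP ldap.conf and
# an Apache mod_ldap configuration for the settings that decide whether the
# LDAPS server certificate is verified. The sample files written below are
# constructed for demonstration (reserved .invalid domain, no real hosts).

# OpenLDAP client config: return 0 only when a server certificate that fails
# validation is rejected. Per ldap.conf(5), TLS_REQCERT demand (the default)
# and hard do that; allow and try proceed with a bad certificate and never
# skips the check. A trust anchor (TLS_CACERT or TLS_CACERTDIR) must exist.
audit_ldap_conf() {
    conf=$1
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = tolower($2) }
                   END { print (v == "" ? "demand" : v) }' "$conf")
    case "$reqcert" in
        demand|hard)
            ;;
        *)
            echo "FAIL $conf: TLS_REQCERT $reqcert accepts an invalid server certificate"
            return 1
            ;;
    esac
    if ! awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { found = 1 }
              END { exit !found }' "$conf"; then
        echo "FAIL $conf: no TLS_CACERT or TLS_CACERTDIR to validate the server against"
        return 1
    fi
    echo "OK   $conf"
}

# Apache mod_ldap config: return 0 only when LDAPVerifyServerCert is On (the
# default) and every AuthLDAPURL uses the ldaps:// scheme. Off gives an
# encrypted connection to an unauthenticated peer.
audit_apache_ldap() {
    conf=$1
    verify=$(awk 'tolower($1) == "ldapverifyservercert" { v = tolower($2) }
                  END { print (v == "" ? "on" : v) }' "$conf")
    if [ "$verify" != "on" ]; then
        echo "FAIL $conf: LDAPVerifyServerCert $verify disables server certificate verification"
        return 1
    fi
    # AuthLDAPURL values are usually quoted; drop the quotes before checking the scheme.
    bad=$(awk 'tolower($1) == "authldapurl" { u = $2; gsub(/"/, "", u)
                                            if (u !~ /^ldaps:\/\//) print u }' "$conf")
    if [ -n "$bad" ]; then
        echo "FAIL $conf: AuthLDAPURL without ldaps://: $bad"
        return 1
    fi
    echo "OK   $conf"
}

# Constructed sample files showing a weak and a hardened variant of each config.
write_samples() {
    dir=$1
    printf '%s\n' 'URI ldaps://ldap.example.invalid:636' \
        'TLS_CACERT /etc/openldap/ssl/cacert.pem' 'TLS_REQCERT allow' > "$dir/ldap-weak.conf"
    printf '%s\n' 'URI ldaps://ldap.example.invalid:636' \
        'TLS_CACERT /etc/openldap/ssl/cacert.pem' 'TLS_REQCERT demand' > "$dir/ldap-good.conf"
    printf '%s\n' 'LDAPVerifyServerCert Off' 'LDAPTrustedMode SSL' \
        'AuthLDAPURL "ldap://ldap.example.invalid:389/dc=example,dc=invalid?sAMAccountName?sub"' \
        > "$dir/apache-weak.conf"
    printf '%s\n' 'LDAPVerifyServerCert On' \
        'AuthLDAPURL "ldaps://ldap.example.invalid:636/dc=example,dc=invalid?sAMAccountName?sub"' \
        > "$dir/apache-good.conf"
}

# Usage: sh audit-ldaps.sh /etc/openldap/ldap.conf /etc/apache2/conf.d/ldaps.conf
if [ "$#" -eq 2 ]; then
    rc=0
    audit_ldap_conf "$1" || rc=1
    audit_apache_ldap "$2" || rc=1
    exit "$rc"
fi
```

Run it against the two real files after each change; a FAIL line names the setting that leaves the connection encrypted but unauthenticated.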
===== CA certificates =====
==== Official certificate ====
Get the certificate from the official certificate reseller and put it into the /etc/ssl/certs folder. OpenSSL only finds it through a hash symlink, so create one with the [[https://intranet.example.com/svn/TrivadisIT/Scripting/trunk/ssl/make-ca-symlinks.sh|make-ca-symlinks.sh script]]:
<code bash>
/opt/jobs/make-ca-symlinks.sh --dir /etc/ssl/certs
</code>
This generates the hash link for every certificate that does not have one yet.
==== Private certificate ====
First, get the certificate from the LDAP server using this small script:
<code bash>
#!/bin/sh
#
# usage: get-ssl-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
# </dev/null closes s_client's stdin; without it the script waits for input after the handshake.
# -showcerts prints the whole chain the server presents, which is what cacert.pem below holds.
openssl s_client -connect "${REMHOST}:${REMPORT}" -showcerts </dev/null 2>&1 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
</code>
An example for ad.example.com on port 636, writing the result into the chain file used below:
<code bash>
get-ssl-cert.sh ad.example.com 636 > /etc/openldap/ssl/cacert.pem
</code>
Now configure openldap to use this certificate chain file by adding this line to ''%%/etc/openldap/ldap.conf%%'':
<code>
TLS_CACERT /etc/openldap/ssl/cacert.pem
</code>
You can list the certificates inside the ''%%cacert.pem%%'' file using [[https://intranet.example.com/svn/TrivadisIT/Scripting/trunk/ssl/read-all-certs-in-chain.pl|this]] script:
<code>
/opt/jobs/read-all-certs-in-chain.pl -f cacert.pem
==> Certificate #1:
subject= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
issuer= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
==> Certificate #2:
subject= /CN=sdcs001.example.com
issuer= /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
</code>
**Note:** OpenLDAP on SLES 11 does not examine the ''%%/etc/ssl/certs%%'' directory for official certificates!
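The following script is an added example covering both certificate cases above; it is not part of this page and not the make-ca-symlinks.sh or read-all-certs-in-chain.pl scripts linked from it. ''%%hash_link%%'' creates the ''%%<hash>.N%%'' symlink OpenSSL needs to find a CA file in a ''%%TLS_CACERTDIR%%''-style directory (the job make-ca-symlinks.sh does for a whole directory). ''%%fetch_chain%%'', ''%%split_chain%%'' and ''%%describe_chain%%'' reproduce the private-certificate procedure (fetch the chain, list subject and issuer of each certificate), and ''%%verify_server%%'' adds the check the procedure itself does not make: that the server's certificate and host name validate against the chain file you are about to trust, exactly as a client with ''%%TLS_CACERT%%'' and ''%%TLS_REQCERT demand%%'' would. Host names, ports and paths are the caller's; OpenSSL 1.1.0 or newer is assumed for ''%%-verify_hostname%%''.

```shell
#!/bin/sh
# Added example; not part of the original page or its scripts. Helpers for the
# two certificate cases: hash_link for an official CA file in /etc/ssl/certs,
# fetch_chain / split_chain / describe_chain / verify_server for a private
# certificate chain file. Host names, ports and paths are the caller's;
# openssl 1.1.0 or newer is assumed for -verify_hostname.

# Create <subject-hash>.N -> cert in dir; skip if a link to it already exists.
# Pass an absolute certificate path so the symlink target is valid.
hash_link() {
    cert=$1; dir=${2:-/etc/ssl/certs}
    h=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        [ "$(readlink "$dir/$h.$n")" = "$cert" ] && return 0
        n=$((n + 1))
    done
    ln -s "$cert" "$dir/$h.$n"
}

# Print every certificate the server presents in the handshake. </dev/null is
# essential: without it s_client waits on stdin. -showcerts gives the whole
# chain, not only the leaf; -servername sends SNI.
fetch_chain() {
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM bundle into outdir/cert-N.pem and print the certificate count.
# Plain awk, so it needs no openssl and tolerates text between the blocks.
split_chain() {
    bundle=$1; outdir=$2
    awk -v dir="$outdir" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
        out != ""             { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }
    ' "$bundle"
}

# List subject and issuer of each certificate in order, like read-all-certs-in-chain.pl.
describe_chain() {
    bundle=$1
    tmp=$(mktemp -d)
    count=$(split_chain "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        echo "==> Certificate #$i:"
        openssl x509 -in "$tmp/cert-$i.pem" -noout -subject -issuer
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Connect again and validate the presented chain and host name against the
# bundle, which is what a client configured with TLS_CACERT and TLS_REQCERT
# demand does. Exit status is non-zero when validation fails.
verify_server() {
    host=$1; port=${2:-636}; bundle=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$bundle" -verify_hostname "$host" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage: sh ldaps-chain.sh ad.example.com 636 /etc/openldap/ssl/cacert.pem
# Writes the chain to the bundle, lists it, then verifies the server against it.
if [ "$#" -eq 3 ]; then
    fetch_chain "$1" "$2" > "$3"
    describe_chain "$3"
    if verify_server "$1" "$2" "$3"; then
        echo "server certificate validates against $3"
    else
        echo "server certificate does NOT validate against $3" >&2
        exit 1
    fi
fi
```

If ''%%verify_server%%'' fails right after fetching, the chain the server sent is incomplete or self-signed and the file will not make ''%%TLS_REQCERT demand%%'' work until the missing CA certificate is appended to it.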