This document describes the setup of LDAP authentication against Active Directory using SSL (LDAPS).
Apache needs the following settings to work with LDAPS authentication. You must edit the /etc/openldap/ldap.conf file to enable SSL and TLS:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldaps://vaps014.example.com:636 ldap://vaps014.example.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS setup:
ssl on
TLS_CACERT      /etc/openldap/ssl/cacert.pem
TLS_REQCERT     allow
TLS_CACERTDIR   /etc/ssl/certs
HOST vaps014.example.com
Note: The TLS_CACERTDIR /etc/ssl/certs setting enables all CA certificates that are configured in your openssl package. If your public certificate is not installed by default, you need to add it to the /etc/ssl/certs directory! Just follow the steps described in the chapter CA certificates.
You must create the configuration file /etc/apache2/conf.d/ldaps.conf for the LDAPS-dependent settings:
LDAPVerifyServerCert On
LDAPTrustedMode SSL

<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>
Alternatively, you can switch server certificate verification off. This is not the preferred way to configure SSL in LDAP, but you don't need to change anything when the certificate on the LDAP server (AD) changes.
Just create the configuration file (/etc/apache2/conf.d/ldaps.conf) and put the following content into it:
LDAPVerifyServerCert Off
LDAPTrustedMode SSL

<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>
In this configuration, no additional setup is required; the connection works without any pain.
Of course, you still have to change the LDAP URL in each LDAP authentication directive to ldaps://xxx.
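As an added example (not from the original page), a small Python checker that reads the two configuration files shown above and reports the settings that weaken server authentication: TLS_REQCERT below demand, LDAPVerifyServerCert Off, and ldap:// URIs that should be ldaps://. The sample configurations are constructed from the values on this page; the hypothetical AuthLDAPURL line stands in for an authentication directive.

```python
"""Audit ldap.conf and Apache mod_ldap settings for weak TLS verification."""

# Constructed sample inputs, modelled on the configurations in this document.
LDAP_CONF = """\
BASE    dc=example,dc=com
URI     ldaps://vaps014.example.com:636 ldap://vaps014.example.com
TLS_CACERT      /etc/openldap/ssl/cacert.pem
TLS_REQCERT     allow
TLS_CACERTDIR   /etc/ssl/certs
"""

APACHE_CONF = """\
LDAPVerifyServerCert Off
LDAPTrustedMode SSL
AuthLDAPURL "ldap://vaps014.example.com/dc=example,dc=com?sAMAccountName?sub"
"""


def parse_directives(text):
    """Return (KEYWORD, value) pairs, skipping blank lines and comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        pairs.append((parts[0].upper(), value))
    return pairs


def audit_ldap_conf(text):
    """Findings for /etc/openldap/ldap.conf."""
    findings = []
    for key, value in parse_directives(text):
        # Only 'demand' (alias 'hard') rejects a missing or invalid server certificate.
        if key == "TLS_REQCERT" and value.lower() not in ("demand", "hard"):
            findings.append(f"TLS_REQCERT {value}: server certificate not strictly validated, use demand")
        if key == "URI":
            for uri in value.split():
                if uri.lower().startswith("ldap://"):
                    findings.append(f"URI {uri}: plaintext ldap:// fallback, use ldaps:// only")
    return findings


def audit_apache_conf(text):
    """Findings for the Apache ldaps.conf and AuthLDAPURL directives."""
    findings = []
    for key, value in parse_directives(text):
        if key == "LDAPVERIFYSERVERCERT" and value.lower() == "off":
            findings.append("LDAPVerifyServerCert Off: Apache accepts any certificate from the LDAP server")
        if key == "AUTHLDAPURL" and value.lower().startswith("ldap://"):
            findings.append(f"AuthLDAPURL {value}: change to ldaps:// as required above")
    return findings
```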
Get the certificate from an official certificate reseller and put it into the /etc/ssl/certs folder. OpenSSL looks up certificates in this directory through hash symlinks, so you must create the hash link for the new file; just use the make-ca-symlinks.sh script to do it:
/opt/jobs/make-ca-symlinks.sh --dir /etc/ssl/certs
This generates the hash link for every certificate that is not symlinked yet.
First, you must fetch the certificate from the LDAP server using this small script:
#!/bin/sh
#
# usage: get-ssl-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}

# s_client reads commands from stdin; feed it /dev/null so the script does not
# wait for interactive input, then cut the PEM block out of the output.
openssl s_client -connect "${REMHOST}:${REMPORT}" </dev/null 2>&1 |\
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
An example for ad.example.com on port 636:
get-ssl-cert.sh ad.example.com 636
Now you must configure OpenLDAP to use this certificate chain file (the file into which you put the fetched certificate). Just add this line to /etc/openldap/ldap.conf:
TLS_CACERT /etc/openldap/ssl/cacert.pem
You can list the certificates inside the cacert.pem file using this script:
/opt/jobs/read-all-certs-in-chain.pl -f cacert.pem
==> Certificate #1:
subject= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
issuer= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
==> Certificate #2:
subject= /CN=sdcs001.example.com
issuer= /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
Note: OpenLDAP on SLES 11 does not examine the /etc/ssl/certs directory for official certificates!