Apache LDAP authentication
This document describes the setup of LDAP authentication to Active Directory using SSL.
Apache configuration
Preferred possibility
Apache needs the following settings to work with LDAPS authentication. You must edit the /etc/openldap/ldap.conf file to enable SSL and TLS:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldaps://vaps014.example.com:636 ldap://vaps014.example.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS setup:
ssl on
TLS_CACERT      /etc/openldap/ssl/cacert.pem
TLS_REQCERT     allow
TLS_CACERTDIR   /etc/ssl/certs
HOST            vaps014.example.com
Note: The TLS_CACERTDIR /etc/ssl/certs setting enables all CA certificates that are installed with your openssl package. If the CA that issued your server certificate is not installed by default, you need to add it to the /etc/ssl/certs directory; just follow the steps described in the chapter CA certificates. Keep in mind that TLS_REQCERT allow means libldap itself still proceeds when the server presents a certificate it cannot verify, so the LDAPVerifyServerCert On directive in the Apache configuration is what actually enforces the check.
You must create the configuration file /etc/apache2/conf.d/ldaps.conf to hold the LDAPS-specific settings:
LDAPVerifyServerCert On
LDAPTrustedMode SSL

<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>
Ugly possibility
This is not the preferred way to configure SSL for LDAP, because with LDAPVerifyServerCert Off Apache no longer verifies the certificate presented by the LDAP server, so the connection is encrypted but the server's identity is not checked. The advantage is that nothing on the Apache side needs to change when the certificate on the LDAP server (AD) is replaced.
Just create the configuration file /etc/apache2/conf.d/ldaps.conf and put the following content into it:
LDAPVerifyServerCert Off
LDAPTrustedMode SSL

<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>
With this configuration no additional certificate setup is required and the connection works without any pain.
LDAP url configuration
Of course, you must also change the LDAP URL in each LDAP authentication directive (AuthLDAPURL) from ldap://xxx to ldaps://xxx, otherwise that directive still talks to the server without TLS.
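A quick way to find directives that were missed, as an added example that is not part of the original page: the script below audits an Apache configuration file for AuthLDAPURL lines that still use plain ldap://. The sample configuration it writes is constructed here for the demo; the hostnames in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): audit Apache configs for
# AuthLDAPURL directives that still use ldap:// instead of ldaps://.

# find_plain_ldap_urls FILE
# Prints "lineno:directive" for every AuthLDAPURL that uses ldap://.
# Returns 0 when the file is clean, 1 when at least one was found.
find_plain_ldap_urls() {
    hits=$(grep -nEi '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$1") || true
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# count_plain_ldap_urls FILE
# Prints the number of offending directives (0 when clean).
count_plain_ldap_urls() {
    grep -cEi '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldap://' "$1" || true
}

# write_sample_conf FILE
# Writes a constructed sample config (placeholder hostnames) so the
# functions above can be exercised offline. The commented-out directive
# in the last block must not be reported.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Location /secure>
    AuthType Basic
    AuthName "AD login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ad.example.com:636/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
    Require valid-user
</Location>
<Location /legacy>
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ad.example.com/dc=example,dc=com?sAMAccountName?sub
    Require valid-user
</Location>
<Location /commented>
    # AuthLDAPURL "ldap://old.example.com/dc=example,dc=com"
    AuthLDAPURL "ldap://ad.example.com:389/dc=example,dc=com?sAMAccountName"
</Location>
EOF
}

# Stand-alone demo: run with --demo to list the offending lines of the
# sample config; the exit status is 1 when any were found.
if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp)
    write_sample_conf "$conf"
    find_plain_ldap_urls "$conf"
    rc=$?
    rm -f "$conf"
    exit $rc
fi
```

Run it against the real files with `find_plain_ldap_urls /etc/apache2/custom.d/authint_ap.conf` (or loop over conf.d); a non-zero exit status makes it usable as a pre-deployment check.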
CA certificates
Official certificate
Get the certificate from the official certificate reseller and put it into the /etc/ssl/certs folder. OpenSSL looks certificates up in this directory by a hash of their subject name, so you must create the hash symlink for the new file; just use the make-ca-symlinks.sh script to do it:
/opt/jobs/make-ca-symlinks.sh --dir /etc/ssl/certs
This generates the hash symlink for every certificate in the directory that does not have one yet.
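The page does not show the contents of make-ca-symlinks.sh. The following script is an added example, not the page's own script, of what such a tool does: for each PEM file in a directory it computes the OpenSSL subject hash and creates the HASH.N symlink that TLS_CACERTDIR lookups rely on, skipping files that are not certificates and certificates that are already linked, so it can be re-run safely.

```shell
#!/bin/sh
# Added example (not the page's make-ca-symlinks.sh): create OpenSSL
# subject-hash symlinks for every *.pem certificate in a directory.

# make_ca_symlinks DIR
# Prints the number of symlinks created. Existing links are left alone,
# so running it twice creates nothing the second time.
make_ca_symlinks() {
    dir="$1"
    created=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$cert")
        # Files that are not X.509 certificates (e.g. private keys) are skipped.
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || {
            echo "skipping $name: not a PEM certificate" >&2
            continue
        }
        n=0
        linked=0
        # Walk HASH.0, HASH.1, ... until a free slot or a link to this file.
        # Several certificates may share a subject hash, hence the suffix.
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            if [ "$(readlink "$dir/$hash.$n")" = "$name" ]; then
                linked=1
                break
            fi
            n=$((n + 1))
        done
        if [ "$linked" -eq 0 ]; then
            ln -s "$name" "$dir/$hash.$n"
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Stand-alone use: make_ca_symlinks.sh --dir /etc/ssl/certs
if [ "${1:-}" = "--dir" ] && [ -d "${2:-}" ]; then
    make_ca_symlinks "$2"
fi
```

The relative link target (`ln -s "$name"`) keeps the directory relocatable, which matters when /etc/ssl/certs is populated from a package or a mounted volume.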
Private certificate
First, you must get the certificate using this small script from LDAP server:
#!/bin/sh
#
# usage: get-ssl-cert.sh remote.host.name [port]
#
# Prints the PEM certificate presented by the remote TLS server.
REMHOST=$1
REMPORT=${2:-443}

if [ -z "$REMHOST" ]; then
    echo "usage: $0 remote.host.name [port]" >&2
    exit 1
fi

# </dev/null closes s_client's stdin so it exits after the handshake
# instead of waiting for interactive input.
openssl s_client -connect "${REMHOST}:${REMPORT}" </dev/null 2>&1 |\
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
An example for ad.example.com on port 636:
/opt/jobs/get-ssl-cert.sh ad.example.com 636
Now you must configure OpenLDAP to use this certificate chain file. Just add this line to /etc/openldap/ldap.conf:
TLS_CACERT /etc/openldap/ssl/cacert.pem
You can list the certificates inside the cacert.pem file using this script:
/opt/jobs/read-all-certs-in-chain.pl -f cacert.pem

==> Certificate #1:
subject= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
issuer= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com

==> Certificate #2:
subject= /CN=sdcs001.example.com
issuer= /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
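The page's read-all-certs-in-chain.pl is not shown, so here is an added example (not the page's script) that does the same job in plain shell and additionally prints the SHA-256 fingerprint and expiry of each certificate. The fingerprint is what you compare against the value the AD administrator gives you before you trust a certificate fetched with get-ssl-cert.sh; the expiry tells you when cacert.pem will need refreshing. The test certificates are constructed locally.

```shell
#!/bin/sh
# Added example (not the page's read-all-certs-in-chain.pl): list every
# certificate in a PEM chain file with subject, issuer, fingerprint, expiry.

# chain_cert_count FILE
# Prints the number of PEM certificate blocks in FILE.
chain_cert_count() {
    grep -c -- '-END CERTIFICATE-' "$1" || true
}

# list_chain FILE
# Prints "==> Certificate #N:" for each block, in file order, followed by
# the fields openssl reports for it.
list_chain() {
    file="$1"
    tmp=$(mktemp)
    i=0
    # Accumulate lines into a scratch file; each END marker completes one cert.
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case "$line" in
            *"-END CERTIFICATE-"*)
                i=$((i + 1))
                echo "==> Certificate #$i:"
                openssl x509 -noout -subject -issuer -fingerprint -sha256 -enddate -in "$tmp"
                : > "$tmp"
                ;;
        esac
    done < "$file"
    rm -f "$tmp"
}

# cert_fingerprint FILE
# SHA-256 fingerprint (colon-separated hex) of the first certificate in FILE.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Stand-alone use: list-chain.sh -f cacert.pem
if [ "${1:-}" = "-f" ] && [ -f "${2:-}" ]; then
    list_chain "$2"
fi
```

Because openssl x509 only ever reads the first certificate of a file, splitting the chain block by block is what makes the per-certificate output possible.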
Note: OpenLDAP on SLES 11 does not examine the /etc/ssl/certs directory for official certificates, so the chain file referenced by TLS_CACERT is the only place it will find them!