Apache LDAP authentication

This document describes the setup of LDAP authentication to Active Directory using SSL.

Apache needs the following settings to work with LDAPS authentication. First edit the /etc/openldap/ldap.conf file to enable SSL and TLS:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI ldaps://vaps014.example.com:636 ldap://vaps014.example.com

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never

# TLS setup:
ssl on
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_REQCERT allow
TLS_CACERTDIR   /etc/ssl/certs

HOST    vaps014.example.com

Note: The TLS_CACERTDIR /etc/ssl/certs setting makes all CA certificates that ship with your openssl package available. If the CA of your server certificate is not installed there by default, you must add it to the /etc/ssl/certs directory! Just follow the steps described in the CA certificates chapter.

Create the configuration file /etc/apache2/conf.d/ldaps.conf with the LDAPS-specific settings:

LDAPVerifyServerCert On
LDAPTrustedMode SSL
<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>

The alternative below is not the preferred way to configure SSL for LDAP, but with it nothing needs to change when the certificate on the LDAP server (AD) is replaced, because LDAPVerifyServerCert Off makes Apache skip verification of the server certificate.

Just create the configuration file /etc/apache2/conf.d/ldaps.conf with the following content:

LDAPVerifyServerCert Off
LDAPTrustedMode SSL
<Location /ldap-status>
    SetHandler ldap-status
    Require host 172.16.193.61 localhost
    Include /etc/apache2/custom.d/authint_ap.conf
</Location>

With this configuration no additional setup is required; the connection works without any further effort.

Of course, you must also change the LDAP URL in each LDAP authentication directive to ldaps://xxx.

Get the certificate from the official certificate reseller and put it into the /etc/ssl/certs folder. You must then create the hash symlink that SSL needs for the new file; just use the make-ca-symlinks.sh script to do it:

/opt/jobs/make-ca-symlinks.sh --dir /etc/ssl/certs

This creates the hash link for every certificate in the directory that does not have one yet.

First, you must fetch the certificate from the LDAP server using this small script:

#!/bin/sh
#
# usage: get-ssl-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}

# </dev/null closes s_client's stdin so it does not wait for input;
# sed keeps only the PEM block of the certificate sent by the server.
openssl s_client -connect "${REMHOST}:${REMPORT}" </dev/null 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

An example for ad.example.com on port 636:

get-ssl-cert.sh ad.example.com 636

Now configure openldap to use this certificate chain file by adding this line to /etc/openldap/ldap.conf:

TLS_CACERT  /etc/openldap/ssl/cacert.pem

You can list the certificates inside the cacert.pem file using this script:

/opt/jobs/read-all-certs-in-chain.pl -f cacert.pem

==> Certificate #1:
subject= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
issuer= /C=CH/ST=Zurich/O=Trivadis AG/OU=IT/CN=vaps014.example.com/emailAddress=servicedesk@example.com
==> Certificate #2:
subject= /CN=sdcs001.example.com
issuer= /C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
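The two helpers used above (make-ca-symlinks.sh and read-all-certs-in-chain.pl) are not shown on this page. The following added example, which is not part of the original page or its /opt/jobs scripts, does the same two jobs in plain sh: it splits a PEM bundle like cacert.pem into single certificates, prints subject, issuer and OpenSSL subject hash for each, and creates the <hash>.N symlinks that a TLS_CACERTDIR lookup needs. It assumes openssl is on PATH and that the certificate directory is writable.

```shell
#!/bin/sh
# Added illustration (not the page's /opt/jobs scripts): split a PEM bundle such as
# cacert.pem, describe each certificate, and hash-link a CA directory like c_rehash.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... (one per BEGIN/END CERTIFICATE
# block; text between blocks is skipped) and prints the number of certificates.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# describe_cert FILE: print subject, issuer and subject hash of one certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -subject_hash
}

# link_ca_dir DIR: for every regular *.pem file in DIR that has no <hash>.N
# symlink yet, create one (this is what c_rehash does). Prints the number of
# links created, so a second run over the same directory reports 0.
link_ca_dir() {
    dir=$1
    created=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=$(basename "$f")
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        linked=0
        for l in "$dir/$h".*; do
            if [ -L "$l" ] && [ "$(readlink "$l")" = "$name" ]; then linked=1; fi
        done
        if [ "$linked" -eq 1 ]; then continue; fi
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$name" "$dir/$h.$i"
        created=$((created + 1))
    done
    echo "$created"
}

# Usage, e.g. for the chain file configured as TLS_CACERT on this page:
#   split_pem_bundle /etc/openldap/ssl/cacert.pem /tmp/chain
#   for c in /tmp/chain/cert-*.pem; do echo "==> $c"; describe_cert "$c"; done
#   link_ca_dir /etc/ssl/certs
```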

Note: OpenLDAP on SLES 11 does not examine the /etc/ssl/certs directory for official certificates!

Last modified: 2019/02/07 17:54 by admin