<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content="HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />
<title>Lemonldap::NG documentation: 4.5-SSL-authentication-backend.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{ background: #ddd; font-family: sans-serif; font-size: 11pt; padding: 0 50px; }
div.main-content{ padding: 10px; background: #fff; border: 2px #ccc solid; }
a{ text-decoration: none; }
p.footer{ text-align: center; margin: 5px 0 0 0; }
.heading-1{ text-align: center; color: orange; font-variant: small-caps; font-size: 20pt; }
.heading-1-1{ color: orange; font-size: 14pt; border-bottom: 2px #ccc solid; }
pre{ background: #eee; border: 2px #ccc solid; padding: 5px; border-left: 10px #ccc solid; }
ul.star li{ list-style-type: square; }
/*]]>*/
</style>
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HLemonLDAP3A3ANGwithSSL">LemonLDAP::NG with SSL</span></h2>
<ul>
<li><a href="#HEnableSSLinApache">Enable SSL in Apache</a></li>
<li><a href="#HProtectapplicationwithHTTPS">Protect application with HTTPS</a></li>
<li><a href="#HTransparentauthenticationtroughSSLcertificates">Transparent authentication through SSL certificates</a></li>
</ul>
<h3 class="heading-1-1"><span id="HEnableSSLinApache">Enable SSL in Apache</span></h3>
<p class="paragraph">You have to install mod_ssl for Apache.</p>
<p class="paragraph">For CentOS/RHEL:</p>
<div class="code">
<pre>
# yum install mod_ssl
</pre>
</div>
<p class="paragraph">On CentOS/RHEL, we advise you to disable the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.</p>
<p class="paragraph">You can then use this default SSL configuration, for example at the top of /etc/lemonldap-ng/apache2.conf:</p>
<div class="code">
<pre>
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
</pre>
</div>
<p class="paragraph"><strong class="strong">Note</strong>: replace ow2.cert, ow2.key and ow2-ca.cert with your own certificate, private key and CA certificate files.</p>
<p class="paragraph">If you specify a port in your virtual host declarations, also declare the SSL port:</p>
<div class="code">
<pre>
NameVirtualHost *:80
NameVirtualHost *:443
</pre>
</div>
<h3 class="heading-1-1"><span id="HProtectapplicationwithHTTPS">Protect application with HTTPS</span></h3>
<p class="paragraph"><strong class="strong">Warning</strong>: if you configure one application (virtual host) with HTTPS, all other virtual hosts on the same Apache instance <strong class="strong">must</strong> be configured with HTTPS, because they share the same Handler.</p>
<p class="paragraph">In the virtual host configuration, just add:</p>
<div class="code">
<pre>
SSLEngine On
</pre>
</div>
<p class="paragraph">And configure the Handler (/var/lib/lemonldap-ng/handler/MyHandler.pm):</p>
<div class="code">
<pre>
https => 1,
</pre>
</div>
<h3 class="heading-1-1"><span id="HTransparentauthenticationtroughSSLcertificates">Transparent authentication through SSL certificates</span></h3>
<p class="paragraph">This only concerns the portal, which will use SSL client certificates to authenticate users.</p>
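<p class="paragraph">To make the certificate-to-user mapping concrete before the Apache and portal settings that follow, here is an added Python emulation (not LemonLDAP::NG code; the portal itself is Perl) of the decision the portal takes from the mod_ssl environment variables: SSLVar selects the certificate field, SSLLDAPField the LDAP attribute to match it against, and SSLRequire whether a failed certificate authentication falls back to the login form. The SSL_CLIENT_VERIFY check and the LDAP filter escaping are defensive additions assumed here, not settings from this page.</p>

```python
"""Emulation of the portal's certificate-to-user mapping (added example, not
LemonLDAP::NG code). mod_ssl exports certificate fields as environment
variables when "SSLOptions +StdEnvVars" is set; the portal reads the one named
by SSLVar and looks the value up in LDAP through SSLLDAPField."""


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter (RFC 4515).
    A certificate CN is free text chosen at enrolment and must not be able to
    alter the structure of the filter (assumed hardening, not a page setting)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def ssl_auth_decision(env, ssl_var="SSL_CLIENT_S_DN_CN",
                      ssl_ldap_field="uid", ssl_require=False):
    """Return ('user', ldap_filter) when a verified client certificate names the
    user, ('form', None) to fall back to the login form, or ('deny', None) when
    SSLRequire is set and certificate authentication failed."""
    # With "SSLVerifyClient optional", a client that presents no certificate
    # still reaches the portal; mod_ssl then sets SSL_CLIENT_VERIFY to "NONE"
    # and leaves the SSL_CLIENT_S_DN_* variables unset. Checking
    # SSL_CLIENT_VERIFY explicitly is a defensive assumption of this example.
    verified = env.get("SSL_CLIENT_VERIFY") == "SUCCESS"
    user = env.get(ssl_var, "")
    if verified and user:
        return "user", "(%s=%s)" % (ssl_ldap_field, escape_ldap_filter_value(user))
    return ("deny", None) if ssl_require else ("form", None)


# Constructed sample environments standing in for what mod_ssl would export.
ENV_WITH_CERT = {"SSL_CLIENT_VERIFY": "SUCCESS",
                 "SSL_CLIENT_S_DN_CN": "jdoe",
                 "SSL_CLIENT_S_DN": "/C=FR/O=Example/CN=jdoe"}
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
ENV_ODD_CN = {"SSL_CLIENT_VERIFY": "SUCCESS",
              "SSL_CLIENT_S_DN_CN": "John Doe (Ext)"}

if __name__ == "__main__":
    for name, env in [("cert", ENV_WITH_CERT), ("no cert", ENV_NO_CERT),
                      ("odd CN", ENV_ODD_CN)]:
        print(name, ssl_auth_decision(env),
              ssl_auth_decision(env, ssl_require=True))
```

Changing ssl_var to another exported field (for example SSL_CLIENT_S_DN) and ssl_ldap_field to the matching LDAP attribute shows how the SSLVar/SSLLDAPField pair generalises beyond the CN-to-uid case configured below.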
<p class="paragraph">The first step is done through Apache mod_ssl; LemonLDAP::NG then uses the environment variables exported by mod_ssl to map the certificate to a user identity.</p>
<p class="paragraph">First, edit the portal virtual host (/etc/lemonldap-ng/apache2.conf):</p>
<div class="code">
<pre>
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
</pre>
</div>
<p class="paragraph">Then modify the portal script file (/var/lib/lemonldap-ng/portal/index.pl):</p>
<div class="code">
<pre>
authentication => 'SSL',
SSLVar         => 'SSL_CLIENT_S_DN_CN',
SSLLDAPField   => 'uid',
SSLRequire     => 0,
</pre>
</div>
<p class="paragraph">The parameters are:</p>
<ul class="star">
<li>authentication: the authentication method, here SSL (can be LDAP, Apache, etc.)</li>
<li>SSLVar: the certificate field (exported by mod_ssl as an environment variable) assigned to the $user internal variable</li>
<li>SSLLDAPField: the attribute in the LDAP directory used to map this value to a user entry</li>
<li>SSLRequire: if true, do not display the authentication form when SSL certificate authentication fails (false by default).</li>
</ul>
<p class="paragraph"><strong class="strong">Note</strong>: SSLLDAPField is not required if you do not use userDBLDAP.</p>
</div>
<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>