lemonldap-ng-1.0-0.3.rc1mdv2011.0.noarch.rpm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

  <title>Lemonldap::NG documentation:
  4.5-SSL-authentication-backend.html</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
/*<![CDATA[*/
    body{
      background: #ddd;
      font-family: sans-serif;
      font-size: 11pt;
      padding: 0 50px;
    }
    div.main-content{
      padding: 10px;
      background: #fff;
      border: 2px #ccc solid;
    }
    a{
      text-decoration: none;
    }
    p.footer{
      text-align: center;
      margin: 5px 0 0 0;
    }
    .heading-1{
      text-align: center;
      color: orange;
      font-variant: small-caps;
      font-size: 20pt;
    }
    .heading-1-1{
      color: orange;
      font-size: 14pt;
      border-bottom: 2px #ccc solid;
    }
    pre{
      background: #eee;
      border: 2px #ccc solid;
      padding: 5px;
      border-left: 10px #ccc solid;
    }
    ul.star li{
      list-style-type: square;
    }
  /*]]>*/
  </style>
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id="HLemonLDAP3A3ANGwithSSL">LemonLDAP::NG
    with SSL</span></h2>

    <p class="paragraph"></p>

    <ul>
      <li><a href="#HEnableSSLinApache">Enable SSL in Apache</a></li>

      <li><a href="#HProtectapplicationwithHTTPS">Protect application with
      HTTPS</a></li>

      <li><a href=
      "#HTransparentauthenticationtroughSSLcertificates">Transparent
      authentication through SSL certificates</a></li>
    </ul>

    <h3 class="heading-1-1"><span id="HEnableSSLinApache">Enable SSL in
    Apache</span></h3>

    <p class="paragraph"></p>You have to install mod_ssl for Apache.

    <p class="paragraph"></p>For CentOS/RHEL:

    <div class="code">
      <pre>
# yum install mod_ssl
</pre>
    </div><br />
    <br />
    For CentOS/RHEL, we advise disabling the default SSL virtual host
    configured in /etc/httpd/conf.d/ssl.conf.<br />
    <br />
    You can then use this default SSL configuration, for example in the head
    of /etc/lemonldap-ng/apache2.conf:

    <div class="code">
      <pre>
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
</pre>
    </div>

    <p class="paragraph"></p><strong class="strong">Note</strong>: replace
    ow2.cert, ow2.key and ow2-ca.cert with your own files.

    <p class="paragraph"></p>If you specify the port in the virtual host
    directives, also declare the SSL port:

    <div class="code">
      <pre>
NameVirtualHost *:80
NameVirtualHost *:443
</pre>
    </div>

    <h3 class="heading-1-1"><span id="HProtectapplicationwithHTTPS">Protect
    application with HTTPS</span></h3>

    <p class="paragraph"></p><strong class="strong">Warning</strong>: if you
    configure one application (virtual host) with HTTPS, all other virtual
    hosts on the same Apache instance <strong class="strong">must</strong> be
    configured with HTTPS, because they share the same Handler.

    <p class="paragraph"></p>In the virtual host configuration, just add:

    <div class="code">
      <pre>
SSLEngine On
</pre>
    </div><br />
    <br />
    And configure the Handler (/var/lib/lemonldap-ng/handler/MyHandler.pm):

    <div class="code">
      <pre>
https =&gt; 1,
</pre>
    </div>

    <h3 class="heading-1-1"><span id=
    "HTransparentauthenticationtroughSSLcertificates">Transparent
    authentication through SSL certificates</span></h3><br />
    <br />
    It only concerns the portal, which will use SSL client certificates to
    authenticate users. The first step is done through Apache mod_ssl, and
    LemonLDAP::NG then uses the environment variables it exports to map the
    certificate to a user identity.<br />
    <br />
    First, edit the portal virtual host (/etc/lemonldap-ng/apache2.conf):

    <div class="code">
      <pre>
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
</pre>
    </div>

    <p class="paragraph"></p>Then modify portal script file
    (/var/lib/lemonldap-ng/portal/index.pl):

    <div class="code">
      <pre>
authentication =&gt; 'SSL',
SSLVar =&gt; 'SSL_CLIENT_S_DN_CN',
SSLLDAPField =&gt; 'uid',
SSLRequire =&gt; 0,
</pre>
    </div>

    <p class="paragraph"></p>The parameters are:

    <ul class="star">
      <li>authentication: the authentication method, here SSL (can be LDAP,
      Apache, etc.)</li>

      <li>SSLVar: the certificate field assigned to the $user internal
      variable</li>

      <li>SSLLDAPField: the LDAP attribute used to map that value to a
      directory entry</li>

      <li>SSLRequire: if true, do not display the authentication form when
      SSL certificate authentication fails (false by default).</li>
    </ul><strong class="strong">Note</strong>: SSLLDAPField is not required if
    you do not use userDBLDAP.
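    <p class="paragraph"></p>The decision the portal takes with these
    parameters, as an added example that is not LemonLDAP::NG code: it models
    authentication =&gt; 'SSL' with the values above, checks mod_ssl's
    SSL_CLIENT_VERIFY before trusting SSL_CLIENT_S_DN_CN (SSLVerifyClient
    optional lets the handshake complete without a valid certificate), and
    builds the LDAP filter for SSLLDAPField with RFC 4515 escaping. The
    function names and sample environments are constructed here.

```python
# Added example (not LemonLDAP::NG code): a model of the portal decision for
# authentication => 'SSL'. Function names and sample data are constructed.
# With SSLOptions +StdEnvVars, mod_ssl exports SSL_CLIENT_VERIFY (NONE,
# SUCCESS, GENEROUS or FAILED:<reason>) next to SSL_CLIENT_S_DN_CN.
from typing import Mapping, Tuple

PORTAL_CONF = {  # the index.pl values shown on the page
    "authentication": "SSL",
    "SSLVar": "SSL_CLIENT_S_DN_CN",
    "SSLLDAPField": "uid",
    "SSLRequire": 0,
}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: the certificate field ends up inside an LDAP
    search filter, so filter metacharacters are hex-encoded, never raw."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value
    )


def ssl_auth_decision(env: Mapping[str, str], conf=PORTAL_CONF) -> Tuple[str, str]:
    """Return (outcome, detail): 'ldap-lookup' with the filter to run,
    'form' (fall back to the login form) or 'deny' (SSLRequire is set and
    no valid certificate was presented)."""
    # SSLVerifyClient optional completes the handshake even when no
    # certificate, or one that failed verification, was presented, so the
    # verify status must be checked before the DN field is trusted.
    verified = env.get("SSL_CLIENT_VERIFY") == "SUCCESS"
    cn = env.get(conf["SSLVar"], "")
    if verified and cn:
        return "ldap-lookup", "(%s=%s)" % (conf["SSLLDAPField"], ldap_filter_escape(cn))
    if conf["SSLRequire"]:
        return "deny", "client certificate required"
    return "form", "no usable client certificate"


# Constructed sample environments, shaped as mod_ssl would set them.
ENV_CERT_OK = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "jdoe"}
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
ENV_CERT_BAD = {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
                "SSL_CLIENT_S_DN_CN": "jdoe"}

if __name__ == "__main__":
    for name, env in (("ok", ENV_CERT_OK), ("none", ENV_NO_CERT), ("bad", ENV_CERT_BAD)):
        print(name, ssl_auth_decision(env))
    print("required", ssl_auth_decision(ENV_NO_CERT, dict(PORTAL_CONF, SSLRequire=1)))
```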
  </div>

  <p class="footer"><a href="index.html">Index</a></p>
</body>
</html>