LemonLDAP::NG with SSL

Enable SSL in Apache

You have to install mod_ssl for Apache.

For CentOS/RHEL:
# yum install mod_ssl


For CentOS/RHEL, we advise disabling the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.

You can then use this default SSL configuration, for example at the top of /etc/lemonldap-ng/apache2.conf:
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert

Note: put your own files instead of ow2.cert, ow2.key, ow2-ca.cert

If you specify a port in the virtual host declarations, also declare the SSL port:
NameVirtualHost *:80
NameVirtualHost *:443

Protect application with HTTPS

Warning: if you configure one application (virtual host) with HTTPS, all other virtual hosts on the same Apache instance must be configured with HTTPS, because they share the same Handler.

In the virtual host configuration, just add:
SSLEngine On


And configure the Handler (/var/lib/lemonldap-ng/handler/MyHandler.pm):
https =>1,

Transparent authentication through SSL certificates

This only concerns the portal, which will use SSL client certificates to authenticate users. The first step is done through Apache mod_ssl, and LemonLDAP::NG then uses the environment variables mod_ssl exports to map the certificate to a user identity.

First, edit the portal virtual host (/etc/lemonldap-ng/apache2.conf):
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN

Then modify portal script file (/var/lib/lemonldap-ng/portal/index.pl):
authentication => 'SSL',
SSLVar => 'SSL_CLIENT_S_DN_CN',
SSLLDAPField => 'uid',
SSLRequire => 0,

The parameters are:

Note: SSLLDAPField is not required if you do not use userDBLDAP.
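As an added illustration (not LemonLDAP::NG's own code), the following Python script shows the mapping step described above: mod_ssl exports the verified client certificate's subject into environment variables, and the portal reads the one named by SSLVar, then looks the value up in the user database under the attribute named by SSLLDAPField. The environment dicts are constructed samples shaped like what mod_ssl sets with SSLOptions +StdEnvVars; the function names identity_from_env, ldap_filter and requires_cert are this example's own. The point a practitioner should take from it is that the subject field is only trustworthy when SSL_CLIENT_VERIFY reports SUCCESS, and that a value taken from a certificate must be escaped before it is placed in an LDAP search filter.

```python
# Added example (not LemonLDAP::NG code): certificate-to-identity mapping from
# mod_ssl environment variables, using the parameter names shown on the page.

SSLVar = "SSL_CLIENT_S_DN_CN"  # portal parameter: which env var carries the login
SSLLDAPField = "uid"           # portal parameter: LDAP attribute to match it against
SSLRequire = 0                 # 0: fall back to another method when no cert is present


class SSLAuthRequired(Exception):
    """Raised when SSLRequire is set and no valid client certificate was presented."""


def identity_from_env(env, ssl_var=SSLVar, ssl_require=SSLRequire):
    """Return the certificate-derived login, or None to let another method run.

    The subject field is trusted only when mod_ssl reports a successful chain
    verification (SSL_CLIENT_VERIFY == "SUCCESS"). With "SSLVerifyClient
    optional" a request without a certificate arrives with "NONE"; a cert that
    did not verify (possible with optional_no_ca) arrives as "FAILED:..." and
    must not be mapped to a user even though SSL_CLIENT_S_DN_CN is populated.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    login = env.get(ssl_var)
    if verify == "SUCCESS" and login:
        return login
    if ssl_require:
        raise SSLAuthRequired(
            f"client certificate required, got SSL_CLIENT_VERIFY={verify}")
    return None


def ldap_filter(field, value):
    """Build the user lookup filter, escaping the value per RFC 4515 so that
    characters inside a certificate subject cannot change the filter's shape."""
    escaped = (value.replace("\\", r"\5c")
                    .replace("*", r"\2a")
                    .replace("(", r"\28")
                    .replace(")", r"\29")
                    .replace("\0", r"\00"))
    return f"({field}={escaped})"


def requires_cert(env):
    """True if, with SSLRequire => 1, this request would be rejected outright."""
    try:
        identity_from_env(env, ssl_require=1)
    except SSLAuthRequired:
        return True
    return False


# Constructed sample environments (not captured from a real server).
ENV_WITH_CERT = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=FR/O=Example/CN=jdoe",
    "SSL_CLIENT_S_DN_CN": "jdoe",
}
ENV_NO_CERT = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"}
ENV_UNVERIFIED = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
    "SSL_CLIENT_S_DN_CN": "jdoe",
}

if __name__ == "__main__":
    for name, env in (("verified", ENV_WITH_CERT),
                      ("no cert", ENV_NO_CERT),
                      ("unverified", ENV_UNVERIFIED)):
        login = identity_from_env(env)
        lookup = ldap_filter(SSLLDAPField, login) if login else "fallback to other auth"
        print(f"{name:10s} -> login={login!r:8s} lookup={lookup}")
```

With SSLRequire => 0, as on the page, a request without a usable certificate simply falls through to the next authentication method; with SSLRequire set, the same request is refused, which is what requires_cert() reports.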