LemonLDAP::NG with SSL
- Enable SSL in Apache
- Protect application with HTTPS
- Transparent authentication through SSL certificates
Enable SSL in Apache
You have to install mod_ssl for Apache. For CentOS/RHEL:
# yum install mod_ssl
For CentOS/RHEL, we advise disabling the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.
You can then use this default SSL configuration, for example at the top of /etc/lemonldap-ng/apache2.conf:
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
NameVirtualHost *:80
NameVirtualHost *:443
Protect application with HTTPS
Warning: if you configure one application (virtual host) with HTTPS, all other virtual hosts on the same Apache instance must be configured with HTTPS, because they share the same Handler. In the virtual host configuration, just add:
SSLEngine On
And configure the Handler (/var/lib/lemonldap-ng/handler/MyHandler.pm):
https => 1,
Transparent authentication through SSL certificates
This only concerns the portal, which will use SSL client certificates to authenticate users. The first step is done through Apache mod_ssl; LemonLDAP::NG then uses the environment variables exported by mod_ssl to map the certificate to a user identity.
First, edit the portal virtual host (/etc/lemonldap-ng/apache2.conf):
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
Then, in the portal configuration, set:
authentication => 'SSL',
SSLVar => 'SSL_CLIENT_S_DN_CN',
SSLLDAPField => 'uid',
SSLRequire => 0,
- authentication: the authentication method, here SSL (can be LDAP, Apache, etc.)
- SSLVar: field of the certificate to use in mapping
- SSLLDAPField: attribute in LDAP directory to use in mapping
- SSLRequire: if true, do not display the authentication form when SSL certificate authentication fails (false by default).
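To make the SSLVar / SSLLDAPField / SSLRequire semantics concrete, here is an added example (constructed for this page, not LemonLDAP::NG's own code) that takes the mod_ssl environment exported by SSLOptions +StdEnvVars and decides whether to look the user up in LDAP, fall back to the form, or deny. The function name, the SSL_CLIENT_VERIFY check and the LDAP filter escaping are assumptions about what a careful deployment should do, not a description of the portal's internals.

```python
# Constructed illustration of the certificate -> LDAP user mapping described
# above. Not LemonLDAP::NG code; names and behaviour are assumptions.

def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The certificate subject is data supplied by the client, so it must never
    be pasted into a filter unescaped even when the CA signature is valid.
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def ssl_auth_decision(env, ssl_var='SSL_CLIENT_S_DN_CN',
                      ssl_ldap_field='uid', ssl_require=False):
    """Decide what to do with the mod_ssl environment of one request.

    Returns ('ldap', filter) when a verified client certificate carries the
    mapping attribute, ('form', None) to fall back to the login form
    (SSLRequire => 0), or ('deny', None) when SSLRequire => 1 and no usable
    certificate was presented.
    """
    # SSL_CLIENT_VERIFY is 'SUCCESS' only when the chain validated against
    # SSLCACertificateFile; 'NONE' means no certificate was sent at all.
    verified = env.get('SSL_CLIENT_VERIFY') == 'SUCCESS'
    value = env.get(ssl_var, '')
    if not verified or not value:
        return ('deny', None) if ssl_require else ('form', None)
    return ('ldap', '(%s=%s)' % (ssl_ldap_field,
                                 escape_ldap_filter_value(value)))


if __name__ == '__main__':
    # Constructed sample environments, as mod_ssl would export them.
    with_cert = {'SSL_CLIENT_VERIFY': 'SUCCESS', 'SSL_CLIENT_S_DN_CN': 'jdoe'}
    no_cert = {'SSL_CLIENT_VERIFY': 'NONE'}
    print(ssl_auth_decision(with_cert))            # ('ldap', '(uid=jdoe)')
    print(ssl_auth_decision(no_cert))              # ('form', None)
    print(ssl_auth_decision(no_cert, ssl_require=True))  # ('deny', None)
```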