lemonldap-ng/doc/pages/documentation/2.0/authssl.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="ssl" id="ssl">SSL</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table>
</div>
<!-- SECTION "SSL" [1-70] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> uses the <a href="http://httpd.apache.org/docs/current/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel="nofollow">Apache SSL module</a>, like any other <a href="../../documentation/2.0/authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>, with two extra features:
</p>
<ul>
<li class="level1"><div class="li"> Any certificate attribute can be chosen as the user's main login</div>
</li>
<li class="level1"><div class="li"> Users who present no certificate can be chained to other authentication methods</div>
</li>
</ul>
</div>
<!-- SECTION "Presentation" [71-394] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
</div>
<!-- SECTION "Configuration" [395-421] -->
<h3><a name="enable_ssl_in_apache" id="enable_ssl_in_apache">Enable SSL in Apache</a></h3>
<div class="level3">
<p>
You have to install mod_ssl for Apache.
</p>
<p>
For CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_ssl</pre>
<p>
On Debian/Ubuntu, mod_ssl is already shipped in the <code>apache2.2-common</code> package; enable it with <code>a2enmod ssl</code>.
</p>
<p>
<p><div class="notetip">For CentOS/RHEL, we advise disabling the default <acronym title="Secure Sockets Layer">SSL</acronym> virtual host configured in /etc/httpd/conf.d/ssl.conf, so that it does not conflict with the portal virtual host on port 443.
</div></p>
</p>
</div>
<!-- SECTION "Enable SSL in Apache" [422-758] -->
<h3><a name="apache_ssl_global_configuration" id="apache_ssl_global_configuration">Apache SSL global configuration</a></h3>
<div class="level3">
<p>
You can then use this default <acronym title="Secure Sockets Layer">SSL</acronym> configuration, for example in the head of /etc/lemonldap-ng/portal-apache2.conf:
</p>
<pre class="code file apache"><span class="kw1">SSLProtocol</span> <span class="kw2">all</span> -SSLv2
<span class="kw1">SSLCipherSuite</span> HIGH:MEDIUM
<span class="kw1">SSLCertificateFile</span> /etc/httpd/certs/ow2.cert
<span class="kw1">SSLCertificateKeyFile</span> /etc/httpd/certs/ow2.key
<span class="kw1">SSLCACertificateFile</span> /etc/httpd/certs/ow2-ca.cert</pre>
<p>
<p><div class="noteclassic">
Put your own files instead of <code>ow2.cert</code>, <code>ow2.key</code>, <code>ow2-ca.cert</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>SSLCertificateFile</strong>: Server certificate</div>
</li>
<li class="level1"><div class="li"> <strong>SSLCertificateKeyFile</strong>: Server private key</div>
</li>
<li class="level1"><div class="li"> <strong>SSLCACertificateFile</strong>: CA certificate to validate client certificates</div>
</li>
</ul>
<p>
The protocol and cipher settings above date from the SSLv2 era: SSLv3, TLS 1.0 and TLS 1.1 are deprecated as well, and <code>HIGH:MEDIUM</code> still admits weak suites, so tighten both on a current server.
</div></p>
</p>
<p>
If you specify a port in the virtual host declaration, also declare the <acronym title="Secure Sockets Layer">SSL</acronym> port (<code>NameVirtualHost</code> is only needed with Apache 2.2; in Apache 2.4 the directive has no effect and name-based virtual hosts work without it):
</p>
<pre class="code file apache"><span class="kw1">NameVirtualHost</span> *:80
<span class="kw1">NameVirtualHost</span> *:<span class="nu0">443</span></pre>
</div>
<!-- SECTION "Apache SSL global configuration" [759-1524] -->
<h3><a name="apache_portal_ssl_configuration" id="apache_portal_ssl_configuration">Apache portal SSL configuration</a></h3>
<div class="level3">
<p>
Edit the portal virtual host to enable mutual <acronym title="Secure Sockets Layer">SSL</acronym> authentication (server and client certificates):
</p>
<pre class="code file apache"><span class="kw1">SSLEngine</span> <span class="kw2">On</span>
<span class="kw1">SSLVerifyClient</span> optional
<span class="kw1">SSLVerifyDepth</span> 10
<span class="kw1">SSLOptions</span> +StdEnvVars
<span class="kw1">SSLUserName</span> SSL_CLIENT_S_DN_CN</pre>
<p>
All <acronym title="Secure Sockets Layer">SSL</acronym> options are documented in <a href="http://httpd.apache.org/docs/current/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel="nofollow">Apache mod_ssl page</a>.
</p>
<p>
Here are the main options used by <acronym title="LemonLDAP::NG">LL::NG</acronym>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>SSLVerifyClient</strong>: set to <code>optional</code> so that users who present no certificate can still reach the <acronym title="LemonLDAP::NG">LL::NG</acronym> portal page. A certificate that is presented must still verify against <code>SSLCACertificateFile</code>; an invalid one aborts the TLS handshake (only <code>optional_no_ca</code> lets unverified certificates through, and it should not be used here). To switch to another authentication backend for users without a certificate, use the <a href="../../documentation/2.0/authmulti.html" class="wikilink1" title="documentation:2.0:authmulti">Multi</a> module, for example: <code>Multi <acronym title="Secure Sockets Layer">SSL</acronym>;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym></code></div>
</li>
<li class="level1"><div class="li"> <strong>SSLOptions</strong>: set to <code>+StdEnvVars</code> to export the certificate fields (<code>SSL_CLIENT_S_DN_*</code>, <code>SSL_CLIENT_VERIFY</code>, ...) as environment variables</div>
</li>
<li class="level1"><div class="li"> <strong>SSLUserName</strong> (optional): certificate field that will be used to identify the user in the <acronym title="LemonLDAP::NG">LL::NG</acronym> portal virtual host; mod_ssl copies its value into <code>REMOTE_USER</code></div>
</li>
</ul>
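<p>
The following is an added example, not a file shipped with LemonLDAP::NG: a complete portal virtual host that merges the global directives and the portal directives from this page, with the protocol and cipher list brought up to date. <code>auth.example.com</code> and the CRL file <code>ow2-ca.crl</code> are assumptions; the certificate paths are the ones used on this page and must be replaced by your own files.
</p>

```apache
# Added example (not from the LL::NG distribution): portal virtual host
# with mutual TLS. Host name and CRL path are assumptions.
<VirtualHost *:443>
    ServerName auth.example.com

    SSLEngine On
    # Only TLS 1.2 and newer. "SSLProtocol all -SSLv2", as shown earlier
    # on this page, still leaves SSLv3, TLS 1.0 and TLS 1.1 enabled.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    SSLCertificateFile    /etc/httpd/certs/ow2.cert
    SSLCertificateKeyFile /etc/httpd/certs/ow2.key
    # CA that issued the *client* certificates (it may differ from the
    # CA of the server certificate). Only certificates chaining to it
    # can produce a login, so keep this file to the issuing CA(s) only.
    SSLCACertificateFile  /etc/httpd/certs/ow2-ca.cert

    # "optional": a client may omit its certificate (the portal then
    # falls back to another module), but a presented certificate must
    # verify. Never use "optional_no_ca" here: it accepts unverifiable
    # certificates and still populates SSL_CLIENT_S_DN_* from them.
    SSLVerifyClient optional
    # Depth 2 covers root -> issuing CA -> user; raise it only if your
    # PKI really has more levels (this page uses 10).
    SSLVerifyDepth 2
    # Reject revoked client certificates (Apache 2.4, PEM-encoded CRL;
    # the file name is an assumption).
    SSLCARevocationFile  /etc/httpd/certs/ow2-ca.crl
    SSLCARevocationCheck chain

    # Export SSL_CLIENT_* to the portal; SSLUserName also copies the
    # chosen field into REMOTE_USER.
    SSLOptions +StdEnvVars
    SSLUserName SSL_CLIENT_S_DN_CN

    # The portal directives from portal-apache2.conf (DocumentRoot,
    # handlers, aliases) go here unchanged.
</VirtualHost>
```

<p>
Keep the CA bundle given to <code>SSLCACertificateFile</code> separate from any bundle used for outbound connections: every CA listed there is trusted to issue logins for the portal.
</p>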
</div>
<!-- SECTION "Apache portal SSL configuration" [1525-2361] -->
<h3><a name="configuration_of_lemonldapng" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></h3>
<div class="level3">
<p>
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose <acronym title="Secure Sockets Layer">SSL</acronym> for authentication.
</p>
<p>
<p><div class="notetip">You can then choose any other module for the Users and Password backends, for example <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> to load the attributes of the user identified by the certificate.
</div></p>
</p>
<p>
Then, go in <code><acronym title="Secure Sockets Layer">SSL</acronym> parameters</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: authentication level assigned to sessions opened through this module</div>
</li>
<li class="level1"><div class="li"> <strong>Extracted certificate field</strong>: the mod_ssl environment variable (for example <code>SSL_CLIENT_S_DN_CN</code> or <code>SSL_CLIENT_S_DN_Email</code>) whose value is assigned to the <code>$user</code> internal variable</div>
</li>
</ul>
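<p>
To make the behaviour of "Extracted certificate field" and of chaining to another module concrete, here is an added Python illustration that is not LemonLDAP::NG code (the portal itself is written in Perl). It reads the environment that <code>SSLOptions +StdEnvVars</code> exports, accepts a login only when mod_ssl reports <code>SSL_CLIENT_VERIFY=SUCCESS</code>, declines when no certificate was presented so that the next module can run, and derives the requested component from the full subject DN when the component variable is absent. The sample environments are constructed, not captured from a server, and the <code>DN_ALIASES</code> mapping is an assumption about how the <code>Email</code> component is named in the DN string.
</p>

```python
"""Emulate how an SSL authentication module turns mod_ssl's environment
variables into a login. Added illustration, not LemonLDAP::NG code: the
variable names are mod_ssl's (SSLOptions +StdEnvVars); the samples below
are constructed."""
import re
from typing import Dict, Optional

# Values mod_ssl puts in SSL_CLIENT_VERIFY:
#   NONE          no certificate presented (allowed by SSLVerifyClient optional)
#   SUCCESS       certificate presented and chained to SSLCACertificateFile
#   GENEROUS      accepted without a CA check (SSLVerifyClient optional_no_ca)
#   FAILED:<why>  presented but invalid (reaches the app only with optional_no_ca)

# mod_ssl component names that differ from the attribute type in the DN
# string (assumption: only Email needs mapping for plain subjects)
DN_ALIASES = {"Email": "emailAddress"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a subject string into {attribute: value}.

    Accepts both the legacy mod_ssl form '/C=FR/O=Example/CN=jdoe' and the
    RFC 2253 form 'CN=jdoe,O=Example,C=FR' that Apache 2.4 exports by default.
    Backslash-escaped separators stay inside a value; other RFC 2253 escapes
    are not decoded (assumption: plain ASCII subjects).
    """
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:
        parts = re.split(r"(?<!\\),", dn)
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def ssl_user(env: Dict[str, str], field: str = "SSL_CLIENT_S_DN_CN") -> Optional[str]:
    """Return the login taken from the client certificate, or None when the
    SSL module must decline so that the next module in the chain (e.g. LDAP)
    can run.

    env    the CGI environment exported by SSLOptions +StdEnvVars
    field  the "Extracted certificate field" parameter: a mod_ssl variable
           name such as SSL_CLIENT_S_DN_CN or SSL_CLIENT_S_DN_Email
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return None  # no certificate at all: chain to the next module
    if verify != "SUCCESS":
        # GENEROUS or FAILED:<why>: never map an unverified subject to an account
        return None
    value = env.get(field)
    if not value:
        # Component variable missing: derive it from the full subject DN.
        m = re.fullmatch(r"SSL_CLIENT_S_DN_(\w+)", field)
        if m and env.get("SSL_CLIENT_S_DN"):
            attr = DN_ALIASES.get(m.group(1), m.group(1))
            value = parse_dn(env["SSL_CLIENT_S_DN"]).get(attr)
    return value or None


# Constructed sample environments (not captured from a real server)
SAMPLES = {
    "verified cert, CN exported": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": "CN=jdoe,O=Example,C=FR",
        "SSL_CLIENT_S_DN_CN": "jdoe",
    },
    "no certificate (fall back to LDAP)": {"SSL_CLIENT_VERIFY": "NONE"},
    "unverifiable cert (optional_no_ca)": {
        "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
        "SSL_CLIENT_S_DN_CN": "admin",
    },
    "legacy DN format, CN not exported": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": "/C=FR/O=Example/CN=jdoe",
    },
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(f"{label:40s} -> {ssl_user(env)!r}")
```

<p>
The third sample is the case that <code>SSLVerifyClient optional</code> never lets through (the handshake fails first); it is included to show why an application must still check <code>SSL_CLIENT_VERIFY</code> rather than trusting any populated <code>SSL_CLIENT_S_DN_*</code> variable, should the Apache setting ever be relaxed to <code>optional_no_ca</code>.
</p>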
</div>
<!-- SECTION "Configuration of LemonLDAP::NG" [2362-] --></div><!-- closes <div class="dokuwiki export">-->