Authentication | Users | Password |
---|---|---|
✔ | | |
LL::NG uses Apache's SSL module (mod_ssl) like any other Apache authentication module, with a few additional features:

Install mod_ssl for Apache.

On CentOS/RHEL:

```shell
yum install mod_ssl
```

On Debian/Ubuntu, mod_ssl is installed with the apache2.2-common package.
You can then use this default SSL configuration, for example at the top of /etc/lemonldap-ng/portal-apache2.conf:

```apache
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
```

ow2.cert, ow2.key and ow2-ca.cert are, respectively, the server certificate, its private key and the CA certificate(s) against which client certificates are verified (SSLCACertificateFile); replace them with your own files. The SSLProtocol and SSLCipherSuite lines date from when only SSLv2 had to be excluded: on a current Apache, disable SSLv3, TLS 1.0 and TLS 1.1 as well (for example `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`) and prefer `HIGH` without `MEDIUM`.
If you specify the port in the virtual host declarations, also declare the SSL port:

```apache
NameVirtualHost *:80
NameVirtualHost *:443
```

NameVirtualHost is only needed on Apache 2.2; on Apache 2.4 the directive is deprecated and has no effect, name-based virtual hosts are automatic.
Edit the portal virtual host to enable SSL mutual authentication (client certificates):

```apache
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
```
All SSL options are documented on the Apache mod_ssl page. The main options used by LL::NG are:

- `SSLVerifyClient optional`: lets users who do not have a valid certificate reach the LL::NG portal page. Note that with `optional` a certificate that is presented but fails verification still aborts the TLS handshake; only `optional_no_ca` lets such clients through, and it must not be combined with trusting the certificate subject. To fall back to another authentication backend for users without a certificate, use the Multi module, for example: `Multi SSL;LDAP`.
- `SSLOptions +StdEnvVars`: exports the certificate fields as environment variables (SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, SSL_CLIENT_VERIFY, ...). `SSLUserName SSL_CLIENT_S_DN_CN` then makes the certificate's CN the authenticated user name (REMOTE_USER) seen by the portal.
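The two directives above define a contract between mod_ssl and whatever consumes the environment: the subject fields are only trustworthy when SSL_CLIENT_VERIFY reports SUCCESS. The following worked check is an added example written for this page in Python (LL::NG itself is Perl, and this is not its code): the environment dictionaries are constructed to imitate what `+StdEnvVars` exports in the three cases a portal can meet (verified certificate, no certificate under `optional`, and an unverified certificate that only `optional_no_ca` would let through), and `parse_dn` handles both the RFC 2253 DN format of current Apache releases and the legacy slash format of older ones.

```python
import re
from typing import Dict, Optional

# Constructed sample environments, imitating what mod_ssl exports to a request
# handler when "SSLOptions +StdEnvVars" is set. Values are made up for this example.
ENV_CERT_OK = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Alice Example,OU=Staff,O=Example Org,C=FR",
    "SSL_CLIENT_S_DN_CN": "Alice Example",
}
# SSLVerifyClient optional and the browser sent no certificate at all
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
# Only reachable with SSLVerifyClient optional_no_ca: the handshake completed
# but the chain did not verify, yet the DN variables are still fully populated.
ENV_UNVERIFIED = {
    "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
    "SSL_CLIENT_S_DN": "/C=FR/O=Anyone/CN=Alice Example",  # legacy slash format
    "SSL_CLIENT_S_DN_CN": "Alice Example",
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a subject DN as mod_ssl formats it into {attribute: value}.

    Apache >= 2.3.11 emits RFC 2253 order ("CN=x,O=y,C=z", comma separated);
    older releases, or SSLOptions +LegacyDNStringFormat, emit "/C=z/O=y/CN=x".
    Separators inside values must be backslash-escaped, which the splits honour.
    """
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:
        parts = re.split(r"(?<!\\),", dn)
    fields: Dict[str, str] = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.replace("\\,", ",").replace("\\/", "/")
    return fields


def user_from_mod_ssl_env(env: Dict[str, str]) -> Optional[str]:
    """Return the user name a backend may trust from the mod_ssl variables, or None.

    The DN fields are only meaningful when SSL_CLIENT_VERIFY is SUCCESS: with
    "optional" a no-certificate request reports NONE and carries no DN, while with
    "optional_no_ca" a FAILED:... status still arrives with a fully populated DN
    whose content the client chose. So the CN is only usable as an identity behind
    "optional" or "require", never behind "optional_no_ca".
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cn = env.get("SSL_CLIENT_S_DN_CN")
    if not cn:
        # Fall back to extracting the CN from the full DN string.
        cn = parse_dn(env.get("SSL_CLIENT_S_DN", "")).get("CN")
    return cn or None


if __name__ == "__main__":
    for name, env in (("ok", ENV_CERT_OK), ("none", ENV_NO_CERT), ("failed", ENV_UNVERIFIED)):
        print(name, "->", user_from_mod_ssl_env(env))
```

The point of the third sample is the one that bites in practice: the CN in it is identical to the legitimate one, and only the SSL_CLIENT_VERIFY gate distinguishes the two.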
In the Manager, go to General Parameters > Authentication modules and choose SSL for authentication. Then go to SSL parameters.
A known problem is that many browsers (Firefox, Chrome) remember that no certificate was available at a given moment. This matters especially for smart cards: if the card is not inserted before the browser starts, the user must restart the browser, or at least reload (F5) the page.

It is possible to work around this limitation with some AJAX code and three Apache locations.
1. Modify the portal virtual host to match this example:

```apache
SSLEngine On
SSLCACertificateFile /etc/apache2/ssl/ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/lemonldap.key
SSLCertificateFile /etc/apache2/ssl/lemonldap.crt
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN

# DocumentRoot
DocumentRoot /var/lib/lemonldap-ng/portal/
<Directory /var/lib/lemonldap-ng/portal/>
    Order Deny,Allow
    Allow from all
    Options +ExecCGI +FollowSymLinks
    SSLVerifyClient none
</Directory>

<Location /index>
    Order Deny,Allow
    Allow from all
    SSLVerifyClient none
</Location>

<Location /testssl>
    Order Deny,Allow
    Allow from all
    SSLVerifyClient require
</Location>

Alias /sslok /var/lib/lemonldap-ng/portal
<Location /sslok>
    Order Deny,Allow
    Allow from all
    SSLVerifyClient require
</Location>
```

The three locations play distinct roles: /index is served without any certificate and hosts the AJAX page; /testssl requires a certificate and exists only to be probed (it serves no content); /sslok aliases the portal and requires a certificate. Two caveats: `Order Deny,Allow` / `Allow from all` is Apache 2.2 syntax, to be replaced by `Require all granted` on Apache 2.4; and changing SSLVerifyClient per location relies on TLS renegotiation, which under TLS 1.3 needs post-handshake authentication support in both Apache (2.4.42 or later with OpenSSL 1.1.1) and the browser.
2. Then build the AJAX page, for example in /index/bouton.html. It looks like this:

```html
<body>
  <script src="./jquery-2.1.4.min.js" type="text/javascript"></script>
  <!-- The href is only the fallback when JavaScript is disabled; the handler below takes over otherwise -->
  <a href="http://www.google.fr" class="enteteBouton" id="continuerButton"><img src="authent.png"></a>
  <script>
  $('.enteteBouton').click(function (e) {
    // Internet Explorer: flush its cached client-certificate choice
    var b = navigator.userAgent.toLowerCase();
    if (b.indexOf("msie") !== -1) {
      document.execCommand("ClearAuthenticationCache");
    }
    e.preventDefault();
    // Probe /testssl, which requires a client certificate but serves no content:
    // a completed handshake therefore ends in a 404, which is the "card present"
    // signal. A missing or refused certificate aborts the handshake and surfaces
    // in the error callback (typically with status 0), treated as "no card".
    $.ajax({
      url: "https://auth.example.com/testssl",
      type: "GET",
      dataType: "html",
      success: function (c, a) {
        if (c !== "") {
          alert("Card OK");
          window.location.href = "https://auth.example.com/sslok/";
        } else {
          alert("No card");
        }
      },
      error: function (xhr, ajaxOptions, thrownError) {
        if (xhr.status == 404) {
          alert("Card OK");
          window.location.href = "https://auth.example.com/sslok/";
        } else {
          alert("No card");
        }
      }
    });
  });
  </script>
</body>
```

Serve this page from the same origin as the probe URL (here auth.example.com): a cross-origin request blocked by the browser also reaches the error callback with status 0 and would be misread as a missing card.