lemonldap-ng/po-doc/fr/pages/documentation/current/authssl.html
2017-08-30 16:47:26 +00:00


<!DOCTYPE html>
<html lang="fr" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:authssl</title><!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authssl"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authssl.html"/>
<link rel="contents" href="authssl.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authssl","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script><!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#with_apache">With Apache</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#enable_ssl_in_apache">Enable SSL in Apache</a></div></li>
<li class="level3"><div class="li"><a href="#apache_ssl_global_configuration">Apache SSL global configuration</a></div></li>
<li class="level3"><div class="li"><a href="#apache_portal_ssl_configuration">Apache portal SSL configuration</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#with_nginx">With Nginx</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></div></li>
<li class="level2"><div class="li"><a href="#auto_reloading_ssl_certificates">Auto reloading SSL certificates</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#ssl_by_ajax">SSL by Ajax</a></div></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="ssl">SSL</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table></div><!-- EDIT2 TABLE [19-76] -->
</div><!-- EDIT1 SECTION "SSL" [1-77] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> uses the <a href="http://httpd.apache.org/docs/current/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel="nofollow">Apache SSL module</a>, like any other <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>, with a few extra features:
</p>
<ul>
<li class="level1"><div class="li"> Choose any certificate attribute as the main user identifier</div>
</li>
<li class="level1"><div class="li"> Allow clients without a certificate when chaining with other authentication methods</div>
</li>
</ul>
</div><!-- EDIT3 SECTION "Presentation" [78-401] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG <em>(compatible with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>)</em>, you can activate “SSL by Ajax request” in the manager. See <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a> below.
</p>
</div><!-- EDIT4 SECTION "Configuration" [402-713] -->
<h3 class="sectionedit5" id="with_apache">With Apache</h3>
<div class="level3">
</div>
<h4 id="enable_ssl_in_apache">Activer SSL dans Apache</h4>
<div class="level4">
<p>
Install mod_ssl for Apache.
</p>
<p>
For CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_ssl</pre>
<div class="notetip">On Debian/Ubuntu, mod_ssl is already shipped in the <code>apache*-common</code> package.
</div><div class="notetip">For CentOS/RHEL, it is recommended to disable the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.
</div>
</div>
<h4 id="apache_ssl_global_configuration">Apache SSL global configuration</h4>
<div class="level4">
<p>
This default SSL configuration can be used, for example at the top of /etc/lemonldap-ng/portal-apache2.conf:
</p>
<pre class="code file apache"><span class="kw1">SSLProtocol</span> <span class="kw2">all</span> -SSLv2
<span class="kw1">SSLCipherSuite</span> HIGH:MEDIUM
<span class="kw1">SSLCertificateFile</span> /etc/httpd/certs/ow2.cert
<span class="kw1">SSLCertificateKeyFile</span> /etc/httpd/certs/ow2.key
<span class="kw1">SSLCACertificateFile</span> /etc/httpd/certs/ow2-ca.cert</pre>
<div class="noteclassic">Use your own files instead of <code>ow2.cert</code>, <code>ow2.key</code> and <code>ow2-ca.cert</code>:<ul>
<li class="level1"><div class="li"> <strong>SSLCertificateFile</strong>: server certificate</div>
</li>
<li class="level1"><div class="li"> <strong>SSLCertificateKeyFile</strong>: server private key</div>
</li>
<li class="level1"><div class="li"> <strong>SSLCACertificateFile</strong>: certificate authority (CA) certificate used to validate client certificates</div>
</li>
</ul>
</div>
<p>
If the port is specified, also declare the SSL port:
</p>
<pre class="code file apache"><span class="kw1">NameVirtualHost</span> *:<span class="nu0">80</span>
<span class="kw1">NameVirtualHost</span> *:<span class="nu0">443</span></pre>
</div>
<h4 id="apache_portal_ssl_configuration">Apache portal SSL configuration</h4>
<div class="level4">
<p>
Edit the portal virtual host to enable mutual (two-way) SSL authentication:
</p>
<pre class="code file apache"><span class="kw1">SSLEngine</span> <span class="kw2">On</span>
<span class="kw1">SSLVerifyClient</span> optional
<span class="kw1">SSLVerifyDepth</span> <span class="nu0">10</span>
<span class="kw1">SSLOptions</span> +StdEnvVars
<span class="kw1">SSLUserName</span> SSL_CLIENT_S_DN_CN</pre>
<p>
All SSL options are documented on the <a href="http://httpd.apache.org/docs/current/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel="nofollow">Apache mod_ssl page</a>.
</p>
<p>
The main options used by <abbr title="LemonLDAP::NG">LL::NG</abbr> are listed below:
</p>
<ul>
<li class="level1"><div class="li"> <strong>SSLVerifyClient</strong>: set to <code>optional</code> to allow users without a valid certificate to reach the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal page. To fall back to another authentication backend, use the <a href="authmulti.html" class="wikilink1" title="documentation:2.0:authmulti">Multi</a> module, for example: <code>Multi SSL;LDAP</code></div>
</li>
<li class="level1"><div class="li"> <strong>SSLOptions</strong>: set to <code>+StdEnvVars</code> to expose the certificate fields as environment variables</div>
</li>
<li class="level1"><div class="li"> <strong>SSLUserName</strong> (optional): certificate field used to identify a user in the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal virtual host</div>
</li>
</ul>
</div><!-- EDIT5 SECTION "With Apache" [714-2684] -->
<h3 class="sectionedit6" id="with_nginx">With Nginx</h3>
<div class="level3">
<p>
Enable SSL:
</p>
<pre class="code file nginx">ssl on;
ssl_verify_client optional;
ssl_certificate /etc/letsencrypt/live/my/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my/privkey.pem;
ssl_verify_depth 3;
ssl_client_certificate /etc/nginx/ssl/ca.pem;
ssl_crl /etc/nginx/ssl/crl/my.crl;</pre>
<p>
You must also export SSL_CLIENT_S_<abbr title="Distinguished Name">DN</abbr>_CN in FastCGI params:
</p>
<pre class="code file nginx">map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~/CN=(?&lt;CN&gt;[^/]+) $CN;
}
fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;</pre>
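<p>
The following Python script is an added example, not LemonLDAP::NG project code. It emulates the <code>map</code> above, which is what produces the <code>SSL_CLIENT_S_DN_CN</code> value LL::NG uses as the user name, and shows a failure mode worth checking: the regex expects the legacy OpenSSL one-line DN format, so it yields the map's default (an empty string) when <code>$ssl_client_s_dn</code> is in RFC 2253 format. The sample DNs are constructed, and the version note is an assumption about nginx (RFC 2253 format since 1.11.6, legacy format in <code>$ssl_client_s_dn_legacy</code>).
</p>

```python
"""Added example (not LemonLDAP::NG project code): emulates the nginx `map`
that turns $ssl_client_s_dn into SSL_CLIENT_S_DN_CN and shows when the map
hands LL::NG an empty user name."""
import re

# The page's map matches the legacy OpenSSL one-line DN format,
# e.g. "/C=FR/O=Example/CN=alice".
LEGACY_CN_RE = re.compile(r"/CN=(?P<CN>[^/]+)")

# Assumption: nginx 1.11.6 and later expose $ssl_client_s_dn in RFC 2253
# format ("CN=alice,O=Example,C=FR"); the old format is $ssl_client_s_dn_legacy.
# RFC 2253 values may escape commas with a backslash.
RFC2253_CN_RE = re.compile(r"(?:^|,)CN=(?P<CN>(?:[^,\\]|\\.)+)")


def cn_from_legacy_dn(dn: str) -> str:
    """Exactly what the page's map computes: the CN, or "" (the map default)."""
    m = LEGACY_CN_RE.search(dn)
    return m.group("CN") if m else ""


def cn_from_rfc2253_dn(dn: str) -> str:
    """CN from an RFC 2253 DN, with backslash escapes removed."""
    m = RFC2253_CN_RE.search(dn)
    return re.sub(r"\\(.)", r"\1", m.group("CN")) if m else ""


def ssl_client_s_dn_cn(dn: str) -> str:
    """Value a version-tolerant map would export: try the legacy format
    first, then RFC 2253, so the same vhost works across nginx versions."""
    return cn_from_legacy_dn(dn) or cn_from_rfc2253_dn(dn)


# Constructed sample DNs (not taken from the page).
SAMPLES = {
    "legacy": "/C=FR/O=Example/CN=alice",
    "rfc2253": "CN=alice,O=Example,C=FR",
    "rfc2253_escaped": "CN=Doe\\, John,O=Example,C=FR",
    "no_cn": "O=Example,C=FR",
}

if __name__ == "__main__":
    for label, dn in SAMPLES.items():
        print(f"{label:16} page map -> {cn_from_legacy_dn(dn)!r:12} "
              f"tolerant -> {ssl_client_s_dn_cn(dn)!r}")
```

<p>
An empty <code>SSL_CLIENT_S_DN_CN</code> makes the SSL login fail rather than misidentify the user, but it is easy to mistake for a certificate problem; in nginx itself, the equivalent fix is to apply the page's regex to <code>$ssl_client_s_dn_legacy</code> or to match <code>,?CN=</code> on the RFC 2253 value.
</p>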
</div><!-- EDIT6 SECTION "With Nginx" [2685-3246] -->
<h3 class="sectionedit7" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
In the Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose SSL for authentication.
</p>
<div class="notetip">You can then choose your users and password modules.
</div>
<p>
Then go to <code>SSL parameters</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: authentication level for this module</div>
</li>
<li class="level1"><div class="li"> <strong>Field extracted from the certificate</strong>: certificate field assigned to the internal $user variable</div>
</li>
</ul>
</div><!-- EDIT7 SECTION "Configuration of LemonLDAP::NG" [3247-3672] -->
<h3 class="sectionedit8" id="auto_reloading_ssl_certificates">Auto reloading SSL certificates</h3>
<div class="level3">
<p>
Known problem: many browsers (Firefox, Chrome) remember for some time that a certificate is not available. This matters especially for smart cards: if the card is not inserted before the browser starts, the user has to restart the browser, or at least reload the page (F5).
</p>
<p>
This can be avoided with some AJAX code and 3 Apache "locations".
</p>
<p>
1. Modify the portal virtual host as follows:
</p>
<pre class="code file apache"> <span class="kw1">SSLEngine</span> <span class="kw2">On</span>
<span class="kw1">SSLCACertificateFile</span> /etc/apache2/ssl/ca.crt
<span class="kw1">SSLCertificateKeyFile</span> /etc/apache2/ssl/lemonldap.key
<span class="kw1">SSLCertificateFile</span> /etc/apache2/ssl/lemonldap.crt
&nbsp;
<span class="kw1">SSLVerifyDepth</span> <span class="nu0">10</span>
<span class="kw1">SSLOptions</span> +StdEnvVars
<span class="kw1">SSLUserName</span> SSL_CLIENT_S_DN_CN
&nbsp;
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/portal/
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/portal/&gt;
<span class="kw1">Order</span> <span class="kw1">Deny</span>,<span class="kw1">Allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
<span class="kw1">SSLVerifyClient</span> <span class="kw2">none</span>
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
&lt;<span class="kw3">Location</span> /index&gt;
<span class="kw1">Order</span> <span class="kw1">Deny</span>,<span class="kw1">Allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">SSLVerifyClient</span> <span class="kw2">none</span>
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
&lt;<span class="kw3">Location</span> /testssl&gt;
<span class="kw1">Order</span> <span class="kw1">Deny</span>,<span class="kw1">Allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">SSLVerifyClient</span> <span class="kw1">require</span>
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="kw1">Alias</span> /sslok /var/lib/lemonldap-ng/portal
&lt;<span class="kw3">Location</span> /sslok&gt;
<span class="kw1">Order</span> <span class="kw1">Deny</span>,<span class="kw1">Allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">SSLVerifyClient</span> <span class="kw1">require</span>
&lt;/<span class="kw3">Location</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> /index/ is an unprotected page that displays an SSL test button</div>
</li>
<li class="level1"><div class="li"> /testssl/ is an SSL-protected page that checks the certificate</div>
</li>
<li class="level1"><div class="li"> /sslok/ is the new LemonLDAP::NG portal. The new URL must be declared in the Manager: Portal → <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/sslok/" class="urlextern" title="https://auth.example.com/sslok/" rel="nofollow">https://auth.example.com/sslok/</a></div>
</li>
</ul>
<p>
2. Then build the Ajax page, for example in /index/bouton.html. It looks like this:
</p>
<pre class="code file html4strict"><span class="sc2">&lt;<a href="http://december.com/html/4/element/body.html"><span class="kw2">body</span></a>&gt;</span>
<span class="sc2">&lt;<a href="http://december.com/html/4/element/script.html"><span class="kw2">script</span></a> <span class="kw3">src</span><span class="sy0">=</span><span class="st0">"./jquery-2.1.4.min.js"</span> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">"text/javascript"</span>&gt;</span> <span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/script.html"><span class="kw2">script</span></a>&gt;</span>
<span class="sc-1">&lt;!--&lt;script src="./jquery-ui-1.8-rass.js" type="text/javascript"&gt; &lt;/script&gt;--&gt;</span>
&nbsp;
&nbsp;
<span class="sc2">&lt;<a href="http://december.com/html/4/element/a.html"><span class="kw2">a</span></a> <span class="kw3">href</span><span class="sy0">=</span><span class="st0">"http://www.google.fr"</span> <span class="kw3">class</span><span class="sy0">=</span><span class="st0">"enteteBouton"</span> <span class="kw3">id</span><span class="sy0">=</span><span class="st0">"continuerButton"</span>&gt;&lt;<a href="http://december.com/html/4/element/img.html"><span class="kw2">img</span></a> <span class="kw3">src</span><span class="sy0">=</span>authent.png&gt;&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/a.html"><span class="kw2">a</span></a>&gt;</span>
<span class="sc2">&lt;<a href="http://december.com/html/4/element/script.html"><span class="kw2">script</span></a>&gt;</span>
$('.enteteBouton').click( function (e) {
var b=navigator.userAgent.toLowerCase();
if(b.indexOf("msie")!==-1){
document.execCommand("ClearAuthenticationCache")
}
e.preventDefault();
$.ajax({
url:"https://auth.example.com/testssl",
beforeSend:function(){},
type:"GET",
dataType:"html",
success:function(c,a){
if (c !== "") {
alert("Carte OK");
window.location.href = "https://auth.example.com/sslok/";
}
else {
alert('Carte KO');
}
},
error:function (xhr, ajaxOptions, thrownError){
if(xhr.status==404) {
alert("Carte OK");
window.location.href = "https://auth.example.com/sslok/";
}
else {
alert('Carte KO');
}
},
complete:function(c,a){}
});
});
<span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/script.html"><span class="kw2">script</span></a>&gt;</span>
<span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/body.html"><span class="kw2">body</span></a>&gt;</span></pre>
<div class="notewarning">This method is incompatible with authentication combination because of the Apache parameter “SSLVerifyClient”, which must have the value “require”. To enable SSL with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, use <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a>.
</div>
</div><!-- EDIT8 SECTION "Auto reloading SSL Certificates" [3673-6936] -->
<h2 class="sectionedit9" id="ssl_by_ajax">SSL by Ajax</h2>
<div class="level2">
<p>
If you enable this feature, you must configure 2 portal virtual hosts:
</p>
<ul>
<li class="level1"><div class="li"> the main <em>(which corresponds to portal <abbr title="Uniform Resource Locator">URL</abbr>)</em> with <code>SSLVerifyClient none</code></div>
</li>
<li class="level1"><div class="li"> the second with <code>SSLVerifyClient require</code> and a <code>Header set Access-Control-Allow-Origin https://portal-main-url</code> (the CORS response header, so that the main portal page may call this virtual host from the browser)</div>
</li>
</ul>
<p>
then declare the second <abbr title="Uniform Resource Locator">URL</abbr> in the SSL options in the Manager. That's all! You can then chain it in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a>.
</p>
</div><!-- EDIT9 SECTION "SSL by Ajax" [6937-] -->
</div>
</body>
</html>