<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

<title>Lemonldap::NG documentation:
4.5-SSL-authentication-backend.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
background: #ddd;
font-family: sans-serif;
font-size: 11pt;
padding: 0 50px;
}
div.main-content{
padding: 10px;
background: #fff;
border: 2px #ccc solid;
}
a{
text-decoration: none;
}
p.footer{
text-align: center;
margin: 5px 0 0 0;
}
.heading-1{
text-align: center;
color: orange;
font-variant: small-caps;
font-size: 20pt;
}
.heading-1-1{
color: orange;
font-size: 14pt;
border-bottom: 2px #ccc solid;
}
pre{
background: #eee;
border: 2px #ccc solid;
padding: 5px;
border-left: 10px #ccc solid;
}
ul.star li{
list-style-type: square;
}
/*]]>*/
</style>
</head>

<body>
<div class="main-content">
<h2 class="heading-1"><span id="HLemonLDAP3A3ANGwithSSL">LemonLDAP::NG
with SSL</span></h2>

<ul>
<li><a href="#HEnableSSLinApache">Enable SSL in Apache</a></li>

<li><a href="#HProtectapplicationwithHTTPS">Protect application with
HTTPS</a></li>

<li><a href=
"#HTransparentauthenticationtroughSSLcertificates">Transparent
authentication through SSL certificates</a></li>
</ul>

<h3 class="heading-1-1"><span id="HEnableSSLinApache">Enable SSL in
Apache</span></h3>

<p class="paragraph">You have to install mod_ssl for Apache.</p>

<p class="paragraph">For CentOS/RHEL:</p>

<div class="code">
<pre>
# yum install mod_ssl
</pre>
</div>

<p class="paragraph">On CentOS/RHEL, we advise disabling the default SSL virtual host
configured in /etc/httpd/conf.d/ssl.conf, so that it does not conflict with
the virtual hosts you declare for LemonLDAP::NG on port 443.</p>

<p class="paragraph">You can then use this default SSL configuration, for example at the
top of /etc/lemonldap-ng/apache2.conf:</p>

<div class="code">
<pre>
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
</pre>
</div>

<p class="paragraph"><strong class="strong">Note</strong>: replace ow2.cert, ow2.key and
ow2-ca.cert with your own server certificate, private key and CA certificate.
SSLCACertificateFile names the CA against which client certificates are verified,
which matters for the last section of this page. This fragment dates from a time
when disabling SSLv2 was sufficient: on a current server also remove SSLv3, TLSv1
and TLSv1.1 from SSLProtocol, and prefer a cipher list that does not include the
MEDIUM keyword (for example HIGH with explicit !aNULL and !MD5 exclusions), since
MEDIUM still admits suites such as RC4.</p>
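<p class="paragraph">The following lint script is an added example written for this page; it is neither LemonLDAP::NG nor Apache code. It parses the SSLProtocol and SSLCipherSuite directives of a mod_ssl fragment the way Apache 2.4 reads them (protocol names with optional + or - prefixes, and <em>all</em> expanding to every protocol the build supports, assumed here to be SSLv3 and TLSv1 through TLSv1.3) and reports legacy protocol versions and weak cipher keywords that are still enabled. The two fragments it checks are the page's own configuration and a hardened variant of it, embedded as constructed test input; the protocol list behind <em>all</em> is an assumption about the build and is labelled as such in the code.</p>

```python
"""Lint the SSLProtocol and SSLCipherSuite directives of a mod_ssl fragment.

Added example for this page; not LemonLDAP::NG or Apache code.  Assumes the
Apache 2.4 grammar: SSLProtocol takes protocol names, each optionally
prefixed with '+' (add) or '-' (remove); 'all' expands to every protocol the
build supports.  SSLv2 is no longer built in, so '-SSLv2' removes nothing.
"""
import re

# What 'all' expands to (assumption: Apache 2.4 with a current OpenSSL).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
KNOWN_PROTOCOLS = ALL_PROTOCOLS + ("SSLv2",)
# Versions a current deployment should not offer.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list keywords that admit weak or unauthenticated suites
# unless they are hard-excluded with a leading '!'.
WEAK_CIPHER_KEYWORDS = {"MEDIUM", "LOW", "EXPORT", "EXP", "NULL", "eNULL",
                        "aNULL", "ADH", "AECDH", "RC4", "DES", "3DES", "MD5"}

# The page's own fragment, embedded as constructed test input.
PAGE_CONFIG = """
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
"""
# The same fragment with the legacy versions and keywords removed.
HARDENED_CONFIG = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /etc/httpd/certs/ow2.cert
"""


def enabled_protocols(args):
    """Expand the SSLProtocol argument string into the set of enabled versions."""
    enabled = set()
    for token in args.split():
        sign, name = "+", token
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        if name.lower() == "all":
            names = ALL_PROTOCOLS
        elif name in KNOWN_PROTOCOLS:
            names = (name,)
        else:
            continue  # mod_ssl would reject an unknown name at startup
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def weak_cipher_keywords(cipher_string):
    """Return weak keywords that appear in an OpenSSL cipher list without '!'.

    '!X' removes X permanently, '-X' removes it unless re-added later, '+X'
    only reorders; a bare keyword adds suites, which is the case we flag.
    """
    flagged = []
    for component in cipher_string.split(":"):
        if not component or component[0] in "!-+":
            continue
        # 'A+B' inside one component means suites matching both A and B.
        for keyword in component.split("+"):
            if keyword in WEAK_CIPHER_KEYWORDS and keyword not in flagged:
                flagged.append(keyword)
    return flagged


def parse_directives(config_text):
    """Return the last SSLProtocol / SSLCipherSuite arguments in a fragment."""
    found = {}
    pattern = re.compile(r"^(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.IGNORECASE)
    for line in config_text.splitlines():
        match = pattern.match(line.split("#", 1)[0].strip())
        if match:
            # Apache directive names are case-insensitive; store a canonical key.
            canonical = "SSLProtocol" if match.group(1).lower() == "sslprotocol" else "SSLCipherSuite"
            found[canonical] = match.group(2)
    return found


def lint_ssl_config(config_text):
    """Return a list of findings; an empty list means nothing legacy was found."""
    findings = []
    directives = parse_directives(config_text)
    if "SSLProtocol" in directives:
        legacy = sorted(enabled_protocols(directives["SSLProtocol"]) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if "SSLCipherSuite" in directives:
        weak = weak_cipher_keywords(directives["SSLCipherSuite"])
        if weak:
            findings.append("weak cipher keywords not excluded: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_ssl_config(text) or ["ok"])
```

<p class="paragraph">Run against the page's fragment it reports SSLv3, TLSv1 and TLSv1.1 as still enabled and MEDIUM as an unexcluded weak keyword; the hardened fragment comes back clean. The script only reads the directives, so it is safe to run on a live configuration file before a reload.</p>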
<p class="paragraph">If your virtual hosts are declared with an explicit port, also
declare the SSL port:</p>

<div class="code">
<pre>
NameVirtualHost *:80
NameVirtualHost *:443
</pre>
</div>

<h3 class="heading-1-1"><span id="HProtectapplicationwithHTTPS">Protect
application with HTTPS</span></h3>

<p class="paragraph"><strong class="strong">Warning</strong>: if you
configure one application (virtual host) with HTTPS, all other virtual
hosts on the same Apache instance <strong class="strong">must</strong> be
configured with HTTPS as well, because they share the same Handler and the
Handler carries a single https setting.</p>

<p class="paragraph">In the virtual host configuration, just add:</p>

<div class="code">
<pre>
SSLEngine On
</pre>
</div>

<p class="paragraph">And set the https flag in the Handler configuration
(/var/lib/lemonldap-ng/handler/MyHandler.pm):</p>

<div class="code">
<pre>
https => 1,
</pre>
</div>

<h3 class="heading-1-1"><span id=
"HTransparentauthenticationtroughSSLcertificates">Transparent
authentication through SSL certificates</span></h3>

<p class="paragraph">This only concerns the portal, which uses SSL client certificates to
authenticate users. The first step is done by Apache mod_ssl, which verifies the
client certificate against the configured CA; LemonLDAP::NG then reads the
environment variables mod_ssl exports to map the certificate to a user
identity.</p>

<p class="paragraph">First, edit the portal virtual host (/etc/lemonldap-ng/apache2.conf):</p>

<div class="code">
<pre>
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
</pre>
</div>

<p class="paragraph">With SSLVerifyClient optional, a client that presents no certificate
still reaches the portal (so the login form can be offered when SSLRequire is 0),
while a certificate that is presented but does not chain to SSLCACertificateFile
within SSLVerifyDepth is rejected during the TLS handshake. SSLOptions +StdEnvVars
exports the certificate fields as SSL_* environment variables, which is how
SSL_CLIENT_S_DN_CN reaches the portal.</p>

<p class="paragraph">Then modify the portal script file
(/var/lib/lemonldap-ng/portal/index.pl):</p>

<div class="code">
<pre>
authentication => 'SSL',
SSLVar => 'SSL_CLIENT_S_DN_CN',
SSLLDAPField => 'uid',
SSLRequire => 0,
</pre>
</div>

<p class="paragraph">The parameters are:</p>

<ul class="star">
<li>authentication: the authentication method, here SSL (can also be LDAP,
Apache, etc.)</li>

<li>SSLVar: the environment variable holding the certificate field that is
assigned to the $user internal variable</li>

<li>SSLLDAPField: the LDAP attribute that the SSLVar value is matched against
to find the user's entry</li>

<li>SSLRequire: if true, do not display the authentication form when SSL
certificate authentication fails (false by default), so a client without a
valid certificate is refused instead of falling back to a password login.</li>
</ul>

<p class="paragraph"><strong class="strong">Note</strong>: SSLLDAPField is not required if
you do not use userDBLDAP. Whichever attribute you map to should be unique in
the directory: a certificate field that matches several entries cannot be
mapped safely.</p>
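<p class="paragraph">The decision the portal has to make with these parameters, written out as an added example for this page (not LemonLDAP::NG's own code): take the certificate field named by SSLVar from the environment mod_ssl exports, refuse to use it unless SSL_CLIENT_VERIFY says the certificate actually verified, escape it before it goes into an LDAP filter on SSLLDAPField, and treat zero or several directory matches as a failure. SSLRequire selects between the login form and a refusal when no verified certificate is present. It goes beyond the page's CN-to-uid case by covering the no-certificate and failed-verification paths. The variable names SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN are mod_ssl's; the directory, the request environments and the in-memory search standing in for LDAP are constructed test data.</p>

```python
"""Map a verified mod_ssl client certificate to a directory user.

Added example for this page, not LemonLDAP::NG code.  Models the portal
decision behind the SSLVar / SSLLDAPField / SSLRequire parameters, working
from the environment variables 'SSLOptions +StdEnvVars' exports.  The
directory and environments are constructed test data; the LDAP search is
replaced by an in-memory exact match.
"""

# Constructed stand-in for the LDAP userDB, keyed by uid.
DIRECTORY = {
    "jdoe": {"uid": "jdoe", "cn": "John Doe", "mail": "jdoe@example.com"},
    "asmith": {"uid": "asmith", "cn": "Alice Smith", "mail": "asmith@example.com"},
}

# Constructed request environments as mod_ssl would populate them.
ENV_VERIFIED = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "jdoe"}
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
ENV_UNVERIFIED = {"SSL_CLIENT_VERIFY": "FAILED:self signed certificate",
                  "SSL_CLIENT_S_DN_CN": "jdoe"}  # reachable only with optional_no_ca
ENV_UNKNOWN = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "mallory"}


def ldap_filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515 section 3).

    The field comes from a certificate the client chose to present, so it is
    attacker-influenced up to whatever the CA will sign; never splice it into
    a filter unescaped.
    """
    escapes = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(escapes.get(ch, ch) for ch in value)


def build_filter(field, value):
    """The search filter a portal would send for SSLLDAPField => field."""
    return "(%s=%s)" % (field, ldap_filter_escape(value))


def certificate_identity(env, ssl_var="SSL_CLIENT_S_DN_CN"):
    """Return the field named by SSLVar, or None without a verified certificate.

    mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the certificate chained
    to SSLCACertificateFile within SSLVerifyDepth.  With SSLVerifyClient
    optional a client may send no certificate (NONE); with optional_no_ca it
    may send one that failed verification (FAILED:...).  Neither is trusted.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return env.get(ssl_var) or None


def search(directory, field, value):
    """In-memory stand-in for the LDAP search: entries whose field equals value."""
    return [entry for entry in directory.values() if entry.get(field) == value]


def authenticate(env, ssl_require=False, ssl_var="SSL_CLIENT_S_DN_CN",
                 ssl_ldap_field="uid"):
    """Portal outcome: ('ok', uid), ('form', None) or ('deny', reason)."""
    identity = certificate_identity(env, ssl_var)
    if identity is None:
        # SSLRequire => 1 refuses; SSLRequire => 0 falls back to the login form.
        return ("deny", "no verified client certificate") if ssl_require else ("form", None)
    matches = search(DIRECTORY, ssl_ldap_field, identity)
    if len(matches) != 1:
        # Zero matches: unknown user.  Several: the attribute is not unique in
        # the directory (a CN often is not); refuse rather than pick one.
        return ("deny", "%s=%r matched %d entries" % (ssl_ldap_field, identity, len(matches)))
    return ("ok", matches[0]["uid"])


if __name__ == "__main__":
    for name, env in (("verified", ENV_VERIFIED), ("no cert", ENV_NO_CERT),
                      ("unverified", ENV_UNVERIFIED), ("unknown", ENV_UNKNOWN)):
        print(name, authenticate(env), authenticate(env, ssl_require=True))
    print(build_filter("uid", "jdoe)(uid=*"))
```

<p class="paragraph">The SSL_CLIENT_VERIFY check is redundant with SSLVerifyClient optional, where an unverifiable certificate never completes the handshake, but it costs nothing and protects the mapping if someone later relaxes the directive to optional_no_ca. The filter escaping is what keeps a crafted CN such as <code>jdoe)(uid=*</code> from widening the LDAP search.</p>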
</div>

<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>