1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="ssl" id="ssl">SSL</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"> ✔ </td><td class="col1"> </td><td class="col2"> </td>
</tr>
</table>
</div>
<!-- SECTION "SSL" [1-70] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> uses <a href="http://httpd.apache.org/docs/current/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel="nofollow">Apache SSL module</a>, like any other <a href="../../documentation/1.3/authapache.html" class="wikilink1" title="documentation:1.3:authapache">Apache authentication module</a>, with extra features:
</p>
<ul>
<li class="level1"><div class="li"> Choice of any certificate attribute as user main login</div>
</li>
<li class="level1"><div class="li"> Allow no certificate to chain with other authentication methods</div>
</li>
</ul>
</div>
<!-- SECTION "Presentation" [71-394] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
</div>
<!-- SECTION "Configuration" [395-421] -->
<h3><a name="enable_ssl_in_apache" id="enable_ssl_in_apache">Enable SSL in Apache</a></h3>
<div class="level3">
<p>
You have to install mod_ssl for Apache.
</p>
<p>
For CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_ssl</pre>
<p>
In Debian/Ubuntu mod_ssl is already shipped in <code>apache2.2-common</code> package.
</p>
<p>
<p><div class="notetip">For CentOS/RHEL, We advice to disable the default <acronym title="Secure Sockets Layer">SSL</acronym> virtual host configured in /etc/httpd/conf.d/ssl.conf.
</div></p>
</p>
</div>
<!-- SECTION "Enable SSL in Apache" [422-758] -->
<h3><a name="apache_ssl_global_configuration" id="apache_ssl_global_configuration">Apache SSL global configuration</a></h3>
<div class="level3">
<p>
You can then use this default <acronym title="Secure Sockets Layer">SSL</acronym> configuration, for example in the head of /etc/lemonldap-ng/portal-apache2.conf:
</p>
<pre class="code file apache"><span class="kw1">SSLProtocol</span> <span class="kw2">all</span> -SSLv2
<span class="kw1">SSLCipherSuite</span> HIGH:MEDIUM
<span class="kw1">SSLCertificateFile</span> /etc/httpd/certs/ow2.cert
<span class="kw1">SSLCertificateKeyFile</span> /etc/httpd/certs/ow2.key
<span class="kw1">SSLCACertificateFile</span> /etc/httpd/certs/ow2-ca.cert</pre>
<p>
<p><div class="noteclassic">
Put your own files instead of <code>ow2.cert</code>, <code>ow2.key</code>, <code>ow2-ca.cert</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>SSLCertificateFile</strong>: Server certificate</div>
</li>
<li class="level1"><div class="li"> <strong>SSLCertificateKeyFile</strong>: Server private key</div>
</li>
<li class="level1"><div class="li"> <strong>SSLCACertificateFile</strong>: CA certificate to validate client certificates</div>
</li>
</ul>
<p>
</div></p>
</p>
<p>
If you specify port in virtual host, then declare <acronym title="Secure Sockets Layer">SSL</acronym> port:
</p>
<pre class="code file apache"><span class="kw1">NameVirtualHost</span> *:80
<span class="kw1">NameVirtualHost</span> *:<span class="nu0">443</span></pre>
</div>
<!-- SECTION "Apache SSL global configuration" [759-1524] -->
<h3><a name="apache_portal_ssl_configuration" id="apache_portal_ssl_configuration">Apache portal SSL configuration</a></h3>
<div class="level3">
<p>
Edit the portal virtual host to enable <acronym title="Secure Sockets Layer">SSL</acronym> double authentication:
</p>
<pre class="code file apache"><span class="kw1">SSLEngine</span> <span class="kw2">On</span>
<span class="kw1">SSLVerifyClient</span> optional
<span class="kw1">SSLVerifyDepth</span> 10
<span class="kw1">SSLOptions</span> +StdEnvVars
<span class="kw1">SSLUserName</span> SSL_CLIENT_S_DN_CN</pre>
<p>
All <acronym title="Secure Sockets Layer">SSL</acronym> options are documented in <a href="http://httpd.apache.org/docs/current/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_ssl.html" rel="nofollow">Apache mod_ssl page</a>.
</p>
<p>
Here are the main options used by <acronym title="LemonLDAP::NG">LL::NG</acronym>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>SSLVerifyClient</strong>: set to <code>optional</code> to allow user with a bad certificate to access to <acronym title="LemonLDAP::NG">LL::NG</acronym> portal page. To switch to another authentication backend, use the <a href="../../documentation/1.3/authmulti.html" class="wikilink1" title="documentation:1.3:authmulti">Multi</a> module, for example: <code>Multi <acronym title="Secure Sockets Layer">SSL</acronym>;<acronym title="Lightweight Directory Access Protocol">LDAP</acronym></code></div>
</li>
<li class="level1"><div class="li"> <strong>SSLOptions</strong>: set to <code>+StdEnvVars</code> to get certificate fields in environment variables</div>
</li>
<li class="level1"><div class="li"> <strong>SSLUserName</strong> (optional): certificate field that will be used to identify user in <acronym title="LemonLDAP::NG">LL::NG</acronym> portal virtual host</div>
</li>
</ul>
</div>
<!-- SECTION "Apache portal SSL configuration" [1525-2361] -->
<h3><a name="configuration_of_lemonldapng" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></h3>
<div class="level3">
<p>
In Manager, go in <code>General Parameters</code> > <code>Authentication modules</code> and choose <acronym title="Secure Sockets Layer">SSL</acronym> for authentication.
</p>
<p>
<p><div class="notetip">You can then choose any other module for users and password.
</div></p>
</p>
<p>
Then, go in <code><acronym title="Secure Sockets Layer">SSL</acronym> parameters</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: authentication level for this module</div>
</li>
<li class="level1"><div class="li"> <strong>Extracted certificate field</strong>: field of the certificate affected to $user internal variable</div>
</li>
</ul>
</div>
<!-- SECTION "Configuration of LemonLDAP::NG" [2362-] --></div><!-- closes <div class="dokuwiki export">-->
|
