Monday, March 15, 2010

Part 2- Configuring Apache to use LDAP Authentication

After trial and error I found a configuration that worked for me. I have an IIS CA set up on my network. I figured it would be the trickiest to get working.

In this version (2.2.14) of Apache it is important to know that LDAPTrustedGlobalCert is a fairly new directive. Some blogs still reference an older setting that is not valid with this version.
I took the default httpd.conf and added a URL that I wanted protected with LDAP authentication.


SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


#### Here are the pieces I added.

LDAPTrustedGlobalCert CA_BASE64 /opt/app/apache2/conf/certs/LDAP/iis-root.cer

# httpd only accepts comments on their own line, never after a directive.
# If you use this set to Off it is not valid for production environments.
LDAPVerifyServerCert On

# Placeholder path: substitute the URL you actually want protected.
<Location /protected>
    AuthType Basic
    AuthName "LDAP Protected"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # I also don't suggest you use this account!!
    AuthLDAPBindDN "cn=directory manager"
    AuthLDAPBindPassword admin123
    # Plain ldap:// variant, kept for reference only:
    #AuthLDAPURL "ldap://dev04.company.com:1640/o=abc,c=us?uid?sub?(objectClass=*)"
    AuthLDAPURL "ldaps://dev04.company.com:4001/o=abc,c=us?uid?sub?(objectClass=*)"
    Require valid-user
</Location>

### End of File

My notes are these. Make sure you have LDAPVerifyServerCert set to On. Setting it to Off allows any certificate to be used and pretty much defeats the purpose of SSL: although you may have encryption, with that set incorrectly you won't know who you are talking to.
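The pitfalls in this post (a trailing comment after a directive, an unclosed quote, verification switched Off, a plain ldap:// URL, binding as the directory superuser) are easy to check for before restarting httpd. The linter below is an added example, not part of the original post; the two config fragments are constructed for it, and the bind DN and password in the corrected fragment are placeholders.

```python
# Constructed httpd.conf fragment reproducing the pitfalls from the post.
SAMPLE_CONF = """
LDAPTrustedGlobalCert CA_BASE64 /opt/app/apache2/conf/certs/LDAP/iis-root.cer
LDAPVerifyServerCert Off #not valid for production
AuthLDAPBindDN "cn=directory manager"
AuthLDAPBindPassword admin123
AuthLDAPURL "ldap://dev04.company.com:1640/o=abc,c=us?uid?sub?(objectClass=*)
Require valid-user
"""

# Same fragment with the problems corrected (bind DN and password are placeholders).
FIXED_CONF = """
LDAPTrustedGlobalCert CA_BASE64 /opt/app/apache2/conf/certs/LDAP/iis-root.cer
LDAPVerifyServerCert On
AuthLDAPBindDN "cn=apache-bind,ou=services,o=abc,c=us"
AuthLDAPBindPassword CHANGEME
AuthLDAPURL "ldaps://dev04.company.com:4001/o=abc,c=us?uid?sub?(objectClass=*)"
Require valid-user
"""

def lint_ldap_conf(text):
    """Return (line_no, message) findings for a mod_ldap / mod_authnz_ldap fragment."""
    findings = []
    saw_global_cert = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or whole-line comment: the only comment form httpd accepts
        parts = line.split(None, 1)
        directive = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        key = directive.lower()  # httpd directive names are case-insensitive
        if "#" in args:  # a trailing '#...' is parsed as extra arguments, not a comment
            findings.append((no, f"{directive}: trailing '#' comment breaks the directive"))
        if args.count('"') % 2:  # an odd quote count means a quoted argument was left open
            findings.append((no, f"{directive}: unbalanced double quote"))
        if key == "ldaptrustedglobalcert":
            saw_global_cert = True
        elif key == "ldapverifyservercert" and args.lower().split()[:1] == ["off"]:
            findings.append((no, "LDAPVerifyServerCert Off accepts any server certificate"))
        elif key == "authldapurl" and args.lstrip('"').lower().startswith("ldap://"):
            findings.append((no, "AuthLDAPURL uses plain ldap://; the bind crosses the network unencrypted"))
        elif key == "authldapbinddn" and "cn=directory manager" in args.lower():
            findings.append((no, "AuthLDAPBindDN is the directory superuser; bind with a low-privilege account"))
    if not saw_global_cert:
        findings.append((0, "no LDAPTrustedGlobalCert: ldaps:// has no CA to verify the server against"))
    return findings
```

Running `lint_ldap_conf(SAMPLE_CONF)` reports five findings on lines 3, 4 and 6 of the sample, while the corrected fragment comes back clean.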

I did not have any luck when I wanted to trust a single individual certificate. I tried pulling the LDAP server's certificate from a Sun LDAP Directory but Apache would never seem to trust an individual certificate no matter what setting I used.

I then changed the Sun LDAP Directory Server certificate to use a certificate from a CA. That worked, even with a Microsoft CA, Sun LDAP, and Apache using the OpenSSL libraries for connectivity.
