SSL

Authentication Users Password

Presentation

LL::NG uses the Apache SSL module (mod_ssl), like any other Apache authentication module, with two extra features:

  • Any certificate attribute can be chosen as the user's main login
  • A user who presents no certificate can fall back to (chain with) other authentication methods

Configuration

Enable SSL in Apache

You have to install mod_ssl for Apache.

For CentOS/RHEL:

yum install mod_ssl

On Debian/Ubuntu, mod_ssl is already shipped in the apache2.2-common package.

On CentOS/RHEL, we advise disabling the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.

Apache SSL global configuration

You can then use this default SSL configuration, for example at the top of /etc/lemonldap-ng/portal-apache2.conf:

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert

Replace ow2.cert, ow2.key and ow2-ca.cert with your own files:

  • SSLCertificateFile: Server certificate
  • SSLCertificateKeyFile: Server private key
  • SSLCACertificateFile: CA certificate to validate client certificates

If you specify the port in the virtual host declaration, also declare the SSL port:

NameVirtualHost *:80
NameVirtualHost *:443

Apache portal SSL configuration

Edit the portal virtual host to enable SSL client certificate (mutual) authentication:

SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN

All SSL options are documented on the Apache mod_ssl page.

Here are the main options used by LL::NG:

  • SSLVerifyClient: set to optional so that a user without a valid certificate can still reach the LL::NG portal page (to see an error message or use another authentication method)
  • SSLOptions: set to +StdEnvVars to export the certificate fields as environment variables
  • SSLUserName (optional): the certificate field used to identify the user in the LL::NG portal virtual host

Configuration of LemonLDAP::NG

In the Manager, go to General Parameters > Authentication modules and choose SSL for authentication.

You can then choose any other module for users and password.

Then go to SSL parameters:

  • Authentication level: authentication level granted by this module
  • Extracted certificate field: certificate field assigned to the $user internal variable
  • LDAP attribute used in filter: attribute of the LDAP directory used to map the extracted field to a user entry
  • SSL Required: if true, do not allow another authentication method when SSL certificate authentication fails (false by default)

LDAP attribute used in filter is not required if you do not use an LDAP users database; in that case, the extracted certificate field value itself is used to match the user.
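To make the chaining behaviour of the Apache and LL::NG settings above concrete, here is an added example that is not LL::NG's own code: a constructed model of the portal-side decision once mod_ssl has run with SSLOptions +StdEnvVars and SSLVerifyClient optional. It reads the SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_* variables that mod_ssl exports, applies the SSL Required switch, and shows why the extracted field must be escaped before it is placed in the LDAP filter. The sample environments and the function names are assumptions made for this example.

```python
"""Constructed model (not LL::NG code) of what the portal decides after
mod_ssl has exported the client certificate fields (StdEnvVars)."""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class SslDecision:
    user: Optional[str]      # value for the $user internal variable, or None
    fallback_allowed: bool   # may another authentication module be tried?
    reason: str


def ssl_auth_decision(env: Mapping[str, str],
                      extracted_field: str = "SSL_CLIENT_S_DN_CN",
                      ssl_required: bool = False) -> SslDecision:
    """env is the CGI environment exported by mod_ssl with +StdEnvVars."""
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE (no certificate presented),
    # SUCCESS (chain validated against SSLCACertificateFile) or, only with
    # optional_no_ca, GENEROUS / FAILED:<reason>. Only SUCCESS is trusted.
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "SUCCESS":
        value = env.get(extracted_field, "").strip()
        if value:
            return SslDecision(value, False, "client certificate verified")
        return SslDecision(None, not ssl_required,
                           f"verified certificate has no {extracted_field}")
    if verify == "NONE":
        # SSLVerifyClient optional lets the request through without a
        # certificate; 'SSL Required' decides whether chaining is allowed.
        return SslDecision(None, not ssl_required, "no client certificate")
    return SslDecision(None, not ssl_required, f"certificate not trusted: {verify}")


def ldap_filter(attribute: str, value: str) -> str:
    """Build the mapping filter with RFC 4515 escaping: the subject field comes
    from a certificate, so it must not be able to alter the filter."""
    escaped = (value.replace("\\", "\\5c").replace("*", "\\2a")
               .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))
    return f"({attribute}={escaped})"


# Constructed sample environments, shaped like mod_ssl's StdEnvVars output.
VERIFIED_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "jdoe",
                "SSL_CLIENT_S_DN": "/O=Example/CN=jdoe"}
NO_CERT_ENV = {"SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for env in (VERIFIED_ENV, NO_CERT_ENV):
        d = ssl_auth_decision(env)
        print(d, ldap_filter("cn", d.user) if d.user else "-> try next module")
```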