Configuring Apache for SSL and LDAP authentication

2006 April 20
tags: , ,
by Karen

Imagine you have a directory on your web server you want to protect so that people have to login to see the item in it. You don’t want to give them a different password to remember but use an existing username/password in an LDAP directory. You want to make sure that when they login that their username and password are sent encrypted across the network. Below are directions to do exactly what I describe. That is if you have an LDAP server.

The Head of Computer and Networking Systems originally wrote these directions (which are amazing and better than most of what I found on the web) when I wanted to password protect our internal blogs. I’ve updated them to be more generic and posted them because they are relevant if you want to set up LDAP authentication for MediaWiki. Note that steps f to i in the section “Configure LDAPs authentication for Directory access”

Set up SSL on Web Server

  1. On the server where you want to perform SSL, Generate Server Private key (one time)
    1. Remove default keys
      cd /etc/apache2/
      rm ssl.key/server.key
      rm ssl.crt/server.crt
    2. Generate new private key
      /usr/bin/openssl genrsa 1024 > /etc/apache2/ssl.key/server.key
    3. Set secure permissions on key file
      chmod go-rwx /etc/apache2/ssl.key/server.key
  2. Create self-signed certificate
    1. Create certificate

      /usr/bin/openssl req -new -key /etc/apache2/ssl.key/server.key -x509 -days 365 -out
      /etc/apache2/ssl.crt/server.crt

      You are about to be asked to enter information that will be incorporated
      into your certificate request.

      What you are about to enter is what is called a Distinguished Name or a DN.

      There are quite a few fields but you can leave some blank

      For some fields there will be a default value,
      If you enter ‘.’, the field will be left blank.
      —–

      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]: State
      Locality Name (eg, city) []: City
      Organization Name (eg, company) [Internet Widgits Pty Ltd]: Some Organization
      Organizational Unit Name (eg, section) []: Some Unit
      Common Name (eg, YOUR name) []: server.webaddress.com
      Email Address []: email@address.com

  3. Configure apache for SSL
    1. Tell apache SSL port
      1. Edit /etc/apache2/listen.conf and remove # before:
        Listen 443
      2. Copy virtual host template file (must end in .conf)

        cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
      3. Change the following lines in /etc/apache2/vhosts.d/vhost-ssl.conf

        #<IfDefine SSL>

        #<IfDefine !NOSSL>

        <VirtualHost server.webaddress.com:443>

        DocumentRoot “/srv/www/htdocs”

        ServerName server.webaddress.com:443

        ServerAdmin email@address.com

        ErrorLog /var/log/apache2/error_443_log

        TransferLog /var/log/apache2/access_443_log
        #</IfDefine>

        #</IfDefine>

    2. Restart Apache with new configuration

      Apache2ctl stop
      Apache2ctl start
    3. Use Netstat to check to see if httpd is listening on port 443
      netstat -anp |more
    4. Open port on Firewall for 443
  1. Test in web browser https://server.webaddress.com

Configure LDAPs authentication for Directory access

  1. Import certificate for ldap server into the web server where you want to authenticate via LDAP

    1. Export server certificate from your LDAP server
    2. Open exported certificate file and copy text
    3. Create file /etc/apache2/server-name.crt
    4. Paste certificate text into file
    5. Edit /etc/apache2/default-server.conf and add following lines:

      LDAPTrustedCAType    BASE64_FILE
      LDAP
      TrustedCA                       /etc/apache2/server-name.crt

    6. Edit /etc/apache2/vhosts.d/vhost-ssl.conf
      1. Add lines following between <VirtualHost> and </VirtualHost>
        <Directory /srv/www/htdocs/directory_you_want_to_protect_with_ldap>

        AuthType Basic
        AuthName “LDAPs Login”

        AuthLDAPEnabled on

        AuthLDAPURL “ldaps://ldapserver.domain.edu:ldapport#/OU=usergroup,DC=subdomain,DC=mydomain,DC=edu?sAMAccountName?sub?(objectClass=*)”

        AuthLDAPBindDN “CN=bindaccount,CN=usergroup,DC=subdomain,DC=mydomain,DC=edu”

        AuthLDAPBindPassword (bindaccountpassword)
        AuthLDAPAuthoritative off
        require valid-user
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from IP range you want to allow access from
        </Directory>

    7. Edit /etc/apache2/sysconfig.d/loadmodule.conf and add following
      lines:

      LoadModule ldap_module /usr/lib/apache2/mod_ldap.so

      LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so

    8. Restart Apache with new configuration

      Apache2ctl stop
      Apache2ctl start

    9. Test in web browser – https://server.webaddress.com/directory_you_want_to_protect_with_ldap

from → Tech Configuration Tidbits

One Response leave one →
  1. 2011 May 14
    Rishi permalink

    http://reddragon-linux.blogspot.com/2011/05/linux-apache-directories-with-ldap.html

Leave a Reply

Note: You can use basic XHTML in your comments. Your email address will never be published.

Subscribe to this comment feed via RSS