Apache2 + SSL + LDAP Authentication HOWTO
Date: 2006-04-17 Source: huanghaojie
Posted at February 23, 2005 05:20 PM in General.
ITS provides a central LDAP server that lets server operators authenticate users with their Case network ID and password. Talking to the LDAP server over clear-text (normal) LDAP and doing the authentication there is relatively easy. With that method, however, users' network usernames and passwords cross the wire in clear text and can be intercepted (unlikely in practice on Case's internal switched network, but a switched network does not prevent interception). This document explains how to set up your web server so that it talks to the LDAP server over an encrypted connection.
Using SSL to talk to the LDAP server is a painful process. LDAP and SSL are very picky when it comes to working together. I learned this the hard way.
1. Compiling and Installing the Programs
- Download Sources
- Install OpenSSL
  - tar xvzf openssl-0.9.7e.tar.gz
  - cd openssl-0.9.7e
  - ./config --prefix=/usr/local/openssl shared
  - make
  - make install
  - ln -s /usr/local/openssl/bin/openssl /usr/local/bin/openssl
- Install OpenLDAP (built against the OpenSSL above, which is what the CPPFLAGS/LDFLAGS export is for)
  - tar xvzf openldap-stable-20050125.tgz
  - cd openldap-2.2.23
  - export CPPFLAGS="-I/usr/local/openssl/include" LDFLAGS="-L/usr/local/openssl/lib"; \
    ./configure \
    --prefix=/usr/local/ \
    --sysconfdir=/etc/openldap \
    --enable-ipv6 \
    --with-tls \
    --disable-slurpd \
    --disable-slapd \
    --with-openssl=/usr/local/openssl
  - make depend
  - make
  - make install
- Install Apache 2
  - tar xvzf httpd-2.0.53.tar.gz
  - cd httpd-2.0.53
  - ./configure \
    --prefix=/usr/local/apache2 \
    --enable-so \
    --enable-ssl \
    --enable-mods-shared=all \
    --with-ssl=/usr/local/openssl \
    --enable-ldap \
    --enable-auth_ldap \
    --with-ldap
  - make
  - make install
2. Obtain Case LDAP Certificate
- Download the Entrust chain certificate (link)
- Copy the entrust-chain-cert.pem file to /usr/local/apache2/conf/case.pem
3. Obtain an LDAP DN lookup user
- E-mail [email protected] and ask for an account to do this.
4. Configure Apache to Use LDAP Authentication
- Add the following anywhere in your httpd.conf file:
LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA /usr/local/apache2/conf/case.pem
- For every <Location> or <Directory> you want protected by LDAP, add the following:
AuthType Basic
AuthName "Case Network ID"
AuthLDAPURL "ldaps://ldap-replica1.cwru.edu/ou=People,o=cwru.edu,o=isp?uid"
AuthLDAPBindDN "DN of special user given to you by ITS"
AuthLDAPBindPassword "Password of the special user given to you"
require valid-user
- AuthLDAPBindPassword is stored in clear text, so keep httpd.conf readable only by root; httpd reads its configuration as root before dropping privileges, so no wider access is needed.
5. Pray
- Start up Apache
- Visit http://127.0.0.1 to see if the server started
- Make sure that you find:
[notice] LDAP: Built with OpenLDAP LDAP SDK
[notice] LDAP: SSL support available
in the output of /usr/local/apache2/logs/error_log. Without the second line, mod_ldap cannot open an ldaps:// connection even though httpd starts normally.
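Once the build and configuration are done, the following shell script (an added example, not part of the original HOWTO) automates the checks behind step 5: it confirms the two notices in error_log, confirms that httpd and its loadable modules resolve libssl from the OpenSSL built in step 1 rather than a system copy, and verifies the LDAP server's certificate chain against the same CA file handed to LDAPTrustedCA. Paths are the --prefix values used above; the hostname and CA file are the ones from the httpd.conf fragment. The selftest mode runs on constructed log lines, not real server output.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: post-build checks for the
# Apache/OpenLDAP/OpenSSL build above. Paths are the HOWTO's --prefix values;
# the LDAP host and CA file are the ones from its httpd.conf fragment.
APACHE_PREFIX=${APACHE_PREFIX:-/usr/local/apache2}
OPENSSL_PREFIX=${OPENSSL_PREFIX:-/usr/local/openssl}
LDAP_HOST=${LDAP_HOST:-ldap-replica1.cwru.edu}
CA_FILE=${CA_FILE:-$APACHE_PREFIX/conf/case.pem}

# Succeed only if the given error_log carries both notices the HOWTO tells
# you to look for. httpd starts cleanly without the second one, but an
# ldaps:// AuthLDAPURL cannot work without it.
check_ldap_notices() {
    grep -q 'LDAP: Built with OpenLDAP LDAP SDK' "$1" || return 1
    grep -q 'LDAP: SSL support available' "$1" || return 1
}

# Succeed only if httpd or one of its loadable modules resolves libssl from
# the OpenSSL prefix built above. Picking up a system libssl instead (the
# reason for the CPPFLAGS/LDFLAGS export in the OpenLDAP step) is a common
# cause of ldaps:// failing on a server that still logs "SSL support available".
check_ssl_linkage() {
    for f in "$APACHE_PREFIX/bin/httpd" "$APACHE_PREFIX"/modules/*.so; do
        [ -f "$f" ] && ldd "$f"
    done 2>/dev/null | grep -q "$OPENSSL_PREFIX/lib/libssl"
}

# Succeed only if the LDAP server's certificate chain verifies against the
# CA file mod_ldap is given via LDAPTrustedCA. If this fails, mod_ldap's
# TLS handshake to the same host will fail for the same reason.
check_ldaps_chain() {
    "$OPENSSL_PREFIX/bin/openssl" s_client -connect "$LDAP_HOST:636" \
        -CAfile "$CA_FILE" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Offline self-test on constructed log lines (not real error_log output).
selftest() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        '[Tue Feb 22 17:00:00 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK' \
        '[Tue Feb 22 17:00:00 2005] [notice] LDAP: SSL support available' >"$tmp"
    if check_ldap_notices "$tmp"; then ok=0; else ok=1; fi
    rm -f "$tmp"
    return $ok
}

case "${1:-}" in
    selftest)
        selftest && echo "selftest ok"
        ;;
    verify)
        check_ldap_notices "$APACHE_PREFIX/logs/error_log" \
            && echo "error_log notices: ok" || echo "error_log notices: MISSING"
        check_ssl_linkage \
            && echo "libssl linkage: ok" || echo "libssl linkage: NOT $OPENSSL_PREFIX"
        check_ldaps_chain \
            && echo "ldaps chain to $LDAP_HOST: ok" || echo "ldaps chain to $LDAP_HOST: FAILED"
        ;;
esac
```

Run it as `sh verify-ldap-build.sh verify` on the server after step 5; `sh verify-ldap-build.sh selftest` exercises the log check offline. The chain check uses the same OpenSSL binary httpd was built against, so a "Verify return code" other than 0 (ok) points at the CA file or the server's certificate rather than at Apache.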
6. Post Configuration
You will obviously want to set up Apache to use SSL between the client and the server as well. Doing this is beyond the scope of this document. Once it is done, make sure every protected location on your site is reachable only over SSL, because browsers resend the username and password with every request to a Basic-auth area. A good way to do this is with mod_rewrite, but put the redirect to https:// in the server or port-80 virtual-host configuration rather than inside the protected <Location>: per-directory RewriteRules run after authentication, so a redirect placed there fires only after the browser has already sent the credentials in clear text.
Another good idea is to set up LDAP query caching. This speeds up page requests because, once a client's authenticity has been established, the result of the query is kept on the server and later requests need not contact the LDAP server at all. Keep in mind that a cached result also outlives a password change or account lockout in the directory until its TTL expires. See the mod_ldap documentation for the cache directives, and the mod_auth_ldap documentation for further configuration options.
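Pulling sections 4 and 6 together, here is a shell script (an added example, not from the original HOWTO) that generates a complete configuration fragment for one protected location and installs it with restrictive permissions. The LDAP URL, CA path and AuthName are the HOWTO's; the /secure location, the bind DN and the password are placeholders for the values ITS provides; the cache sizes are illustrative. It assumes mod_ssl, mod_rewrite, mod_ldap and mod_auth_ldap are available in the httpd built above, and that the SSL site is a separate virtual host, as in mod_ssl's default configuration.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. Generates an Apache 2.0
# config fragment for one LDAP-protected location and installs it with the
# permissions the bind password deserves. The LDAP URL, CA path and AuthName
# are the HOWTO's; the location, bind DN and password are placeholders.
APACHE_PREFIX=${APACHE_PREFIX:-/usr/local/apache2}

# Print the fragment. Two things the bare section-4 snippet does not cover:
#  - The https:// redirect lives at server level (i.e. the port-80 side),
#    not inside <Location>: per-directory RewriteRules run after
#    authentication, so a redirect inside <Location> would fire only after
#    the browser had already sent the Basic credentials in clear text.
#  - SSLRequireSSL inside <Location> rejects any plain-HTTP request that
#    slips past the redirect before mod_auth_ldap ever asks for a password.
ldap_auth_fragment() {
    location=$1; bind_dn=$2; bind_pw=$3
    cat <<EOF
# generated by ldap-auth.sh; holds AuthLDAPBindPassword, keep mode 0600
LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA $APACHE_PREFIX/conf/case.pem

# mod_ldap cache tuning (illustrative values): 1024 search/bind results and
# 1024 compare results, each kept 10 minutes, in 500 KB of shared memory.
# Remember that a cached result outlives a password change until its TTL expires.
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# Server-level rewrite: bounce plain-HTTP requests for the protected area to
# https:// before any authentication phase runs. Move these three lines into
# your port-80 <VirtualHost> if you have one; vhosts do not inherit them.
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443\$
RewriteRule ^$location(/.*)?\$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<Location $location>
    SSLRequireSSL
    AuthType Basic
    AuthName "Case Network ID"
    AuthLDAPURL "ldaps://ldap-replica1.cwru.edu/ou=People,o=cwru.edu,o=isp?uid"
    AuthLDAPBindDN "$bind_dn"
    AuthLDAPBindPassword "$bind_pw"
    require valid-user
</Location>
EOF
}

# Write the fragment under a 0600 umask, make sure httpd.conf includes it,
# then let httpd validate the syntax before anything is restarted.
install_fragment() {
    conf=$APACHE_PREFIX/conf/httpd.conf
    frag=$APACHE_PREFIX/conf/ldap-auth.conf
    umask 077
    ldap_auth_fragment "$1" "$2" "$3" >"$frag"
    grep -q "^Include $frag" "$conf" || echo "Include $frag" >>"$conf"
    "$APACHE_PREFIX/bin/httpd" -t
}

case "${1:-}" in
    demo)
        # placeholder DN and password; ITS supplies the real ones
        ldap_auth_fragment /secure 'cn=REPLACE-WITH-ITS-DN' 'REPLACE-WITH-PASSWORD'
        ;;
    install)
        [ $# -eq 4 ] || { echo "usage: $0 install <location> <bind DN> <password>" >&2; exit 2; }
        install_fragment "$2" "$3" "$4"
        ;;
esac
```

`sh ldap-auth.sh demo` prints the fragment with placeholders; `sh ldap-auth.sh install /secure '<bind DN>' '<password>'` writes it to conf/ldap-auth.conf, appends an Include to httpd.conf and runs `httpd -t`. The 0600 mode matters because the fragment carries the bind password: httpd reads it as root at startup, so nothing else needs access. The redirect and SSLRequireSSL are deliberately redundant; the redirect keeps users' browsers from ever sending credentials over port 80, and SSLRequireSSL guarantees a 403 rather than a password prompt if the redirect is ever bypassed or misplaced.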
Good Luck!