Configuring Apache for SSL and LDAP authentication

tags: apache, ldap, ssl

Imagine you have a directory on your web server you want to protect so that people have to login to see the item in it. You don’t want to give them a different password to remember but use an existing username/password in an LDAP directory. You want to make sure that when they login that their username and password are sent encrypted across the network. Below are directions to do exactly what I describe. That is if you have an LDAP server.

The Head of Computer and Networking Systems originally wrote these directions (which are amazing and better than most of what I found on the web) when I wanted to password protect our internal blogs. I’ve updated them to be more generic and posted them because they are relevant if you want to set up LDAP authentication for MediaWiki. Note that steps f to i in the section “Configure LDAPs authentication for Directory access”

Set up SSL on Web Server

On the server where you want to perform SSL, Generate Server Private key (one time)
1. Remove default keys
  cd /etc/apache2/
  rm ssl.key/server.key
  rm ssl.crt/server.crt
2. Generate new private key
  /usr/bin/openssl genrsa 1024 > /etc/apache2/ssl.key/server.key
3. Set secure permissions on key file
  chmod go-rwx /etc/apache2/ssl.key/server.key
Create self-signed certificate
1. Create certificate
  
  /usr/bin/openssl req -new -key /etc/apache2/ssl.key/server.key -x509 -days 365 -out
  /etc/apache2/ssl.crt/server.crt
  
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  
  What you are about to enter is what is called a Distinguished Name or a DN.
  
  There are quite a few fields but you can leave some blank
  
  For some fields there will be a default value,
  If you enter ‘.’, the field will be left blank.
  —–
  
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]: State
  Locality Name (eg, city) []: City
  Organization Name (eg, company) [Internet Widgits Pty Ltd]: Some Organization
  Organizational Unit Name (eg, section) []: Some Unit
  Common Name (eg, YOUR name) []: server.webaddress.com
  Email Address []: email@address.com
Configure apache for SSL
1. Tell apache SSL port
  1. Edit /etc/apache2/listen.conf and remove # before:
    Listen 443
  2. Copy virtual host template file (must end in .conf)
    
    cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
  3. Change the following lines in /etc/apache2/vhosts.d/vhost-ssl.conf
    #<IfDefine SSL>
    
    #<IfDefine !NOSSL>
    
    <VirtualHost server.webaddress.com:443>
    
    DocumentRoot “/srv/www/htdocs”
    
    ServerName server.webaddress.com:443
    
    ServerAdmin email@address.com
    
    ErrorLog /var/log/apache2/error_443_log
    
    TransferLog /var/log/apache2/access_443_log
    #</IfDefine>
    
    #</IfDefine>
2. Restart Apache with new configuration
  
  Apache2ctl stop
  Apache2ctl start
3. Use Netstat to check to see if httpd is listening on port 443
  netstat -anp |more
4. Open port on Firewall for 443

Test in web browser https://server.webaddress.com

Configure LDAPs authentication for Directory access

Import certificate for ldap server into the web server where you want to authenticate via LDAP
1. Export server certificate from your LDAP server
2. Open exported certificate file and copy text
3. Create file /etc/apache2/server-name.crt
4. Paste certificate text into file
5. Edit /etc/apache2/default-server.conf and add following lines:
  LDAPTrustedCAType BASE64_FILE
  LDAP
  TrustedCA /etc/apache2/server-name.crt
6. Edit /etc/apache2/vhosts.d/vhost-ssl.conf
  1. Add lines following between <VirtualHost> and </VirtualHost>
    <Directory /srv/www/htdocs/directory_you_want_to_protect_with_ldap>
    
    AuthType Basic
    AuthName “LDAPs Login”
    
    AuthLDAPEnabled on
    
    AuthLDAPURL “ldaps://ldapserver.domain.edu:ldapport#/OU=usergroup,DC=subdomain,DC=mydomain,DC=edu?sAMAccountName?sub?(objectClass=*)”
    
    AuthLDAPBindDN “CN=bindaccount,CN=usergroup,DC=subdomain,DC=mydomain,DC=edu”
    
    AuthLDAPBindPassword (bindaccountpassword)
    AuthLDAPAuthoritative off
    require valid-user
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from IP range you want to allow access from
    </Directory>
7. Edit /etc/apache2/sysconfig.d/loadmodule.conf and add following
  lines:
  
  LoadModule ldap_module /usr/lib/apache2/mod_ldap.so
  
  LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so
8. Restart Apache with new configuration
  Apache2ctl stop
  Apache2ctl start
9. Test in web browser – https://server.webaddress.com/directory_you_want_to_protect_with_ldap

Xác thực ldap: Cần có một server đã được thiết lập xác thực ldap - vd.
https://code.google.com/p/openssl-for-windows/downloads/list
serverxacthuldap.compnay.com

1. Chạy trên Xampp
1.1. cấu hình
mở file ở thư mục cài đặt xampp
tìm tới vd: C:\xampp\php\php.ini
;extension=php_ldap.dll
bỏ comment màu đỏ đi ->extension=php_ldap.dll
1.2. Code thực thi
<html>
<head></head>
<body>
<?php

// using ldap bind
$ldaprdn = 'username@company.com'; // ldap rdn or dn
$ldappass = '123456'; // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldap://serverxacthuldap.compnay.com") // Địa chỉ domain hoặc server dùng để xác thực
or die("Could not connect to LDAP server.");

if ($ldapconn) {

// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

// verify binding
if ($ldapbind) {
echo "LDAP bind successful...";
} else {
echo "LDAP bind failed...";
}

}

?>
</body>
</html>

raising values

Thứ Sáu, 17 tháng 10, 2014

Qui đổi thời gian từ một tuần cụ thể trong một năm ra ngày bắt đầu của tuần và ngày kết thúc của tuần trong năm đó

Thứ Năm, 9 tháng 10, 2014

Thực thi một thủ tục trên SQL server 2008 - execute procedure SQL server

Thứ Tư, 8 tháng 10, 2014

Tính số ngày giữa 2 ngày tháng cho trước C#

Thứ Bảy, 4 tháng 10, 2014

Tính tổng số phút tới thời điểm hiện của ngày hiện tại trong tuần C#

Thứ Năm, 2 tháng 10, 2014