Configuring Apache for SSL and LDAP authentication
Imagine you have a directory on your web server that you want to protect so that people have to log in to see the items in it. You don't want to give them yet another password to remember, but instead reuse an existing username/password from an LDAP directory. You also want to make sure that when they log in, their username and password are sent encrypted across the network. Below are directions to do exactly that, assuming you have an LDAP server.
The Head of Computer and Networking Systems originally wrote these directions (which are amazing and better than most of what I found on the web) when I wanted to password-protect our internal blogs. I've updated them to be more generic and posted them because they are relevant if you want to set up LDAP authentication for MediaWiki. Note that steps f to i in the section “Configure LDAPs authentication for Directory access”
Set up SSL on Web Server

- On the server where you want to terminate SSL, generate the server private key (one time):
  - Remove the default keys:
        cd /etc/apache2/
        rm ssl.key/server.key
        rm ssl.crt/server.crt
  - Generate a new private key:
        /usr/bin/openssl genrsa 1024 > /etc/apache2/ssl.key/server.key
  - Set secure permissions on the key file:
        chmod go-rwx /etc/apache2/ssl.key/server.key
- Create a self-signed certificate:
        /usr/bin/openssl req -new -key /etc/apache2/ssl.key/server.key -x509 -days 365 -out /etc/apache2/ssl.crt/server.crt
  openssl will prompt you for the certificate's Distinguished Name:
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:US
        State or Province Name (full name) [Some-State]: State
        Locality Name (eg, city) []: City
        Organization Name (eg, company) [Internet Widgits Pty Ltd]: Some Organization
        Organizational Unit Name (eg, section) []: Some Unit
        Common Name (eg, YOUR name) []: server.webaddress.com
        Email Address []: email@address.com
- Configure Apache for SSL:
  - Tell Apache the SSL port: edit /etc/apache2/listen.conf and remove the # before:
        Listen 443
  - Copy the virtual host template file (the copy must end in .conf):
        cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
  - Change the following lines in /etc/apache2/vhosts.d/vhost-ssl.conf:
        #<IfDefine SSL>
        #<IfDefine !NOSSL>
        <VirtualHost server.webaddress.com:443>
        DocumentRoot "/srv/www/htdocs"
        ServerName server.webaddress.com:443
        ServerAdmin email@address.com
        ErrorLog /var/log/apache2/error_443_log
        TransferLog /var/log/apache2/access_443_log
        #</IfDefine>
        #</IfDefine>
  - Restart Apache with the new configuration:
        apache2ctl stop
        apache2ctl start
  - Use netstat to check that httpd is listening on port 443:
        netstat -anp | more
  - Open port 443 on the firewall.
- Test in a web browser: https://server.webaddress.com
Configure LDAPs authentication for Directory access

- Import the LDAP server's certificate into the web server that will authenticate via LDAP:
  - Export the server certificate from your LDAP server.
  - Open the exported certificate file and copy the text.
  - Create the file /etc/apache2/server-name.crt.
  - Paste the certificate text into that file.
  - Edit /etc/apache2/default-server.conf and add the following lines:
        LDAPTrustedCAType BASE64_FILE
        LDAPTrustedCA /etc/apache2/server-name.crt
- Edit /etc/apache2/vhosts.d/vhost-ssl.conf and add the following lines between <VirtualHost> and </VirtualHost>:
        <Directory /srv/www/htdocs/directory_you_want_to_protect_with_ldap>
        AuthType Basic
        AuthName "LDAPs Login"
        AuthLDAPEnabled on
        AuthLDAPURL "ldaps://ldapserver.domain.edu:ldapport/OU=usergroup,DC=subdomain,DC=mydomain,DC=edu?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=bindaccount,CN=usergroup,DC=subdomain,DC=mydomain,DC=edu"
        AuthLDAPBindPassword (bindaccountpassword)
        AuthLDAPAuthoritative off
        require valid-user
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from IP range you want to allow access from
        </Directory>
- Edit /etc/apache2/sysconfig.d/loadmodule.conf and add the following lines:
        LoadModule ldap_module /usr/lib/apache2/mod_ldap.so
        LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so
- Restart Apache with the new configuration:
        apache2ctl stop
        apache2ctl start
- Test in a web browser: https://server.webaddress.com/directory_you_want_to_protect_with_ldap
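The two settings that make this setup safe are the vhost being the :443 one (Basic auth only base64-encodes the password) and the AuthLDAPURL using ldaps:// (the web server forwards that password to the directory). The checker below, an added example that is not part of the original post, lints a vhost-ssl.conf for both and also splits the AuthLDAPURL into its host, base DN, attribute, scope and filter parts so the meaning of the "?sAMAccountName?sub?(objectClass=*)" suffix is visible. The file path in the usage line and the sample values are assumptions.

```shell
#!/bin/sh
# Constructed checker for the vhost-ssl.conf built in the steps above (an added
# example, not part of the original post). Exit status 0 means every check passed.

# Split an AuthLDAPURL of the form scheme://host:port/basedn?attr?scope?filter
# and print one component: 1=scheme 2=host:port 3=basedn 4=attr 5=scope 6=filter
ldap_url_part() {
    printf '%s\n' "$1" | awk -v n="$2" '{
        split($0, a, "://"); parts[1] = a[1]; rest = a[2]
        p = index(rest, "/")                      # host:port ends at the first "/"
        parts[2] = substr(rest, 1, p - 1); rest = substr(rest, p + 1)
        m = split(rest, q, "[?]")                 # basedn ? attr ? scope ? filter
        for (i = 1; i <= m; i++) parts[i + 2] = q[i]
        print parts[n]
    }'
}

# Check the settings that decide whether credentials cross the network in clear.
check_ldap_vhost() {
    conf="$1"; rc=0
    # AuthType Basic only base64-encodes the password, so the vhost must be the :443 one.
    grep -Eq '<VirtualHost[^>]*:443>' "$conf" || { echo "FAIL: VirtualHost is not on port 443"; rc=1; }
    # The web server forwards the user's password to the directory, so that leg must be ldaps:// too.
    url=$(awk '$1 == "AuthLDAPURL" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    case "$(ldap_url_part "$url" 1)" in
        ldaps) ;;
        *) echo "FAIL: AuthLDAPURL scheme is not ldaps ($url)"; rc=1 ;;
    esac
    # A missing or still-placeholder bind password means the bind account was never set up.
    pw=$(awk '$1 == "AuthLDAPBindPassword" { print $2; exit }' "$conf")
    case "$pw" in
        ""|"(bindaccountpassword)") echo "FAIL: AuthLDAPBindPassword missing or placeholder"; rc=1 ;;
    esac
    # Without a require line the Auth* directives are parsed but enforce nothing.
    grep -Eiq '^[[:space:]]*require[[:space:]]+valid-user' "$conf" || { echo "FAIL: no 'require valid-user'"; rc=1; }
    return $rc
}

# Usage (assumed path): sh check_vhost.sh /etc/apache2/vhosts.d/vhost-ssl.conf
if [ "$#" -gt 0 ]; then check_ldap_vhost "$1"; fi
```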