Re: Communicate from php/apache to openLDAP over LDAPS
On 11/06/2010, at 4:04 AM, Howard Chu wrote:
> Jérémy ESCOLANO wrote:
>> I tried to put host="srvLDAP" but it still doesn't work
>>
>> Actually the problem is configuring my APACHE server to make it consider
>> these certificates.
>> I know there is a ldap.conf in the openLDAP directory (on openLDAP server)
>> where I have to put:
>>
>> TLS_CACERT ./ssl2/cacert.cer
>> TLS_REQCERT demand
>>
>> but how can we specify it on the apache server?
>
> Ask on an Apache forum.
>
>
You are probably correct in that you should be asking on an Apache forum. But anyway, here is a copy of my working apache config
LDAPTrustedClientCert CERT_BASE64 /usr/local/share/certs/cacert.pem
LDAPTrustedClientCert CERT_DER /usr/local/share/certs/cacert.crt
LDAPTrustedMode TLS
<Directory /usr/local/www/nagios>
Order deny,allow
Deny from all
Allow from all
AllowOverride none
php_flag engine on
php_admin_value open_basedir /usr/local/www/nagios/:/var/spool/nagios/
######
#<LDAP>
######
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPRemoteUserAttribute uid
AuthLDAPURL ldap://ldap.chocolate.lan/ou=Users,dc=chocolate,dc=lan?uid?sub
#Require ldap-user william
AuthLDAPDereferenceAliases never
AuthLDAPGroupAttribute memberUid
Require group
Require ldap-group cn=nagios,ou=Apache,ou=Nemo,ou=Group,dc=chocolate,dc=lan
AuthType Basic
AuthName "Nagios"
######
#</LDAP>
######
</Directory>
Also, a useful tool is the following; it tells you the current state of the ldap cache on the server.
<Location /server/cache-info>
SetHandler ldap-status
</Location>
This is currently set up for group-based authentication. Remember that your group memberUid needs to be the full DN of the user, rather than just the uid. Your certificates also need to be readable by the apache user, and you only need the cacert.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
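The following is an added example and is not the configuration posted above or anything from the OpenLDAP project. It shows the same mod_ldap / mod_authnz_ldap setup written so that Apache (2.2 syntax, matching the thread) both trusts the directory's CA and refuses an unverified server certificate, which is the LDAPS trust problem the original question asks about. Hostnames, paths, DNs and the bind password are placeholders. It also goes one step beyond the message above: where a posixGroup's memberUid holds bare uids rather than full DNs, AuthLDAPGroupAttributeIsDN off makes the group check compare the uid instead, so the group does not have to be restructured.

```apache
# Added example, not the poster's config. Apache 2.2 mod_ldap + mod_authnz_ldap
# over LDAPS with server-certificate verification. All names/paths are placeholders.

# --- server-wide (mod_ldap): trust the CA that signed the directory's certificate ---
# CA_BASE64 declares a CA certificate; the CERT_*/KEY_* types are for client certs.
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ssl/ldap-ca.pem
# Reject the connection if the server certificate does not chain to that CA
# (this is the default, stated here so nobody turns it off by accident).
LDAPVerifyServerCert On
# The CA file must be readable by the user Apache runs as, and not writable by it.

<Directory /var/www/nagios>
    AuthType Basic
    AuthName "Nagios"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on

    # ldaps:// on 636 encrypts from the first byte. For STARTTLS on 389 use an
    # ldap:// URL here together with "LDAPTrustedMode TLS" instead.
    AuthLDAPURL "ldaps://ldap.example.net:636/ou=Users,dc=example,dc=net?uid?sub?(objectClass=inetOrgPerson)"

    # Read-only service account for the user search; never a directory admin DN.
    AuthLDAPBindDN "cn=apache-ro,ou=Services,dc=example,dc=net"
    AuthLDAPBindPassword "change-me"    # placeholder; keep this file unreadable to others

    # Group check. groupOfNames/member holds full DNs, which is what the default
    # (AuthLDAPGroupAttributeIsDN on) compares. A posixGroup's memberUid holds bare
    # uids, so switch the comparison to the username instead of the DN.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=nagios,ou=Group,dc=example,dc=net
</Directory>

# Cache inspection handler from the message above; it lists cached DNs and
# group-membership results, so limit who can read it.
<Location /server/cache-info>
    SetHandler ldap-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

LDAPTrustedGlobalCert and LDAPVerifyServerCert belong in the main server config, not inside a Directory block. If the directory's certificate does not chain to the file named in LDAPTrustedGlobalCert, mod_ldap fails the bind and the error log shows the verification failure, which is the behaviour you want rather than a silent fallback to an unverified session.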