From: Erik Abele
To use TLS, simply set the AuthLDAPStartTLS
to on.
- Nothing else needs to be done (other than ensure that your LDAP
- server is configured for TLS).
To use TLS, see the mod_ldap
directives LDAPTrustedCA
and LDAPTrustedCAType
.
If mod_auth_ldap
is linked against the
- Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
- unless that server has a certificate signed by a known Certificate
- Authority. As part of the configuration
- mod_auth_ldap
needs to be told where it can find
- a database containing the known CAs. This database is in the same
- format as Netscape Communicator's cert7.db
- database. The easiest way to get this file is to start up a fresh
- copy of Netscape, and grab the resulting
- $HOME/.netscape/cert7.db
file.
To use SSL, see the mod_ldap
directives LDAPTrustedCA
and LDAPTrustedCAType
.
To specify a secure LDAP server, use ldaps:// in the
AuthLDAPURL
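Review bot: the replacement sentence is identical under "To use TLS" and under "To use SSL" ("see the mod_ldap directives LDAPTrustedCA and LDAPTrustedCAType"), so a single cross-reference would do. More importantly, the removed lines said "Nothing else needs to be done (other than ensure that your LDAP server is configured for TLS)"; the new text should state whether a StartTLS session also has the server certificate checked against LDAPTrustedCA, or whether that check only applies to ldaps:// URLs as the mod_ldap text later in this patch implies. An administrator cannot tell from this paragraph which of the two modes verifies the server.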
@@ -759,23 +748,6 @@ environment variable
the username that was passed by the client. It is turned off by
default.
Description: | Use a secure TLS connection to the LDAP server |
---|---|
Syntax: | AuthLDAPStartTLS on|off |
Default: | AuthLDAPStartTLS off |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | Experimental |
Module: | mod_auth_ldap |
If this directive is set to on
,
- mod_auth_ldap
will start a secure TLS session
- after connecting to the LDAP server. This requires your LDAP
- server to support TLS.
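Review bot: this hunk (-759,23 +748,6) drops the text saying mod_auth_ldap "will start a secure TLS session after connecting to the LDAP server" and that "this requires your LDAP server to support TLS", but the usage section earlier in the same file still tells readers to "simply set the AuthLDAPStartTLS to on". Either keep the directive's description or update that earlier sentence; as it stands the page tells users to set a directive whose effect is no longer documented anywhere.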
--with-ldap
flag to the ./configure
script when building
Apache.
+
+ SSL support requires that mod_ldap
be linked
+ with one of the following LDAP SDKs:
+ OpenLDAP SDK (both 1.x and 2.x),
+ Novell LDAP SDK or the
+ iPlanet(Netscape) SDK.
httpd
instance processes the request.
+The ability to create an SSL connections to an LDAP server
+ is defined by the directives
+ LDAPTrustedCA
and
+ LDAPTrustedCAType
. These directives specify the certificate
+ file or database and the certificate type. Whenever the LDAP url
+ includes ldaps://, mod_ldap
will establish
+ a secure connection to the LDAP server.
+ # Establish an SSL LDAP connection. Requires that
+ # mod_ldap and mod_auth_ldap be loaded. Change the
+ # "yourdomain.example.com" to match your domain.
+
+ LDAPTrustedCA /certs/certfile.der
+ LDAPTrustedCAType DER_FILE
+
+ <Location /ldap-status>
+
+ SetHandler ldap-status
+ Order deny,allow
+ Deny from all
+ Allow from yourdomain.example.com
+ AuthLDAPEnabled on
+ AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one
+ AuthLDAPAuthoritative on
+ require valid-user
+
+ </Location>
+
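Review bot: the example <Location /ldap-status> block contains "require valid-user" and an AuthLDAPURL but no AuthType Basic or AuthName line, so as written the LDAP authentication would not be triggered; both lines should be added to the example. The leading comment also says only to change "yourdomain.example.com", but the base DN dc=example,dc=com in the AuthLDAPURL and the certificate path /certs/certfile.der have to be changed as well, and the comment on "LDAPTrustedCA /certs/certfile.der" should say that the file holds the CA certificate that signed the directory server's certificate, not the server certificate itself.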
If mod_ldap
is linked against the
+ Netscape/iPlanet LDAP SDK, it will not talk to any SSL server
+ unless that server has a certificate signed by a known Certificate
+ Authority. As part of the configuration
+ mod_ldap
needs to be told where it can find
+ a database containing the known CAs. This database is in the same
+ format as Netscape Communicator's cert7.db
+ database. The easiest way to get this file is to start up a fresh
+ copy of Netscape, and grab the resulting
+ $HOME/.netscape/cert7.db
file.
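Review bot: this paragraph, moved here from mod_auth_ldap, still tells administrators to take cert7.db from "a fresh copy of Netscape"; a browser's cert7.db trusts every CA the browser ships with, so the text should add that the database (and likewise the DER or Base64 file used with the other LDAPTrustedCAType values) should contain only the CA that issued the directory server's certificate. It should also name the matching setting, LDAPTrustedCAType CERT7_DB_PATH, which is otherwise only listed at the very end of the patch.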
Description: | Directory containing certificates for SSL support |
---|---|
Syntax: | LDAPCertDBPath directory-path |
Context: | server config |
Status: | Experimental |
Module: | mod_ldap |
This directive is only valid if Apache has been linked - against the Netscape/iPlanet Directory SDK.
- -It specifies in which directory mod_ldap
- should look for the certificate authorities database for SSL
- support. There should be a file named cert7.db
in that
- directory.
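Review bot: LDAPCertDBPath is removed here without a migration note; an existing "LDAPCertDBPath directory-path" line will be rejected as an unknown directive after this change, so the documentation should say that the old value maps to "LDAPTrustedCA directory-path/cert7.db" together with "LDAPTrustedCAType CERT7_DB_PATH".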
Specifies the number of bytes to specify for the shared memory cache. The default is 100kb.
+Description: | Sets the file containing the trusted Certificate Authority certificate or database |
---|---|
Syntax: | LDAPTrustedCA directory-path/filename |
Context: | server config |
Status: | Experimental |
Module: | mod_ldap |
It specifies the directory path and file name of the trusted CA
+ mod_ldap
should use when establishing an SSL
+ connection to an LDAP server. If using the Netscape/iPlanet Directory
+ SDK, the file name should be cert7.db
.
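Review bot: the LDAPTrustedCA description does not say what happens when an ldaps:// URL is used and the directive is unset, or when the server certificate does not chain to the configured CA; the Netscape/iPlanet paragraph above says that SDK refuses such servers, but nothing is stated for the OpenLDAP and Novell SDKs listed earlier in this patch, and that behaviour is exactly what an administrator needs to know to judge whether the connection is verified. The Syntax row "directory-path/filename" should also be explained as a path to a DER or Base64 file for DER_FILE/BASE64_FILE and to the cert7.db database for CERT7_DB_PATH.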
Description: | Specifies the type of the Certificate Authority file |
---|---|
Syntax: | LDAPTrustedCAType type |
Context: | server config |
Status: | Experimental |
Module: | mod_ldap |
The following types are supported:
+ DER_FILE - file in binary DER format
+ BASE64_FILE - file in Base64 format
+ CERT7_DB_PATH - Netscape certificate database file ")
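Review bot: the type list should say which of the three SDKs named in this patch (OpenLDAP, Novell, iPlanet/Netscape) accepts each value, since the surrounding text only ties cert7.db to the Netscape/iPlanet SDK and the example above uses DER_FILE without saying which SDK it applies to. The table also has no Default row, so the text should state whether LDAPTrustedCAType is mandatory whenever LDAPTrustedCA is set and what happens if it is omitted.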