Differences between version 28 and predecessor to the previous major change of ApacheNotes.

Newer page: version 28 Last edited on Thursday, February 9, 2006 12:46:42 pm by JamieCurtis
Older page: version 27 Last edited on Wednesday, December 21, 2005 7:49:59 pm by LockwoodChilds
@@ -183,12 +183,37 @@
 </pre> 
 The solution is to swap the order so that apache_ssl_module comes first. (obscure!) 
 * Another possible cause is that SSLFakeBasicAuth option has been enabled when trying to use the standard basic auth i.e. "AuthType Basic" (this seems to have hit a number of debian users after the upgrade to sarge) 
 The solution is to turn off SSLFakeBasicAuth. 
+  
+!!!Getting Apache2 + mod_auth_ldap + ldap over SSL/TLS working  
+  
+* You should only do this if you have already got your webserver running through SSL/TLS, otherwise your LDAP details will go between the client and server in plaintext !  
+* Make sure you have mod_ldap and mod_auth_ldap enabled (under debian use a2enmod)  
+* You need to add the following two lines to your main apache2.conf to enable SSL:  
+<verbatim>  
+LDAPTrustedCA <CA CERT FILE>  
+LDAPTrustedCAType BASE64_FILE  
+</verbatim>  
+This assumes that you have a CA cert that has signed your LDAP servers key. The documentation suggests that if mod_ldap is compiled against openldap, you may not require this to be the case, but you __must__ add some sort of CA cert to make mod_ldap enable SSL. BASE64_FILE indicates that the CA file is in the (default for openssl) PEM format.  
+* Check that your main apache2 error log lists something like the following when it starts up:  
+<verbatim>  
+[notice] LDAP: Built with OpenLDAP LDAP SDK  
+[notice] LDAP: SSL support available  
+</verbatim>  
+* Add your authentication configuration to your Location, Directory or .htaccess files  
+<verbatim>  
+<Location /path/to/auth/stuff>  
+ AuthType Basic  
+ AuthName "MyAuthArea"  
+ AuthLDAPURL "ldaps://<HOST>/ou=People,<BASEDN>?uid"  
+ Require valid-user  
+</Location>  
+</verbatim>  
  
  
 !!! See also 
  
 * NameVirtualHosting 
 * ModBackhand 
 * ApacheReverseProxy 
 * [SargeApache2Notes]
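Review bot: the explanatory sentence after the `LDAPTrustedCA` / `LDAPTrustedCAType` block reads as if any CA certificate will do ("you __must__ add some sort of CA cert to make mod_ldap enable SSL"); it should state that the file must contain the CA that actually signed the LDAP server's certificate, because that file is what lets mod_ldap verify the server it is about to send the user's credentials to, and a CA that merely switches SSL on without matching the server certificate gives no protection against a substituted LDAP server. The same section would also benefit from a line telling the reader how to confirm that the `ldaps://` connection is really being verified rather than just established, for example by checking that a bind fails when `LDAPTrustedCA` points at an unrelated CA file; the startup-log check shown ("LDAP: SSL support available") only proves that the SDK has SSL support, not that the server certificate is being validated.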