Differences between version 28 and predecessor to the previous major change of ApacheNotes.
Newer page: version 28, last edited on Thursday, February 9, 2006 12:46:42 pm by JamieCurtis
Older page: version 27, last edited on Wednesday, December 21, 2005 7:49:59 pm by LockwoodChilds
@@ -183,12 +183,37 @@
</pre>
The solution is to swap the order so that apache_ssl_module comes first. (obscure!)
* Another possible cause is that SSLFakeBasicAuth option has been enabled when trying to use the standard basic auth i.e. "AuthType Basic" (this seems to have hit a number of debian users after the upgrade to sarge)
The solution is to turn off SSLFakeBasicAuth.
+
+!!!Getting Apache2 + mod_auth_ldap + ldap over SSL/TLS working
+
+* You should only do this if you have already got your webserver running through SSL/TLS, otherwise your LDAP details will go between the client and server in plaintext !
+* Make sure you have mod_ldap and mod_auth_ldap enabled (under debian use a2enmod)
+* You need to add the following two lines to your main apache2.conf to enable SSL:
+<verbatim>
+LDAPTrustedCA <CA CERT FILE>
+LDAPTrustedCAType BASE64_FILE
+</verbatim>
+This assumes that you have a CA cert that has signed your LDAP servers key. The documentation suggests that if mod_ldap is compiled against openldap, you may not require this to be the case, but you __must__ add some sort of CA cert to make mod_ldap enable SSL. BASE64_FILE indicates that the CA file is in the (default for openssl) PEM format.
+* Check that your main apache2 error log lists something like the following when it starts up:
+<verbatim>
+[notice] LDAP: Built with OpenLDAP LDAP SDK
+[notice] LDAP: SSL support available
+</verbatim>
+* Add your authentication configuration to your Location, Directory or .htaccess files
+<verbatim>
+<Location /path/to/auth/stuff>
+ AuthType Basic
+ AuthName "MyAuthArea"
+ AuthLDAPURL "ldaps://<HOST>/ou=People,<BASEDN>?uid"
+ Require valid-user
+</Location>
+</verbatim>
!!! See also
* NameVirtualHosting
* ModBackhand
* ApacheReverseProxy
* [SargeApache2Notes]
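Review bot: The sentence after the LDAPTrustedCA/LDAPTrustedCAType block ("The documentation suggests that if mod_ldap is compiled against openldap, you may not require this to be the case") hedges on the one point a reader needs to get right; since the same paragraph says you __must__ add a CA cert to make mod_ldap enable SSL at all, state that plainly (the CA file is what both turns SSL on and lets the LDAP server's certificate be verified) and drop the "may not require" speculation, or say exactly which case it covers. Two smaller points in the same hunk: the "Check that your main apache2 error log" step should say what the failure looks like, i.e. if "LDAP: SSL support available" is absent then mod_ldap has no SSL and the ldaps:// URL in the AuthLDAPURL example below will not work, and the Location example should spell out that it is the "ldaps://" scheme in AuthLDAPURL (not the LDAPTrustedCA lines by themselves) that encrypts the Apache-to-LDAP leg, since the first bullet's plaintext warning otherwise reads as if the web server's own SSL/TLS were enough.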