
I am trying to configure ldaps authentication on a CentOS 6.x server running Apache 2.2. I have successfully been using ldap authentication for a couple years, but need to get it to work over SSL. I do have ldap_module and authnz_ldap_module loaded. My issue is that no matter where in the stack I try to include any directives like LDAPTrustedClientCert or LDAPTrustedGlobalCert I get the 'directive not allowed here' messages. I have tried in the root configuration, I have tried within a block within the vhost configuration, I have tried allowing all overrides and putting it within an .htaccess file... all to no avail.

I'd welcome any suggestions.

verdonv

3 Answers


If for some reason you need to supply a client certificate when making an ldap connection, then you should supply these directives in the same place as your AuthType directive.

    <Location /secure-ldap-basic>
            AuthType basic
            AuthName "LDAP signin required"
            AuthBasicProvider ldap
            AuthLDAPUrl ldaps://ldap.example.com/ SSL
            LDAPTrustedClientCert KEY_BASE64 /etc/pki/tls/private/www.example.com.key
            LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/www.example.com.cert
            Require valid-user
    </Location>
    # AuthType form, AuthFormProvider and the Session* directives need
    # mod_auth_form / mod_session, which ship with Apache 2.4.
    <Location /secure-ldap-form>
            AuthType form
            AuthName realm
            AuthFormProvider ldap
            AuthLDAPUrl ldap://ldap.example.com/ STARTTLS
            LDAPTrustedClientCert KEY_BASE64 /etc/pki/tls/private/www.example.com.key
            LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/www.example.com.cert
            Require valid-user
            AuthFormLoginRequiredLocation /login?%{REQUEST_URI}

            Session On
            SessionCookieName session path=/
            SessionCryptoPassphrase <passphrase>
    </Location>
84104
  • Thank you for this. This is the sort of example I have been trying. When I put it in the .htaccess file, I get " – verdonv Apr 17 '18 at 19:21
  • What I ended up doing was using the directive "LDAPVerifyServerCert Off". Even though the documentation led me to believe that I had to put that within a location or directory block, it produced error until I moved it out of those and just put it up near the top of my httpd.conf file. That seems to have worked. – verdonv Apr 19 '18 at 15:42
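As an added example (not configuration from the answer or the asker), this is how mod_ldap's TLS directives split across contexts, which is what produces the 'directive not allowed here' errors: the CA trust anchor (LDAPTrustedGlobalCert) and the server-certificate check (LDAPVerifyServerCert) are server-config directives, so they belong at the top level of httpd.conf outside any <VirtualHost>, <Location>, <Directory> or .htaccess, while LDAPTrustedClientCert is a per-directory directive that sits beside AuthType and is only needed when the directory server demands a client certificate. The file paths, base DN and bind account are assumptions. It keeps LDAPVerifyServerCert at its default of On, so an untrusted LDAP server certificate fails the bind instead of being silently accepted, and raises LogLevel during testing so mod_authnz_ldap records why the bind fails rather than leaving an unexplained 500.

```apache
# --- httpd.conf, top level (server config context) ---
# Added example; paths, DNs and the bind account are assumptions.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Trust anchor used to verify the LDAP server's certificate (PEM CA bundle).
# Server-config context only: rejected inside <VirtualHost>, <Location>,
# <Directory> and .htaccess.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem

# Keep verification on (the default). "Off" makes the ldaps:// connection
# accept any certificate, which removes the protection LDAPS was meant to add.
LDAPVerifyServerCert On

# Raise temporarily while troubleshooting 500s; revert once the bind works.
LogLevel debug

# --- per-directory context: the same block as AuthType ---
<Location /secure>
    AuthType Basic
    AuthName "LDAP signin required"
    AuthBasicProvider ldap
    # Base DN, attribute and scope are assumed values.
    AuthLDAPUrl "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)" SSL
    # Service account for the search phase (assumed); keep the password out
    # of world-readable files.
    AuthLDAPBindDN "cn=apache,ou=service,dc=example,dc=com"
    AuthLDAPBindPassword "CHANGE-ME"
    # Only if the directory server requires a client certificate (mutual TLS):
    # LDAPTrustedClientCert KEY_BASE64 /etc/pki/tls/private/www.example.com.key
    # LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/www.example.com.cert
    Require valid-user
</Location>
```

With this layout the CA file is the one thing that has to match the certificate the LDAP server presents; if the bind still fails with verification on, the fix is to install the right CA bundle, not to disable the check.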

LDAPTrustedClientCert and LDAPTrustedGlobalCert are for client certificates. As such, they generally aren't needed to secure LDAP communication from a webserver.

This directive is secure in much the same way that most https connections are secure:

AuthLDAPUrl ldaps://ldap.example.com/ SSL
84104
  • Thank you. I had tried that initially, but it is just resulting in 500 errors, that I can't find logged anywhere. – verdonv Apr 17 '18 at 18:28

According to the Apache 2.2 documentation:

https://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldaptrustedclientcert

that should go within a directory setting.

    <Directory /the/directory/of/stuff>
        LDAPTrustedClientCert type directory-path/filename/nickname [password]
    </Directory>

Also, since you are dealing with certs, you should be in a SSL virtualhost.

JohnA
    The last sentence is incorrect; it's entirely possible to use a client certificate for LDAP authentication from a non-SSL virtualhost. (Though it's generally ill-advised to send passwords in cleartext, so SSL is certainly recommended.) – Jenny D Apr 14 '18 at 07:50
  • You are correct. My choice of wording was poor and I've edited. Thank you. – JohnA Apr 15 '18 at 19:44