diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 48563905..08e97d6b 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -188,7 +188,8 @@ Have fun! Apache webserver (SSL recommended) with PHP module (PHP 5 - (>= 5.2.4) with ldap, gettext, xml and optional mcrypt) + (>= 5.2.4) with ldap, gettext, xml, openssl and optional + mcrypt) @@ -955,6 +956,39 @@ Have fun! + + SSL certificate + setup: + + By default, LAM uses the CA certificates that are preinstalled + on your system. This will work if you connect via SSL/TLS to an LDAP + server that uses a certificate signed by a well-known CA. In case you + use your own CA (e.g. company internal CA) you can import the CA + certificates here. + + Please note that this can affect other web applications on the + same server if they require different certificates. In case of any + problems please delete the uploaded certificates and use the system setup. + + You can either upload a DER/PEM formatted certificate file or + import the certificates directly from an LDAP server that is available + with LDAP+SSL (ldaps://). LAM will automatically override system + certificates if at least one certificate is uploaded/imported. + + The whole certificate list can be downloaded in PEM format. You + can also delete single certificates from the list. + + Please note that you might need to restart your webserver if you + do any changes to this configuration. + + + + + + + +
@@ -1000,6 +1034,14 @@ Have fun! If you would like to change the master configuration password then enter a new password here. + + + + + + + +
@@ -6766,23 +6808,46 @@ Run slapindex to rebuild the index. configuration profile. TLS can be activated with the "Activate TLS" option. - You will need to setup ldap.conf to trust your server certificate. - Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. - It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. - Specify the server CA certificate with the following option: + If your LDAP server uses a SSL certificate of a well-know + certificate authority (CA) then you probably need no changes. If you use + a custom CA in your company then there are two ways to setup the CA + certificates. - TLS_CACERT /etc/ldap/ca/myCA/cacert.pem +
+ Setup SSL certificates in LAM general settings - This needs to be the public part of the signing certificate - authority. See "man ldap.conf" for additional options. + This is much easier than system level setup and will only affect + LAM. There might be some cases where other web applications on the + same web server are influenced. - + See here for details. +
+ +
+ Setup SSL certificates on system level + + This will make the CA certificates available also to other + applications on your system (e.g. other web applications). + + You will need to setup ldap.conf to trust your server + certificate. Some installations use /etc/ldap.conf and some use + /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to + /etc/ldap/ldap.conf. Specify the server CA certificate with the + following option: + + TLS_CACERT /etc/ldap/ca/myCA/cacert.pem + + This needs to be the public part of the signing certificate + authority. See "man ldap.conf" for additional options. + + - You may also need to specify the CA certificate in your Apache - configuration by using the option "LDAPTrustedGlobalCert": + You may also need to specify the CA certificate in your Apache + configuration by using the option "LDAPTrustedGlobalCert": - LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem + LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem +
diff --git a/lam/docs/manual-sources/images/configGeneral1.png b/lam/docs/manual-sources/images/configGeneral1.png
index bdba0f3c..4e3aa8e5 100644
Binary files a/lam/docs/manual-sources/images/configGeneral1.png and b/lam/docs/manual-sources/images/configGeneral1.png differ
diff --git a/lam/docs/manual-sources/images/configGeneral2.png b/lam/docs/manual-sources/images/configGeneral2.png
index 5812dff7..1de04938 100644
Binary files a/lam/docs/manual-sources/images/configGeneral2.png and b/lam/docs/manual-sources/images/configGeneral2.png differ
diff --git a/lam/docs/manual-sources/images/configGeneral3.png b/lam/docs/manual-sources/images/configGeneral3.png
index 4441b817..1bd01c4b 100644
Binary files a/lam/docs/manual-sources/images/configGeneral3.png and b/lam/docs/manual-sources/images/configGeneral3.png differ
diff --git a/lam/docs/manual-sources/images/configGeneral4.png b/lam/docs/manual-sources/images/configGeneral4.png
new file mode 100644
index 00000000..dae51824
Binary files /dev/null and b/lam/docs/manual-sources/images/configGeneral4.png differ
diff --git a/lam/docs/manual-sources/images/configGeneral5.png b/lam/docs/manual-sources/images/configGeneral5.png
new file mode 100644
index 00000000..762bd1cc
Binary files /dev/null and b/lam/docs/manual-sources/images/configGeneral5.png differ
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 12ce9ce5..a073eb6f 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -263,7 +263,7 @@ $securityTable->addElement(new htmlOutputText(_('SSL certificates')));
 $sslMethod = _('use system certificates');
 $sslFileName = $cfg->getSSLCaCertTempFileName();
 if ($sslFileName != null) {
- $sslMethod = _('use custom CA certificate');
+ $sslMethod = _('use custom CA certificates');
 }
 $sslDelSaveGroup = new htmlGroup();
 $sslDelSaveGroup->addElement(new htmlOutputText($sslMethod));
@@ -287,7 +287,7 @@ $sslButtonTable->colspan = 3;
 $sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert'));
 $sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload'));
 $sslUploadBtn->setIconClass('upButton');
-$sslUploadBtn->setTitle(_('Upload CA certificate'));
+$sslUploadBtn->setTitle(_('Upload CA certificate in DER/PEM format.'));
 $sslButtonTable->addElement($sslUploadBtn, true);
 if (function_exists('stream_socket_client')) {
 $sslImportGroup = new htmlGroup();
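Review bot: The new button title on the `+` line names the accepted file format but omits the trust consequence that the manual hunk in this same commit spells out: once at least one CA certificate is uploaded, LAM overrides the system CA list for its LDAP+SSL connections, and this can affect other web applications on the same server. That is exactly what an administrator hovering over the upload button should be told before uploading, so a fuller title such as `$sslUploadBtn->setTitle(_('Upload CA certificate in DER/PEM format. Uploaded certificates override the system CA certificates.'));` would be more useful. Both this change and the `use custom CA certificates` change in the -263 hunk alter gettext msgids, so existing translations of the old strings will stop matching until the .po catalogs are updated; the catalogs are not part of this diff, so I cannot confirm whether that was done. The `!= null` comparison on the context line of the -263 hunk predates this commit and is not part of the change under review.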