allow to specify SSL CA certificates in LAM main configuration
|
@ -188,7 +188,8 @@ Have fun!
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Apache webserver (SSL recommended) with PHP module (PHP 5
|
<para>Apache webserver (SSL recommended) with PHP module (PHP 5
|
||||||
(>= 5.2.4) with ldap, gettext, xml and optional mcrypt)</para>
|
(>= 5.2.4) with ldap, gettext, xml, openssl and optional
|
||||||
|
mcrypt)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -955,6 +956,39 @@ Have fun!
|
||||||
</imageobject>
|
</imageobject>
|
||||||
</mediaobject>
|
</mediaobject>
|
||||||
</screenshot>
|
</screenshot>
|
||||||
|
|
||||||
|
<para id="conf_sslCert"><emphasis role="bold">SSL certificate
|
||||||
|
setup:</emphasis></para>
|
||||||
|
|
||||||
|
<para>By default, LAM uses the CA certificates that are preinstalled
|
||||||
|
on your system. This will work if you connect via SSL/TLS to an LDAP
|
||||||
|
server that uses a certificate signed by a well-known CA. In case you
|
||||||
|
use your own CA (e.g. company internal CA) you can import the CA
|
||||||
|
certificates here.</para>
|
||||||
|
|
||||||
|
<para>Please note that this can affect other web applications on the
|
||||||
|
same server if they require different certificates. In case of any
|
||||||
|
problems please delete the uploaded certificates and use the <link
|
||||||
|
linkend="ssl_certSystem">system setup</link>.</para>
|
||||||
|
|
||||||
|
<para>You can either upload a DER/PEM formatted certificate file or
|
||||||
|
import the certificates directly from an LDAP server that is available
|
||||||
|
with LDAP+SSL (ldaps://). LAM will automatically override system
|
||||||
|
certificates if at least one certificate is uploaded/imported.</para>
|
||||||
|
|
||||||
|
<para>The whole certificate list can be downloaded in PEM format. You
|
||||||
|
can also delete single certificates from the list.</para>
|
||||||
|
|
||||||
|
<para>Please note that you might need to restart your webserver if you
|
||||||
|
do any changes to this configuration.</para>
|
||||||
|
|
||||||
|
<screenshot>
|
||||||
|
<mediaobject>
|
||||||
|
<imageobject>
|
||||||
|
<imagedata fileref="images/configGeneral4.png" />
|
||||||
|
</imageobject>
|
||||||
|
</mediaobject>
|
||||||
|
</screenshot>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|
@ -1000,6 +1034,14 @@ Have fun!
|
||||||
|
|
||||||
<para>If you would like to change the master configuration password
|
<para>If you would like to change the master configuration password
|
||||||
then enter a new password here.</para>
|
then enter a new password here.</para>
|
||||||
|
|
||||||
|
<screenshot>
|
||||||
|
<mediaobject>
|
||||||
|
<imageobject>
|
||||||
|
<imagedata fileref="images/configGeneral5.png" />
|
||||||
|
</imageobject>
|
||||||
|
</mediaobject>
|
||||||
|
</screenshot>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -6766,10 +6808,32 @@ Run slapindex to rebuild the index.
|
||||||
configuration profile. TLS can be activated with the "Activate TLS"
|
configuration profile. TLS can be activated with the "Activate TLS"
|
||||||
option.</para>
|
option.</para>
|
||||||
|
|
||||||
<para>You will need to setup ldap.conf to trust your server certificate.
|
<para>If your LDAP server uses a SSL certificate of a well-know
|
||||||
Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf.
|
certificate authority (CA) then you probably need no changes. If you use
|
||||||
It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf.
|
a custom CA in your company then there are two ways to setup the CA
|
||||||
Specify the server CA certificate with the following option:</para>
|
certificates.</para>
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>Setup SSL certificates in LAM general settings</title>
|
||||||
|
|
||||||
|
<para>This is much easier than system level setup and will only affect
|
||||||
|
LAM. There might be some cases where other web applications on the
|
||||||
|
same web server are influenced.</para>
|
||||||
|
|
||||||
|
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section id="ssl_certSystem">
|
||||||
|
<title>Setup SSL certificates on system level</title>
|
||||||
|
|
||||||
|
<para>This will make the CA certificates available also to other
|
||||||
|
applications on your system (e.g. other web applications).</para>
|
||||||
|
|
||||||
|
<para>You will need to setup ldap.conf to trust your server
|
||||||
|
certificate. Some installations use /etc/ldap.conf and some use
|
||||||
|
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
|
||||||
|
/etc/ldap/ldap.conf. Specify the server CA certificate with the
|
||||||
|
following option:</para>
|
||||||
|
|
||||||
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
||||||
|
|
||||||
|
@ -6784,6 +6848,7 @@ Run slapindex to rebuild the index.
|
||||||
|
|
||||||
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
|
||||||
</section>
|
</section>
|
||||||
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Chrooted servers</title>
|
<title>Chrooted servers</title>
|
||||||
|
|
Before Width: | Height: | Size: 7.2 KiB After Width: | Height: | Size: 15 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 9.6 KiB After Width: | Height: | Size: 9.9 KiB |
After Width: | Height: | Size: 18 KiB |
After Width: | Height: | Size: 7.0 KiB |
|
@ -263,7 +263,7 @@ $securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
||||||
$sslMethod = _('use system certificates');
|
$sslMethod = _('use system certificates');
|
||||||
$sslFileName = $cfg->getSSLCaCertTempFileName();
|
$sslFileName = $cfg->getSSLCaCertTempFileName();
|
||||||
if ($sslFileName != null) {
|
if ($sslFileName != null) {
|
||||||
$sslMethod = _('use custom CA certificate');
|
$sslMethod = _('use custom CA certificates');
|
||||||
}
|
}
|
||||||
$sslDelSaveGroup = new htmlGroup();
|
$sslDelSaveGroup = new htmlGroup();
|
||||||
$sslDelSaveGroup->addElement(new htmlOutputText($sslMethod));
|
$sslDelSaveGroup->addElement(new htmlOutputText($sslMethod));
|
||||||
|
@ -287,7 +287,7 @@ $sslButtonTable->colspan = 3;
|
||||||
$sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert'));
|
$sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert'));
|
||||||
$sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload'));
|
$sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload'));
|
||||||
$sslUploadBtn->setIconClass('upButton');
|
$sslUploadBtn->setIconClass('upButton');
|
||||||
$sslUploadBtn->setTitle(_('Upload CA certificate'));
|
$sslUploadBtn->setTitle(_('Upload CA certificate in DER/PEM format.'));
|
||||||
$sslButtonTable->addElement($sslUploadBtn, true);
|
$sslButtonTable->addElement($sslUploadBtn, true);
|
||||||
if (function_exists('stream_socket_client')) {
|
if (function_exists('stream_socket_client')) {
|
||||||
$sslImportGroup = new htmlGroup();
|
$sslImportGroup = new htmlGroup();
|
||||||
|
|