allow to specify SSL CA certificates in LAM main configuration

This commit is contained in:
Roland Gruber 2013-08-10 13:25:09 +00:00
parent 90e01cbcaa
commit f2f77eae90
7 changed files with 79 additions and 14 deletions

View File

@ -188,7 +188,8 @@ Have fun!
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Apache webserver (SSL recommended) with PHP module (PHP 5 <para>Apache webserver (SSL recommended) with PHP module (PHP 5
(&gt;= 5.2.4) with ldap, gettext, xml and optional mcrypt)</para> (&gt;= 5.2.4) with ldap, gettext, xml, openssl and optional
mcrypt)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -955,6 +956,39 @@ Have fun!
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para id="conf_sslCert"><emphasis role="bold">SSL certificate
setup:</emphasis></para>
<para>By default, LAM uses the CA certificates that are preinstalled
on your system. This will work if you connect via SSL/TLS to an LDAP
server that uses a certificate signed by a well-known CA. In case you
use your own CA (e.g. company internal CA) you can import the CA
certificates here.</para>
<para>Please note that this can affect other web applications on the
same server if they require different certificates. In case of any
problems please delete the uploaded certificates and use the <link
linkend="ssl_certSystem">system setup</link>.</para>
<para>You can either upload a DER/PEM formatted certificate file or
import the certificates directly from an LDAP server that is available
with LDAP+SSL (ldaps://). LAM will automatically override system
certificates if at least one certificate is uploaded/imported.</para>
<para>The whole certificate list can be downloaded in PEM format. You
can also delete single certificates from the list.</para>
<para>Please note that you might need to restart your webserver if you
do any changes to this configuration.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configGeneral4.png" />
</imageobject>
</mediaobject>
</screenshot>
</section> </section>
<section> <section>
@ -1000,6 +1034,14 @@ Have fun!
<para>If you would like to change the master configuration password <para>If you would like to change the master configuration password
then enter a new password here.</para> then enter a new password here.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configGeneral5.png" />
</imageobject>
</mediaobject>
</screenshot>
</section> </section>
</section> </section>
@ -6766,10 +6808,32 @@ Run slapindex to rebuild the index.
configuration profile. TLS can be activated with the "Activate TLS" configuration profile. TLS can be activated with the "Activate TLS"
option.</para> option.</para>
<para>You will need to setup ldap.conf to trust your server certificate. <para>If your LDAP server uses a SSL certificate of a well-know
Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. certificate authority (CA) then you probably need no changes. If you use
It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. a custom CA in your company then there are two ways to setup the CA
Specify the server CA certificate with the following option:</para> certificates.</para>
<section>
<title>Setup SSL certificates in LAM general settings</title>
<para>This is much easier than system level setup and will only affect
LAM. There might be some cases where other web applications on the
same web server are influenced.</para>
<para>See <link linkend="conf_sslCert">here</link> for details.</para>
</section>
<section id="ssl_certSystem">
<title>Setup SSL certificates on system level</title>
<para>This will make the CA certificates available also to other
applications on your system (e.g. other web applications).</para>
<para>You will need to setup ldap.conf to trust your server
certificate. Some installations use /etc/ldap.conf and some use
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
/etc/ldap/ldap.conf. Specify the server CA certificate with the
following option:</para>
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting> <programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
@ -6784,6 +6848,7 @@ Run slapindex to rebuild the index.
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting> <programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
</section> </section>
</section>
<section> <section>
<title>Chrooted servers</title> <title>Chrooted servers</title>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 7.2 KiB

After

Width:  |  Height:  |  Size: 15 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 19 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 9.6 KiB

After

Width:  |  Height:  |  Size: 9.9 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 18 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 7.0 KiB

View File

@ -263,7 +263,7 @@ $securityTable->addElement(new htmlOutputText(_('SSL certificates')));
$sslMethod = _('use system certificates'); $sslMethod = _('use system certificates');
$sslFileName = $cfg->getSSLCaCertTempFileName(); $sslFileName = $cfg->getSSLCaCertTempFileName();
if ($sslFileName != null) { if ($sslFileName != null) {
$sslMethod = _('use custom CA certificate'); $sslMethod = _('use custom CA certificates');
} }
$sslDelSaveGroup = new htmlGroup(); $sslDelSaveGroup = new htmlGroup();
$sslDelSaveGroup->addElement(new htmlOutputText($sslMethod)); $sslDelSaveGroup->addElement(new htmlOutputText($sslMethod));
@ -287,7 +287,7 @@ $sslButtonTable->colspan = 3;
$sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert')); $sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert'));
$sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload')); $sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload'));
$sslUploadBtn->setIconClass('upButton'); $sslUploadBtn->setIconClass('upButton');
$sslUploadBtn->setTitle(_('Upload CA certificate')); $sslUploadBtn->setTitle(_('Upload CA certificate in DER/PEM format.'));
$sslButtonTable->addElement($sslUploadBtn, true); $sslButtonTable->addElement($sslUploadBtn, true);
if (function_exists('stream_socket_client')) { if (function_exists('stream_socket_client')) {
$sslImportGroup = new htmlGroup(); $sslImportGroup = new htmlGroup();