WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

allow to specify SSL CA certificates in LAM main configuration

This commit is contained in:
Roland Gruber 2013-08-10 13:25:09 +00:00
parent 90e01cbcaa
commit f2f77eae90
7 changed files with 79 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
lam/docs/manual-sources/howto.xml
View File

@ -188,7 +188,8 @@ Have fun!
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Apache webserver (SSL recommended) with PHP module (PHP 5 <para>Apache webserver (SSL recommended) with PHP module (PHP 5
(&gt;= 5.2.4) with ldap, gettext, xml and optional mcrypt)</para> (&gt;= 5.2.4) with ldap, gettext, xml, openssl and optional
mcrypt)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -955,6 +956,39 @@ Have fun!
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para id="conf_sslCert"><emphasis role="bold">SSL certificate
setup:</emphasis></para>
<para>By default, LAM uses the CA certificates that are preinstalled
on your system. This will work if you connect via SSL/TLS to an LDAP
server that uses a certificate signed by a well-known CA. In case you
use your own CA (e.g. company internal CA) you can import the CA
certificates here.</para>
<para>Please note that this can affect other web applications on the
same server if they require different certificates. In case of any
problems please delete the uploaded certificates and use the <link
linkend="ssl_certSystem">system setup</link>.</para>
<para>You can either upload a DER/PEM formatted certificate file or
import the certificates directly from an LDAP server that is available
with LDAP+SSL (ldaps://). LAM will automatically override system
certificates if at least one certificate is uploaded/imported.</para>
<para>The whole certificate list can be downloaded in PEM format. You
can also delete single certificates from the list.</para>
<para>Please note that you might need to restart your webserver if you
do any changes to this configuration.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configGeneral4.png" />
</imageobject>
</mediaobject>
</screenshot>
</section> </section>
<section> <section>
@ -1000,6 +1034,14 @@ Have fun!
<para>If you would like to change the master configuration password <para>If you would like to change the master configuration password
then enter a new password here.</para> then enter a new password here.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configGeneral5.png" />
</imageobject>
</mediaobject>
</screenshot>
</section> </section>
</section> </section>
@ -6766,23 +6808,46 @@ Run slapindex to rebuild the index.
configuration profile. TLS can be activated with the "Activate TLS" configuration profile. TLS can be activated with the "Activate TLS"
option.</para> option.</para>
<para>You will need to setup ldap.conf to trust your server certificate. <para>If your LDAP server uses a SSL certificate of a well-know
Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. certificate authority (CA) then you probably need no changes. If you use
It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. a custom CA in your company then there are two ways to setup the CA
Specify the server CA certificate with the following option:</para> certificates.</para>
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting> <section>
<title>Setup SSL certificates in LAM general settings</title>
<para>This needs to be the public part of the signing certificate <para>This is much easier than system level setup and will only affect
authority. See "man ldap.conf" for additional options.</para> LAM. There might be some cases where other web applications on the
same web server are influenced.</para>
<literallayout> <para>See <link linkend="conf_sslCert">here</link> for details.</para>
</section>
<section id="ssl_certSystem">
<title>Setup SSL certificates on system level</title>
<para>This will make the CA certificates available also to other
applications on your system (e.g. other web applications).</para>
<para>You will need to setup ldap.conf to trust your server
certificate. Some installations use /etc/ldap.conf and some use
/etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to
/etc/ldap/ldap.conf. Specify the server CA certificate with the
following option:</para>
<programlisting>TLS_CACERT /etc/ldap/ca/myCA/cacert.pem</programlisting>
<para>This needs to be the public part of the signing certificate
authority. See "man ldap.conf" for additional options.</para>
<literallayout>
</literallayout> </literallayout>
<para>You may also need to specify the CA certificate in your Apache <para>You may also need to specify the CA certificate in your Apache
configuration by using the option "LDAPTrustedGlobalCert":</para> configuration by using the option "LDAPTrustedGlobalCert":</para>
<programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting> <programlisting>LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem</programlisting>
</section>
</section> </section>
<section> <section>

BIN
lam/docs/manual-sources/images/configGeneral1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 7.2 KiB

After

Width:  |  Height:  |  Size: 15 KiB

BIN
lam/docs/manual-sources/images/configGeneral2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 19 KiB

BIN
lam/docs/manual-sources/images/configGeneral3.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 9.6 KiB

After

Width:  |  Height:  |  Size: 9.9 KiB

BIN
lam/docs/manual-sources/images/configGeneral4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
lam/docs/manual-sources/images/configGeneral5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.0 KiB

4
lam/templates/config/mainmanage.php
View File

@ -263,7 +263,7 @@ $securityTable->addElement(new htmlOutputText(_('SSL certificates')));
$sslMethod = _('use system certificates'); $sslMethod = _('use system certificates');
$sslFileName = $cfg->getSSLCaCertTempFileName(); $sslFileName = $cfg->getSSLCaCertTempFileName();
if ($sslFileName != null) { if ($sslFileName != null) {
$sslMethod = _('use custom CA certificate'); $sslMethod = _('use custom CA certificates');
} }
$sslDelSaveGroup = new htmlGroup(); $sslDelSaveGroup = new htmlGroup();
$sslDelSaveGroup->addElement(new htmlOutputText($sslMethod)); $sslDelSaveGroup->addElement(new htmlOutputText($sslMethod));
@ -287,7 +287,7 @@ $sslButtonTable->colspan = 3;
$sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert')); $sslButtonTable->addElement(new htmlInputFileUpload('sslCaCert'));
$sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload')); $sslUploadBtn = new htmlButton('sslCaCertUpload', _('Upload'));
$sslUploadBtn->setIconClass('upButton'); $sslUploadBtn->setIconClass('upButton');
$sslUploadBtn->setTitle(_('Upload CA certificate')); $sslUploadBtn->setTitle(_('Upload CA certificate in DER/PEM format.'));
$sslButtonTable->addElement($sslUploadBtn, true); $sslButtonTable->addElement($sslUploadBtn, true);
if (function_exists('stream_socket_client')) { if (function_exists('stream_socket_client')) {
$sslImportGroup = new htmlGroup(); $sslImportGroup = new htmlGroup();