A page in your DokuWiki was added or changed. Here are the details:

Date        : 2016/06/28 18:03
Browser     : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
IP-Address  : 193.248.50.71
Hostname    : LStLambert-656-1-262-71.w193-248.abo.wanadoo.fr
Old Revision: ---
New Revision: http://ltb-project.org/wiki/documentation/general/openldap_ssl_tls_mutual_authentication
Edit Summary: created
User        : coudot
====== Configure SSL/TLS mutual authentication with OpenLDAP ======

<note tip>This documentation was written for OpenLDAP LTB packages</note>

The goal is to be able to authenticate against OpenLDAP with an X509 client certificate and to map the identity of the client certificate to an LDAP entry.

===== Certificates and test values =====

We use these variable names in the tutorial:

  * CA_SERVER: Certificate Authority that signed the CERT_SERVER
  * CERT_SERVER: Server certificate. Its Common Name must be the DNS name of the OpenLDAP server
  * KEY_SERVER: Server key.
  * CA_CLIENT: Certificate Authority that signed the CERT_CLIENT
  * CERT_CLIENT: Client certificate. Its Common Name must be related to a user, with at least one field that exists in the corresponding LDAP entry
  * KEY_CLIENT: Client key.

<note>Remove the password on KEY_CLIENT, as it is not managed by the LDAP client utilities (ldapsearch, ...)</note>

We also use these test values:

  * LDAP DNS name: ldap.example.com
  * Client certificate Common Name: [email protected],cn=dwho,o=SFL,l=Lyon,st=Rhone,c=FR
  * User LDAP entry: uid=dwho,ou=users,dc=example,dc=com

===== OpenLDAP server configuration =====

In the ''cn=config'' entry, use these parameters:

<file>
olcAuthzRegexp: {0}"EMAIL=([^,]*)," ldap:///ou=users,dc=example,dc=com??one?(MAIL=$1)
olcTLSCACertificateFile: /path/to/CA_CLIENT
olcTLSCertificateFile: /path/to/CERT_SERVER
olcTLSCertificateKeyFile: /path/to/KEY_SERVER
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
olcTLSCRLCheck: none
olcTLSVerifyClient: allow
</file>

===== Client configuration =====

You can configure some LDAP client settings in the $HOME/.ldaprc file:

<file>
TLS_REQCERT try
TLS_CACERT /path/to/CA_SERVER
TLS_CERT /path/to/CERT_CLIENT
TLS_KEY /path/to/KEY_CLIENT
SASL_MECH external
</file>

===== Test =====

You can now connect with the client certificate and be identified as the corresponding LDAP entry.
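To make visible what the olcAuthzRegexp line in the server configuration does with the SASL username that ldapwhoami prints, here is an added Python example that is not part of this page or of the LTB project: it applies the page's rule to a certificate subject, splits the resulting LDAP URL into its RFC 4516 fields, and runs the one-level search against a constructed in-memory directory. The subject value dwho@example.com, the second entry rtyler and the sample directory are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# The page's rule as slapd reads it ({0} is only the ordering index).
AUTHZ_REGEXP_RULES = [
    (r'EMAIL=([^,]*),', 'ldap:///ou=users,dc=example,dc=com??one?(MAIL=$1)'),
]

# Constructed sample entries standing in for ou=users,dc=example,dc=com.
SAMPLE_DIRECTORY = {
    'uid=dwho,ou=users,dc=example,dc=com': {'uid': 'dwho', 'mail': 'dwho@example.com'},
    'uid=rtyler,ou=users,dc=example,dc=com': {'uid': 'rtyler', 'mail': 'rtyler@example.com'},
}

def apply_authz_regexp(sasl_username, rules=AUTHZ_REGEXP_RULES):
    """Rewrite the SASL/EXTERNAL user name (the certificate subject printed by
    ldapwhoami) into an LDAP URL: first matching rule wins, $N = capture group.
    Note that the page's pattern requires the comma after the EMAIL value."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_username)
        if m is not None:
            return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))), replacement)
    return None  # no rule matched: the raw subject stays the identity

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516); the page's URL has an
    empty attrs field, which is why it reads '??one?'."""
    if not url.startswith('ldap:///'):
        raise ValueError('only host-less ldap:/// URLs are handled here')
    fields = url[len('ldap:///'):].split('?') + [''] * 3
    base, attrs, scope, flt = (unquote(f) for f in fields[:4])
    return {'base': base, 'attrs': attrs, 'scope': scope or 'base', 'filter': flt}

def lookup_entry(url, directory=SAMPLE_DIRECTORY):
    """One-level search under base with a single (attr=value) equality filter,
    as the mapping step performs it; the mapping succeeds only when exactly one
    entry matches, so any other count returns None."""
    parts = parse_ldap_url(url)
    m = re.fullmatch(r'\((\w+)=([^()*]*)\)', parts['filter'])
    if parts['scope'] != 'one' or m is None:
        raise ValueError('only scope "one" with an equality filter is implemented')
    attr, value = m.group(1).lower(), m.group(2).lower()
    hits = []
    for dn, entry in directory.items():
        _rdn, _, parent = dn.partition(',')  # scope "one": parent must equal base
        if parent.lower() == parts['base'].lower() and entry.get(attr, '').lower() == value:
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None
```

A subject whose EMAIL value matches no entry, or matches more than one, yields None, which is the case to look for when ldapwhoami keeps reporting the raw subject instead of a dn:.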
With STARTTLS:

<code>
$ ldapwhoami -H ldap://ldap.example.com -Z
SASL/EXTERNAL authentication started
SASL username: [email protected],cn=dwho,o=SFL,l=Lyon,st=Rhone,c=FR
SASL SSF: 0
dn:uid=dwho,ou=users,dc=example,dc=com
</code>

With LDAPS:

<code>
$ ldapwhoami -H ldaps://ldap.example.com
SASL/EXTERNAL authentication started
SASL username: [email protected],cn=dwho,o=SFL,l=Lyon,st=Rhone,c=FR
SASL SSF: 0
dn:uid=dwho,ou=users,dc=example,dc=com
</code>

-- 
This mail was generated by DokuWiki at
http://ltb-project.org/wiki/
_______________________________________________
ltb-changes mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-changes
