On 11/06/2010, at 4:04 AM, Howard Chu wrote:

> Jérémy ESCOLANO wrote:
>> I tried to put host="srvLDAP" but it still doesn't work
>> 
>> Actually the problem is configuring my APACHE server to make it consider
>> these certificates.
>> I know there is an ldap.conf in the openLDAP directory (on the openLDAP server)
>> where you have to put :
>> 
>> TLS_CACERT      ./ssl2/cacert.cer
>> TLS_REQCERT     demand
>> 
>> but how can we specify it on the Apache server ?
> 
> Ask on an Apache forum.
> 
> 
You are probably correct in that you should be asking on an Apache forum. But 
anyway, here is a copy of my working apache config


        # Server-level mod_ldap settings. The CA that signed the LDAP server's
        # certificate goes in LDAPTrustedGlobalCert with a CA_* type; this is the
        # httpd.conf counterpart of TLS_CACERT in ldap.conf. LDAPTrustedClientCert
        # is for a client certificate (plus KEY_*) presented to the server, not for
        # a CA, and the OpenLDAP client library only reads PEM (*_BASE64) files, so
        # a *_DER entry is rejected.
        LDAPTrustedGlobalCert CA_BASE64 /usr/local/share/certs/cacert.pem
        # TLS means STARTTLS on the ldap:// port; use SSL with an ldaps:// URL.
        LDAPTrustedMode TLS

   <Directory /usr/local/www/nagios>
        # With Order deny,allow a matching Allow wins, so "Deny from all"
        # followed by "Allow from all" lets everyone through to the auth check.
        Order deny,allow
        Deny from all
        Allow from all
        AllowOverride none
        php_flag engine on
        php_admin_value open_basedir /usr/local/www/nagios/:/var/spool/nagios/

######
#<LDAP>
######

        # Basic auth only base64-encodes the password; serve this over HTTPS.
        AuthType Basic
        AuthName "Nagios"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPRemoteUserAttribute uid
        # host/base?attribute?scope must be on a single line
        AuthLDAPURL ldap://ldap.chocolate.lan/ou=Users,dc=chocolate,dc=lan?uid?sub
        AuthLDAPDereferenceAliases never
        # AuthLDAPGroupAttributeIsDN defaults to on, so the memberUid values are
        # compared against the user's full DN; set it to off if the group holds
        # plain uids (posixGroup style).
        AuthLDAPGroupAttribute memberUid
        #Require ldap-user william
        Require ldap-group cn=nagios,ou=Apache,ou=Nemo,ou=Group,dc=chocolate,dc=lan

######
#</LDAP>
######

   </Directory>

Also, a useful tool is the following; it tells you the current state of the LDAP 
cache on the server.

        <Location /server/cache-info>
                SetHandler ldap-status
                # The report lists cached usernames and DNs, so keep it off the
                # public side (added restriction; adjust the address as needed):
                Order allow,deny
                Allow from 127.0.0.1
        </Location>

This is currently set up for group-based authentication. Remember that your 
group memberUid needs to be the full DN of the user, rather than just the uid. 
Your certificates also need to be readable by the apache user, and you only 
need the cacert. 

> 
> -- 
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
