| Authentication | Users | Password |
|---|---|---|
| ✔ | | |

LL::NG uses the Apache SSL module, like any other Apache authentication module, with extra features:

You have to install mod_ssl for Apache.

For CentOS/RHEL:

```
yum install mod_ssl
```

In Debian/Ubuntu, mod_ssl is already shipped in the apache2.2-common package.

You can then use this default SSL configuration, for example in the head of /etc/lemonldap-ng/portal-apache2.conf:

```
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
```

ow2.cert, ow2.key, ow2-ca.cert:

If you specify the port in the virtual host, then declare the SSL port:

```
NameVirtualHost *:80
NameVirtualHost *:443
```

Edit the portal virtual host to enable SSL double authentication:

```
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
```

All SSL options are documented in the Apache mod_ssl page.

Here are the main options used by LL::NG:

- SSLVerifyClient optional: to allow a user with a bad certificate to access the LL::NG portal page. To switch to another authentication backend, use the Multi module, for example: Multi SSL;LDAP
- SSLOptions +StdEnvVars: to get certificate fields in environment variables

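One way to check a portal virtual host against the directives described above, as an added example (not LL::NG or Apache code). The function names are hypothetical, the sample input is constructed from this page's directives, and the SSLv3 and MEDIUM-cipher checks are extra hardening checks that the page itself does not state.

```python
# Constructed sample: SSL directives from this page, one per line.
PAGE_CONFIG = """\
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
"""

def parse_directives(text):
    """Map lower-cased directive name -> lower-cased args (last occurrence wins)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):  # comments, <VirtualHost> tags
            continue
        name, *args = line.split()
        found[name.lower()] = [a.lower() for a in args]
    return found

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if d.get("sslengine") != ["on"]:
        findings.append("SSLEngine is not On")
    verify = (d.get("sslverifyclient") or ["none"])[0]
    if verify not in ("optional", "require"):
        findings.append("SSLVerifyClient %s: client certificates are not requested or not verified" % verify)
    if not ({"sslcacertificatefile", "sslcacertificatepath"} & d.keys()):
        findings.append("no CA configured to verify client certificates")
    if "+stdenvvars" not in d.get("ssloptions", []):
        findings.append("SSLOptions lacks +StdEnvVars: certificate fields are not exported")
    if "sslusername" not in d:
        findings.append("SSLUserName is not set")
    # Added hardening checks (assumptions of this example, not from the page).
    proto = d.get("sslprotocol", [])
    if {"all", "sslv3", "+sslv3"} & set(proto) and "-sslv3" not in proto:
        findings.append("SSLProtocol does not explicitly disable SSLv3")
    if "medium" in ":".join(d.get("sslciphersuite", [])).split(":"):
        findings.append("SSLCipherSuite admits OpenSSL's MEDIUM strength class")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print("WARN:", finding)
```
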
In the Manager, go to General Parameters > Authentication modules and choose SSL for authentication.

Then, go to SSL parameters: