Authentication Users Password

LL::NG uses the Apache SSL module (mod_ssl), like any other Apache authentication module, with extra features:

  • Choice of any certificate attribute as the user's main login
  • Users without a certificate can fall back to (chain with) other authentication methods

You have to install mod_ssl for Apache.

For CentOS/RHEL:

yum install mod_ssl

On Debian/Ubuntu, mod_ssl is already shipped in the apache2.2-common package.

For CentOS/RHEL, we advise disabling the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf.

You can then use this default SSL configuration, for example at the top of /etc/lemonldap-ng/portal-apache2.conf:

SSLProtocol all -SSLv2
SSLCertificateFile /etc/httpd/certs/ow2.cert
SSLCertificateKeyFile /etc/httpd/certs/ow2.key
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert

Replace ow2.cert, ow2.key and ow2-ca.cert with your own files:
  • SSLCertificateFile: Server certificate
  • SSLCertificateKeyFile: Server private key
  • SSLCACertificateFile: CA certificate to validate client certificates

If you specify a port in the virtual host declarations, also declare the SSL port:

NameVirtualHost *:80
NameVirtualHost *:443

Edit the portal virtual host to enable SSL client certificate authentication (two-way SSL):

SSLEngine On
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars

All SSL options are documented on the Apache mod_ssl page.

Here are the main options used by LL::NG:

  • SSLVerifyClient: set to optional so that a user with a bad certificate can still reach the LL::NG portal page (to display an error or use another authentication method)
  • SSLOptions: set to +StdEnvVars to export the certificate fields as environment variables
  • SSLUserName (optional): certificate field used to identify the user in the LL::NG portal virtual host

In the Manager, go to General Parameters > Authentication modules and choose SSL for authentication.

You can then choose any other module for users and password.

Then go to SSL parameters:

  • Authentication level: authentication level for this module
  • Extracted certificate field: certificate field assigned to the $user internal variable
  • LDAP attribute used in filter: LDAP directory attribute used to map the extracted value to a user
  • SSL Required: if true, do not allow another authentication method when SSL certificate authentication fails (false by default).

The LDAP attribute used in filter is not required if you do not use an LDAP users database. In that case, the extracted certificate field value is used directly to match the user.
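The following Python script is an added example and is not LL::NG code. It models the decision path described above: mod_ssl (with SSLVerifyClient optional and SSLOptions +StdEnvVars) exports the client certificate as SSL_CLIENT_* environment variables; the portal takes the configured "Extracted certificate field" as $user, builds the LDAP filter from the "LDAP attribute used in filter", and the "SSL Required" flag decides whether a missing or failed certificate may chain to another module. The variable names SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_* are real mod_ssl names; the function names, the SslParams class and the sample request environments are constructed for this example. The LDAP filter escaping is added as the check a practitioner would want, since the certificate value is attacker-supplied input to the directory query.

```python
"""Simulation of the LL::NG SSL authentication decision (added example)."""
from dataclasses import dataclass


@dataclass
class SslParams:
    """Mirrors the four Manager settings under SSL parameters (names constructed)."""
    extracted_field: str = "SSL_CLIENT_S_DN_Email"  # Extracted certificate field
    ldap_filter_attr: str = "mail"                  # LDAP attribute used in filter
    ssl_required: bool = False                      # SSL Required (false by default)
    auth_level: int = 5                             # Authentication level


def escape_ldap_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The extracted certificate field ends up inside '(attr=value)', so the
    characters that carry filter syntax are hex-escaped before interpolation.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter(user: str, params: SslParams) -> str:
    """Filter the users module would run to map $user to a directory entry."""
    return "(%s=%s)" % (params.ldap_filter_attr, escape_ldap_value(user))


def authenticate_ssl(env: dict, params: SslParams) -> tuple:
    """Decide what the portal does with one request.

    Returns ("ok", user, level) when the certificate is valid and carries the
    configured field, ("chain", reason) when another authentication module
    may be tried, or ("denied", reason) when SSL Required blocks fallback.
    mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        reason = "no certificate" if verify == "NONE" else "verification " + verify
        return ("denied", reason) if params.ssl_required else ("chain", reason)
    user = env.get(params.extracted_field, "")
    if not user:
        reason = "certificate lacks field " + params.extracted_field
        return ("denied", reason) if params.ssl_required else ("chain", reason)
    return ("ok", user, params.auth_level)


# Constructed sample environments, as Apache would export them with +StdEnvVars.
VALID_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "Alice Example",
    "SSL_CLIENT_S_DN_Email": "alice@example.com",
}
NO_CERT_ENV = {"SSL_CLIENT_VERIFY": "NONE"}
BAD_CERT_ENV = {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate"}


if __name__ == "__main__":
    for name, env in (("valid", VALID_ENV), ("none", NO_CERT_ENV), ("bad", BAD_CERT_ENV)):
        for required in (False, True):
            result = authenticate_ssl(env, SslParams(ssl_required=required))
            print("%-5s ssl_required=%-5s -> %s" % (name, required, result))
    print(ldap_filter("a*b(c)", SslParams()))
```

With SSL Required left at its default (false), both the missing-certificate and the failed-verification cases return "chain", which is the behaviour SSLVerifyClient optional is meant to enable; setting it to true turns both into "denied". Using SSL_CLIENT_S_DN_CN as the extracted field instead of the e-mail address is a matter of changing extracted_field and ldap_filter_attr together, since the two must refer to the same identity attribute.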