How To: Apache LDAP Auth with Encryption


Environment

A third-party Linux server (e.g. Ubuntu) should use the UCS LDAP to authenticate users for directory access, and the communication should be encrypted.

Note: To enable LDAP authentication without encryption, use these steps (German).
Note 2: The following steps assume that unencrypted authentication already works.

Step 1

Create a user with permission to log on to LDAP (this account is used for the bind in Step 2):
uid=queryuser

Step 2

Configure the directory to be protected:

<Directory "/var/www/html/ldap_test">
AuthType Basic
AuthName "LDAP TEST"
Require valid-user
AuthBasicProvider ldap

AuthLDAPURL "ldap://master.multi.ucs backup.multi.ucs:7389/ou=People,dc=multi,dc=ucs?uid" TLS
AuthLDAPBindDN "uid=queryuser,cn=users,dc=multi,dc=ucs"
AuthLDAPBindPassword "PASSWORD"
</Directory>

Step 3

Transfer the CA certificates from UCS master to your server:
root@ubuntu:~ # mkdir -p /etc/univention/ssl/ucsCA/
root@ubuntu:~ # wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://master.multi.ucs/ucs-root-ca.crt

Step 4

Configure the LDAP module accordingly, so that mod_ldap trusts the UCS root CA when verifying the server certificate:
root@ubuntu:~ # echo "LDAPTrustedGlobalCert CA_BASE64 /etc/univention/ssl/ucsCA/CAcert.pem" >> /etc/apache2/conf-available/ldap.conf

Step 5

Enable the configuration:
root@ubuntu:~ # a2enconf ldap

Step 6

Restart Apache:
root@ubuntu:~ # systemctl restart apache2
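As an added check that is not part of the original howto, the following script verifies the result of Steps 2 to 4: every AuthLDAPURL requests an encrypted mode, LDAPTrustedGlobalCert points at a real CA certificate, and a StartTLS bind as the query user actually succeeds against the UCS master. It assumes the <Directory> block was saved as /etc/apache2/sites-available/ldap_test.conf and otherwise uses the paths, hostnames and DNs from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity-check the Apache
# LDAP setup from the steps above before or after restarting apache2.
# Assumed path: the <Directory> block lives in
# /etc/apache2/sites-available/ldap_test.conf; CA file and DNs are the
# ones used in the howto.

# check_authldapurl FILE -> 0 if FILE has at least one AuthLDAPURL and
# every one of them uses ldaps:// or ends with TLS, STARTTLS or SSL.
check_authldapurl() {
    total=$(grep -Eic '^[[:space:]]*AuthLDAPURL[[:space:]]' "$1" || true)
    secure=$(grep -Eic '^[[:space:]]*AuthLDAPURL[[:space:]]+("?ldaps://|.*[[:space:]](TLS|STARTTLS|SSL)[[:space:]]*$)' "$1" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$secure" ]
}

# check_trusted_ca FILE -> 0 if LDAPTrustedGlobalCert in FILE points at a
# readable PEM file that openssl recognises as a CA certificate.
check_trusted_ca() {
    cert=$(sed -nE 's/^[[:space:]]*LDAPTrustedGlobalCert[[:space:]]+[A-Za-z0-9_]+[[:space:]]+([^[:space:]]+).*/\1/p' "$1" | head -n 1)
    [ -n "$cert" ] && [ -r "$cert" ] &&
        openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_starttls -> live bind as queryuser over StartTLS; -ZZ makes
# ldapsearch fail unless StartTLS succeeds and the server certificate
# verifies against the UCS root CA. Prompts for the bind password.
check_starttls() {
    LDAPTLS_CACERT=/etc/univention/ssl/ucsCA/CAcert.pem \
    ldapsearch -ZZ -H ldap://master.multi.ucs:7389 \
        -D "uid=queryuser,cn=users,dc=multi,dc=ucs" -W \
        -b "ou=People,dc=multi,dc=ucs" -s one "(uid=queryuser)" uid >/dev/null
}

# Run all three checks when invoked as: sh check_ldap_auth.sh --run
if [ "${1:-}" = "--run" ]; then
    site=/etc/apache2/sites-available/ldap_test.conf
    check_authldapurl "$site" && echo "AuthLDAPURL: encrypted mode set" || echo "AuthLDAPURL: NOT encrypted"
    check_trusted_ca /etc/apache2/conf-available/ldap.conf && echo "CA: ok" || echo "CA: missing or not a CA"
    check_starttls && echo "StartTLS bind: ok" || echo "StartTLS bind: FAILED"
fi
```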
