So, I've been trying the whole day to get this Apache 2.2 installation to authenticate against an Active Directory LDAP over a secure connection. These are Ubuntu settings, particularly for 10.04 LTS (they probably work on other Debian and RedHat versions as well).
First, I exported the CA from my browser (IE9) via Internet Options > Content > Certificates > Trusted Root Certification Authorities, picked the one issued by Active Directory, and saved it as a Base64-encoded file (by default OpenSSL works with this format rather than DER), then copied the file to the Linux server as /certs/cert.cer.
Second, edit httpd.conf in /etc/apache2 so that it contains this line:
LDAPTrustedGlobalCert CA_BASE64 /certs/cert.cer
Third step is to add your LDAP configuration to your website inside a container tag in /etc/apache2/sites-enabled/000-default (or whatever path your website uses), adding the following:
AuthName "AD Authentication"
This assumes that you have an AD server at IP xx.xx.xx.xx with port 636 (LDAPS) open, that there is a user called "user" in the specified OU whose DN is the one given in AuthLDAPBindDN, with the password "passforuser", and that AuthLDAPURL is the query Apache sends to the Active Directory server. Instead of "Require valid-user" you can require different things, such as a specific user or a specific group. Save the website file after doing this. And there is one more step.
Fourth step, and the last one before restarting Apache, is to edit ldap.conf. I don't know for sure where this file lives on RedHat, but on Debian (and in my case, Ubuntu 10.04 LTS) it is /etc/ldap/ldap.conf. Edit this file (of course, there are some commented-out options already) and add this line:
Restart Apache, and that's it.
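Here is how the pieces from steps two and three fit together in one place, as an added example assembled for this post rather than the post's own configuration. The server-wide LDAPTrustedGlobalCert line is the one from step two; everything inside the Location block is step three with the directives named above filled in. The container name (Location /secure), the OU and DC values, the bind DN, the sAMAccountName filter and the xx.xx.xx.xx address are assumptions and placeholders, not values from the post.

```apache
# Added example, not the original post's config: Apache 2.2 LDAPS auth against AD.
# Host, DN, OU, password and URL path values are assumptions / placeholders.

# --- /etc/apache2/httpd.conf (server-wide, step two) ---
LDAPTrustedGlobalCert CA_BASE64 /certs/cert.cer
# Reject the connection if the domain controller's certificate does not chain
# to that CA; this is what makes the "secure connection" actually verified.
LDAPVerifyServerCert On

# --- /etc/apache2/sites-enabled/000-default (inside the vhost, step three) ---
<Location /secure>
    AuthType Basic
    AuthName "AD Authentication"
    AuthBasicProvider ldap

    # Bind account used to search the directory. It only needs read access to
    # the search base, so use an unprivileged service account, not an admin.
    AuthLDAPBindDN "CN=user,OU=ServiceAccounts,DC=example,DC=local"
    AuthLDAPBindPassword "passforuser"

    # ldaps:// on 636: search base, attribute matched against the login name,
    # subtree scope, and a filter restricting matches to user objects.
    AuthLDAPURL "ldaps://xx.xx.xx.xx:636/OU=Users,DC=example,DC=local?sAMAccountName?sub?(objectClass=user)"

    # Do not fall through to other authz providers if LDAP says no.
    AuthzLDAPAuthoritative On

    Require valid-user
    # Alternatives mentioned in the post (examples of the 2.2 syntax):
    # Require ldap-user jdoe
    # Require ldap-group CN=WebAdmins,OU=Groups,DC=example,DC=local
</Location>
```

Two practical notes. The bind password sits in clear text in the site file, so keep that file readable only by root (Apache reads its configuration before dropping privileges) and treat the account as a low-privilege credential. Before restarting Apache you can also confirm that the exported CA really issued the domain controller's certificate by running openssl s_client -connect xx.xx.xx.xx:636 -CAfile /certs/cert.cer on the Linux box; a "Verify return code: 0 (ok)" line means LDAPVerifyServerCert will accept the chain. For step four, the ldap.conf line itself did not survive on this page; on Ubuntu the OpenLDAP client directive that points at the same CA file is TLS_CACERT /certs/cert.cer, which is my assumption about what belongs there, not the post's own line.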