LDAP with SSL and TLS

SSL will be used if you use ldaps://servername in your configuration profile. TLS can be activated with the "Activate TLS" option.

If your LDAP server uses a SSL certificate of a well-know certificate authority (CA) then you probably need no changes. If you use a custom CA in your company then there are two ways to setup the CA certificates.

Setup SSL certificates in LAM general settings

This is much easier than system level setup and will only affect LAM. There might be some cases where other web applications on the same web server are influenced.

See here for details.

Setup SSL certificates on system level

This will make the CA certificates available also to other applications on your system (e.g. other web applications).

You will need to setup ldap.conf to trust your server certificate. Some installations use /etc/ldap.conf and some use /etc/ldap/ldap.conf. It is a good idea to symlink /etc/ldap.conf to /etc/ldap/ldap.conf. Specify the server CA certificate with the following option:

TLS_CACERT /etc/ldap/ca/myCA/cacert.pem

This needs to be the public part of the signing certificate authority. See "man ldap.conf" for additional options.


You may also need to specify the CA certificate in your Apache configuration by using the option "LDAPTrustedGlobalCert":

LDAPTrustedGlobalCert CA_BASE64 /etc/ldap/ca/myCA/cacert.pem