Another solution is 'stunnel', which is working great for me:
As an example, let's say you want dekiwiki to communicate with your LDAP or Active Directory server over SSL in order to prevent user passwords and bind information from being transmitted in clear text. To accomplish this (without modifying dekiwiki's source code...at least, for the current 1.8.3c), you will need to tell dekiwiki that 'localhost' is the LDAP server instead of the normal LDAP server/hostname. This is because you will configure stunnel to listen for all requests on localhost and then forward the LDAP request over an SSL tunnel to the real LDAP server.
First, you would need to install stunnel and create a stunnel.conf configuration file like the following and place it in /etc/stunnel/:
[ldap]
accept = 389
client = yes
connect = your.corp.domain.com:636
- '[ldap]' is just an arbitrary name, you can place any name you want inside the brackets
- Dekiwiki is hard coded to use port 389 (which is the usual port for unencrypted LDAP traffic), which is why stunnel is configured to listen on that port on localhost.
- 'client = yes' just means that stunnel is acting as a client to the real LDAP server.
- The final 'connect' tells stunnel where the real LDAP server is. Port 636 is the default port for LDAP SSL traffic on the remote server.
- NOTE: There are many more options you can use, so refer to the documentation for configuring stunnel to run in chroot, etc.
Next, to start up stunnel manually on a Linux box you would type the following command:
root@host# stunnel /etc/stunnel/stunnel.conf
I've recently written and attached an init.d script for stunnel, so you can easily schedule stunnel to start at boot time. The attachment (stunnel.zip) includes the init.d script and some VERY basic instructions to get you started.
Next, configure the 'hostname' parameter in dekiwiki's LDAP service configuration screen to point to 'localhost' instead of the real LDAP server.
Everything should now work like a charm (if I didn't miss writing down a step, that is).
NOTE: You will also want to configure dekiwiki's login screen to be protected with SSL (https). It would be pointless to have your password encrypted to the LDAP server, but not from the client browser login screen to the dekiwiki web server. I haven't gotten to this point yet, but if someone can point to another thread for instructions, it would be much appreciated.
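As an added example (my own, not from the post above and not from the dekiwiki or stunnel projects), the POSIX sh script below writes the [ldap] section as posted next to a hardened variant and runs an awk check over a stunnel.conf that flags two things the minimal config leaves open: stunnel does not verify the server certificate unless told to, so the posted section accepts whatever certificate answers on port 636 (a man-in-the-middle between the wiki host and the directory would not be noticed), and 'accept = 389' with no address binds every interface, so any host that can reach port 389 on the wiki box gets a plaintext path into the directory through the tunnel. Assumed here: stunnel 5.x option names (verifyChain, checkHost, CAfile; stunnel 4.x spelled the first one 'verify = 2'), a Debian-style CA bundle at /etc/ssl/certs/ca-certificates.crt, and that verification options live in the service section rather than the global one (the check does not inherit global options).

```shell
#!/bin/sh
# Added example (not from the original post): audit a client-mode stunnel
# service section for the two weaknesses the post's minimal config has.
#
# Assumptions: stunnel 5.x option names (verifyChain, checkHost; stunnel 4.x
# used "verify = 2" instead) and a Debian-style CA bundle path. Only the
# service section is inspected; options set in the global section are not
# inherited by this check, so put verification settings in the [ldap] section.

# The config as posted: works, but stunnel verifies nothing by default, so any
# server that answers on port 636 is accepted, and "accept = 389" with no
# address binds every interface, turning the host into a plaintext LDAP relay.
write_weak_conf() {
    cat > "$1" <<'EOF'
[ldap]
accept = 389
client = yes
connect = your.corp.domain.com:636
EOF
}

# Hardened version: loopback-only listener, chain verification against a CA
# bundle, and a host-name check so a valid certificate for some other host
# signed by the same CA is still rejected. (CAfile path is an assumption.)
write_hardened_conf() {
    cat > "$1" <<'EOF'
[ldap]
accept = 127.0.0.1:389
client = yes
connect = your.corp.domain.com:636
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = your.corp.domain.com
EOF
}

# check_stunnel_conf FILE: print one line per finding, exit 1 if any.
check_stunnel_conf() {
    awk '
    function flush(    k) {
        if (sec != "" && opt["client"] == "yes") {
            if (opt["verifychain"] != "yes" && opt["verify"] + 0 < 2) {
                print sec ": server certificate not verified (add verifyChain = yes and CAfile)"; bad = 1
            } else if (opt["cafile"] == "" && opt["capath"] == "") {
                print sec ": verification enabled but no CAfile/CApath to verify against"; bad = 1
            }
            if (opt["checkhost"] == "") {
                print sec ": no checkHost, any certificate from the trusted CA is accepted"; bad = 1
            }
            if (opt["accept"] !~ /^(127\.0\.0\.1|localhost):/) {
                print sec ": accept = " opt["accept"] " listens on all interfaces, bind to 127.0.0.1"; bad = 1
            }
        }
        for (k in opt) delete opt[k]
    }
    BEGIN { bad = 0; sec = "" }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ { flush(); sec = $0; gsub(/\[|]|[ \t]/, "", sec); next }
    index($0, "=") {                                 # key = value
        k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        opt[tolower(k)] = v                          # stunnel option names are case-insensitive
    }
    END { flush(); exit bad }
    ' "$1"
}

# Demo: write both configs to a temp dir and run the check on each.
tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/stunnel.conf"
check_stunnel_conf "$tmp/weak.conf" || echo "weak.conf: rejected (expected)"
check_stunnel_conf "$tmp/stunnel.conf" && echo "stunnel.conf: OK"
rm -rf "$tmp"
```

Run it against your real /etc/stunnel/stunnel.conf with 'check_stunnel_conf /etc/stunnel/stunnel.conf' after sourcing the script; a clean run prints nothing and exits 0. The checkHost line is the one most often forgotten: verifyChain alone only proves the certificate chains to a trusted CA, not that it was issued for your LDAP server.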