Posted to users@httpd.apache.org by "Scheible, Paul" <sc...@montana.edu> on 2008/03/13 17:02:57 UTC

[users@httpd] mod_ldap rejecting apparently valid server certificate for secure ldap against active directory

I have a couple of apache web server installations that have been unable
to connect to an Active Directory server after its certificate was
renewed.  The two installations I attempted to use were versions 2.0.59
and 2.2.8 both installed on Windows (Win2003 Server and WinXPSP2,
respectively).  Prior to the certificate renewal, the 2.0.59
installation worked without issue.  Since I don't control the AD server,
I am not certain of the exact procedure used to renew the certificate.
I was told that the procedure used was Microsoft's recommended
procedure.  I also know that both the server certificate and the root
certificate had to be renewed.  Finally, WebSphere Application Server
running on an iSeries machine and a WinXP machine was able to use the
new certificate to establish a secure connection.  (Hence, the comment
that the certificate was apparently valid.)

I tried turning on debug logs in Apache but found nothing that indicated
the reason the certificate was being rejected.  The regular error logs
merely said that the LDAP server was down or unavailable depending on
which Apache installation.  Wireshark logs indicated that the client was
killing the connection immediately after the server sent its
certificate.  I went through that certificate and it appeared to match
perfectly with the certificate I saved from the AD server.  Later, I
attempted to connect using a version 2.2.4 installation on an Ubuntu
7.10 box.  The Wireshark logs there indicated that it was the server
that was killing the connection.  The owners of the AD server finally
reissued the root certificate and the original Apache configurations
worked without a problem.  At this point, we have something working but
we would very much like to know what happened and why.  Can anyone shed
some light on this?

Thank you for your time,
Paul Scheible

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_ldap rejecting apparently valid server certificate for secure ldap against active directory

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Scheible, Paul wrote:
> I have a couple of apache web server installations that have been unable
> to connect to an Active Directory server after its certificate was
> renewed.  The two installations I attempted to use were versions 2.0.59
> and 2.2.8 both installed on Windows (Win2003 Server and WinXPSP2,
> respectively). [...] I also know that both the server certificate and 
> the root certificate had to be renewed.

On a /default/ windows build, such as shipped by the ASF, the ldap auth
uses the WLDAP32 API from Microsoft itself.  It sounds like MS's LDAP was
throwing away the invalid connection because it did not recognize the root
cert or its CA chain as authoritative.

Note; there are several bug fixes on apr trunk/1.2.x and httpd trunk/2.2.x
proposed for backport to the next release related to MS LDAP.

> The owners of the AD server finally
> reissued the root certificate and the original Apache configurations
> worked without a problem.  At this point, we have something working but
> we would very much like to know what happened and why.  Can anyone shed
> some light on this?

Well; it's also possible it was invalid, and the other LDAP servers were
simply more permissive.

Bill
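Bill's point is that the Windows build delegates the LDAPS handshake to WLDAP32, which trusts whatever the machine's certificate store trusts, and Apache's own logs never say which chain check failed. The diagnostic below is an added example, not code from the thread or from httpd; it drives a TLS handshake through the Windows SChannel stack via .NET SslStream (the same trust store WLDAP32 consults, though not the WLDAP32 library itself), reports the exact chain status, and checks whether the chain's root is in the machine's Trusted Root store. $Server and $Port are assumed placeholder values.

```powershell
# Added diagnostic (not from the thread): report why SChannel does or does not
# trust an LDAPS server certificate, using the machine store WLDAP32 relies on.
param(
    [string]$Server = "ad.example.com",   # assumed: AD host name as it appears in the cert
    [int]$Port      = 636                 # assumed: standard LDAPS port
)

$result = @{}                              # filled in by the validation callback
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $sslPolicyErrors)
    $result.PolicyErrors = $sslPolicyErrors          # None, ChainErrors, NameMismatch, ...
    # Each ChainStatus entry names one failure, e.g. UntrustedRoot or PartialChain
    $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object {
        "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() })
    # Elements run leaf first, root (or last reachable issuer) last
    $result.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true   # accept here so the handshake completes; a real client would refuse
}

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)     # hostname check is performed against $Server
    "Handshake OK: {0}, cipher {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm
} catch {
    # A server-side reset shows up here; a client-side rejection shows up in ChainStatus
    "Handshake failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

if ($result.Chain) {
    "Policy errors: $($result.PolicyErrors)"
    $result.ChainStatus | ForEach-Object { "  chain: $_" }
    $result.Chain | ForEach-Object {
        "  {0}  {1}  (expires {2})" -f $_.Thumbprint, $_.Subject, $_.NotAfter
    }
    # A renewed root must be present in LocalMachine\Root, else SChannel reports UntrustedRoot
    $root    = $result.Chain[-1]
    $trusted = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if ($trusted) { "Root '$($root.Subject)' is in LocalMachine\Root" }
    else          { "Root '$($root.Subject)' is NOT in LocalMachine\Root (re-import the renewed root)" }
}
```

Run it on the same machine that hosts Apache, since it is that machine's store, not the AD server's, that decides whether the renewed root is authoritative.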



RE: [users@httpd] mod_ldap rejecting apparently valid server certificate for secure ldap against active directory

Posted by "Scheible, Paul" <sc...@montana.edu>.
I guess I should probably have mentioned that I did use ldp.exe to check
the connection without any issues.  The Windows Crypto Shell Extensions
also reported that the certificate was valid.

Thanks,
Paul Scheible

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Friday, March 14, 2008 8:46 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] mod_ldap rejecting apparently valid server
certificate for secure ldap against active directory

On Thu, Mar 13, 2008 at 12:02 PM, Scheible, Paul <sc...@montana.edu>
wrote:
>  Finally, WebSphere Application Server
>  running on an iSeries machine and a WinXP machine was able to use the
>  new certificate to establish a secure connection.  (Hence, the
>  comment
>  that the certificate was apparently valid.)

Ideally, you'd want to test with something that hooks into the same
ldap/ssl libs picked up by apache. Perhaps ldp.exe on the affected
system.

Very peculiar that the different failing versions of apache seem to
have the tcp connection closed from opposite directions -- for me
that's the only real thing that doesn't mesh.

Vista+ has a mechanism for doing LDAP tracing, but I don't know if
there's a less flexible trace available in earlier versions:
http://msdn2.microsoft.com/en-us/library/aa366152.aspx


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] mod_ldap rejecting apparently valid server certificate for secure ldap against active directory

Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 13, 2008 at 12:02 PM, Scheible, Paul <sc...@montana.edu> wrote:
>  Finally, WebSphere Application Server
>  running on an iSeries machine and a WinXP machine was able to use the
>  new certificate to establish a secure connection.  (Hence, the comment
>  that the certificate was apparently valid.)

Ideally, you'd want to test with something that hooks into the same
ldap/ssl libs picked up by apache. Perhaps ldp.exe on the affected
system.

Very peculiar that the different failing versions of apache seem to
have the tcp connection closed from opposite directions -- for me
that's the only real thing that doesn't mesh.

Vista+ has a mechanism for doing LDAP tracing, but I don't know if
there's a less flexible trace available in earlier versions:
http://msdn2.microsoft.com/en-us/library/aa366152.aspx


-- 
Eric Covener
covener@gmail.com
