Posted to users@httpd.apache.org by ld...@orange-ftgroup.com on 2010/06/02 10:58:54 UTC

[users@httpd] LDAP authnz with SSL

Hello,
 
I use authnz_ldap_module in my Apache server configuration to verify
authorizations in LDAP before forwarding the HTTP request to another
server (I use Apache as a reverse proxy).
I have no problem accessing LDAP in http mode, but it doesn't work
with SSL.
 
My conf looks like this:
 
<Location server2>
ProxyPass http://server2/
ProxyPassReverse  http://server2
AuthType basic
AuthName server2
AuthBasicProvider ldap
AuthLDAPUrl "ldaps://ldap:636/ou=**,dc=**" NONE
AuthLDAPBindDN "cn=**,dc=**"
AuthLDAPBindPassword **
Require valid-user
Require ldap-filter &(**)(**)
Allow from all
</Location>

So before forwarding to server2, I verify that the user is allowed to go
to server2 in LDAP.
This works very well if I use "ldap" instead of ldaps in the URL, and
port 389 instead of 636. I don't know why it doesn't work with a secure
connection.
If I use the same parameters (ldaps, port 636) with the JXplorer LDAP
client, I can connect to the LDAP server successfully, so the server is
configured correctly to accept secure connections.
 
NB: I have activated the mod_ssl module in my httpd conf.
 
Do you have an idea for this?
 
Thanks 
 
Loic
 

RE: [users@httpd] LDAP authnz with SSL

Posted by ld...@orange-ftgroup.com.
It works now, I just added 

LDAPVerifyServerCert off
LDAPTrustedMode SSL 

to httpd.conf.

Thanks for your help.

Loic

-----Original Message-----
From: Emmanuel Bailleul [mailto:Emmanuel.Bailleul@telindus.fr] 
Sent: Wednesday 2 June 2010 15:53
To: users@httpd.apache.org
Subject: RE: [users@httpd] LDAP authnz with SSL

> -----Original Message-----
> From: ldescotte.ext@orange-ftgroup.com [mailto:ldescotte.ext@orange-ftgroup.com]
> Sent: Wednesday 2 June 2010 12:15
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] LDAP authnz with SSL
> 
> I didn't need to set any certificate file on JXPlorer but I can
> connect to LDAP in https with the client, so I don't think it is
> needed.
> 
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Wednesday 2 June 2010 12:11
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] LDAP authnz with SSL
> 
> On Wed, Jun 2, 2010 at 5:06 AM,  <ld...@orange-ftgroup.com> wrote:
> > Here is the error I'm getting when I try to contact the LDAP server with SSL:
> >
> >  [warn] [client ****] [12740] auth_ldap authenticate: user *** 
> > authentication failed; URI server2 [LDAP: ldap_simple_bind_s() 
> > failed][Can't contact LDAP server]
> >
> 
> Wouldn't you need to teach it about a trusted CA for the LDAP server
> (LDAPTrustedGlobalCert)?
> 
> --
> Eric Covener
> covener@gmail.com
> 

Hi,

Rather than using JXPlorer, you may at least try with ldapsearch on the same box.
Btw, have you configured your ldap.conf file for "TLS support" (the minimum being the "TLS_REQCERT" parameter)?
A quick Google search gives for example (in French, but that may be of interest to you...):
http://arnofear.free.fr/linux/template.php?tuto=2&page=5

Regards

Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
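Added example, not configuration posted by anyone in this thread: the setting that made the connection work above, LDAPVerifyServerCert off, stops httpd from checking the directory server's certificate at all, so the ldaps:// handshake no longer proves which host answered and the bind DN, bind password and each user's Basic-auth password go to whatever answers on port 636. The fragment below shows that form beside one that keeps verification on and instead trusts the CA that issued the LDAP server's certificate, which is what Eric Covener's LDAPTrustedGlobalCert suggestion amounts to. The host name, CA file path, DNs, filter and bind password are placeholders.

```apache
# Added example, not the poster's httpd.conf. Host, paths, DNs, filter and
# the bind password are placeholders; adjust them to your environment.

# --- What the thread settled on: certificate checking switched off.
# httpd completes the TLS handshake with any certificate, so the session
# says nothing about which host is on the other end.
#
#   LDAPTrustedMode SSL
#   LDAPVerifyServerCert off

# --- Hardened form: tell mod_ldap which CA signed the directory's
# certificate and leave verification on (on is the default). Both
# directives are server-config level, so they live in httpd.conf,
# not inside <Location>. CA_BASE64 means a PEM-encoded CA certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ldap-ca.pem
LDAPVerifyServerCert on

<Location /server2>
    ProxyPass        http://server2/
    ProxyPassReverse http://server2/

    AuthType Basic
    AuthName "server2"
    AuthBasicProvider ldap
    # ldaps:// already selects SSL mode (mod_ldap docs: an ldaps:// URL
    # forces SSL and LDAPTrustedMode is ignored), so no trailing mode
    # keyword is needed. The host name must match the certificate's
    # subject or SAN, so use the directory's real name, not a short alias.
    AuthLDAPUrl "ldaps://ldap.example.com:636/ou=people,dc=example,dc=com"
    AuthLDAPBindDN "cn=httpd-bind,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "bind-password-placeholder"

    # Placeholder filter: only entries matching it are authorized, so the
    # filter alone decides who may reach server2.
    Require ldap-filter &(objectClass=person)(ou=server2-users)
</Location>
```

Emmanuel's suggestion to try ldapsearch on the same box is the quickest way to validate the CA file before touching httpd: on a typical build where httpd's mod_ldap sits on the OpenLDAP client library, ldapsearch and mod_ldap both read ldap.conf (TLS_CACERT, TLS_REQCERT), so an ldapsearch against ldaps://ldap.example.com:636 that succeeds with TLS_REQCERT set to demand shows the CA file and host name are right, and the same file can then be given to LDAPTrustedGlobalCert. "Can't contact LDAP server" with verification on but no trusted CA is the expected failure; turning verification off trades that error for a silent loss of server authentication.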



RE: [users@httpd] LDAP authnz with SSL

Posted by Emmanuel Bailleul <Em...@telindus.fr>.
> -----Original Message-----
> From: ldescotte.ext@orange-ftgroup.com [mailto:ldescotte.ext@orange-ftgroup.com]
> Sent: Wednesday 2 June 2010 12:15
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] LDAP authnz with SSL
> 
> I didn't need to set any certificate file on JXPlorer but I can connect to
> LDAP in https with the client, so I don't think it is needed.
> 
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Wednesday 2 June 2010 12:11
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] LDAP authnz with SSL
> 
> On Wed, Jun 2, 2010 at 5:06 AM,  <ld...@orange-ftgroup.com> wrote:
> > Here is the error I'm getting when I try to contact the LDAP server with SSL:
> >
> >  [warn] [client ****] [12740] auth_ldap authenticate: user ***
> > authentication failed; URI server2 [LDAP: ldap_simple_bind_s()
> > failed][Can't contact LDAP server]
> >
> 
> Wouldn't you need to teach it about a trusted CA for the LDAP server
> (LDAPTrustedGlobalCert)?
> 
> --
> Eric Covener
> covener@gmail.com
> 

Hi,

Rather than using JXPlorer, you may at least try with ldapsearch on the same box.
Btw, have you configured your ldap.conf file for "TLS support" (the minimum being the "TLS_REQCERT" parameter)?
A quick Google search gives for example (in French, but that may be of interest to you...):
http://arnofear.free.fr/linux/template.php?tuto=2&page=5

Regards

Emmanuel


RE: [users@httpd] LDAP authnz with SSL

Posted by ld...@orange-ftgroup.com.
I didn't need to set any certificate file on JXPlorer but I can connect to LDAP in https with the client, so I don't think it is needed.

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Wednesday 2 June 2010 12:11
To: users@httpd.apache.org
Subject: Re: [users@httpd] LDAP authnz with SSL

On Wed, Jun 2, 2010 at 5:06 AM,  <ld...@orange-ftgroup.com> wrote:
> Here is the error I'm getting when I try to contact the LDAP server with SSL:
>
>  [warn] [client ****] [12740] auth_ldap authenticate: user *** 
> authentication failed; URI server2 [LDAP: ldap_simple_bind_s() 
> failed][Can't contact LDAP server]
>

Wouldn't you need to teach it about a trusted CA for the LDAP server (LDAPTrustedGlobalCert)?

--
Eric Covener
covener@gmail.com


Re: [users@httpd] LDAP authnz with SSL

Posted by Eric Covener <co...@gmail.com>.
On Wed, Jun 2, 2010 at 5:06 AM,  <ld...@orange-ftgroup.com> wrote:
> Here is the error I'm getting when I try to contact the LDAP server with SSL:
>
>  [warn] [client ****] [12740] auth_ldap authenticate: user ***
> authentication failed; URI server2 [LDAP: ldap_simple_bind_s() failed][Can't
> contact LDAP server]
>

Wouldn't you need to teach it about a trusted CA for the LDAP server
(LDAPTrustedGlobalCert)?

-- 
Eric Covener
covener@gmail.com


RE: [users@httpd] LDAP authnz with SSL

Posted by ld...@orange-ftgroup.com.
Here is the error I'm getting when I try to contact the LDAP server with SSL:
 
 [warn] [client ****] [12740] auth_ldap authenticate: user ***
authentication failed; URI server2 [LDAP: ldap_simple_bind_s()
failed][Can't contact LDAP server]
 
Thanks
 
Loic

________________________________

From: ldescotte.ext@orange-ftgroup.com
[mailto:ldescotte.ext@orange-ftgroup.com] 
Sent: Wednesday 2 June 2010 10:59
To: users@httpd.apache.org
Subject: [users@httpd] LDAP authnz with SSL


Hello,
 
I use authnz_ldap_module in my Apache server configuration to verify
authorizations in LDAP before forwarding the HTTP request to another
server (I use Apache as a reverse proxy).
I have no problem accessing LDAP in http mode, but it doesn't work
with SSL.
 
My conf looks like this:
 
<Location server2>
ProxyPass http://server2/
ProxyPassReverse  http://server2
AuthType basic
AuthName server2
AuthBasicProvider ldap
AuthLDAPUrl "ldaps://ldap:636/ou=**,dc=**" NONE
AuthLDAPBindDN "cn=**,dc=**"
AuthLDAPBindPassword **
Require valid-user
Require ldap-filter &(**)(**)
Allow from all
</Location>

So before forwarding to server2, I verify that the user is allowed to go
to server2 in LDAP.
This works very well if I use "ldap" instead of ldaps in the URL, and
port 389 instead of 636. I don't know why it doesn't work with a secure
connection.
If I use the same parameters (ldaps, port 636) with the JXplorer LDAP
client, I can connect to the LDAP server successfully, so the server is
configured correctly to accept secure connections.
 
NB: I have activated the mod_ssl module in my httpd conf.
 
Do you have an idea for this?
 
Thanks 
 
Loic