Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/02/09 07:57:02 UTC

[Bug 65875] New: ldap_simple_bind fail for LDAPS authentication with Microsoft SDK

https://bz.apache.org/bugzilla/show_bug.cgi?id=65875

            Bug ID: 65875
           Summary: ldap_simple_bind fail for LDAPS authentication with
                    Microsoft SDK
           Product: Apache httpd-2
           Version: 2.4.41
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ldap
          Assignee: bugs@httpd.apache.org
          Reporter: edouard.bouault@safrangroup.com
  Target Milestone: ---

Hello,
I have been trying to implement LDAPS authentication between an Apache server
using the Microsoft SDK and an Ubuntu-based OpenLDAP server.

According to the mod_ldap documentation, SSL with this LDAP SDK is supported
and the trusted certificate is configured at a system level.

My configuration is pretty basic. Here is the Apache configuration relevant to
LDAPS authentication:

AuthName "Active Directory authentication"
AuthBasicProvider ldap
AuthType Basic
AuthLDAPURL "ldaps://openldap.test.com/dc=example,dc=com?uid?sub?"

The OpenLDAP server allows anonymous binds and ldaps connections.
My OpenLDAP server's certificate was added to the local machine certificate
store.

Using this configuration, LDAP authentication without SSL works correctly, but
when I change the "ldap" in my URL to "ldaps", my web site goes to "Error 500"
after prompting for username/password.

In my Apache error log, I find the following:

[Thu Jan 27 16:45:53.556671 2022] [authz_core:debug] [pid 3848:tid 1536]
mod_authz_core.c(817): [client 127.0.0.1:50198] AH01626: authorization result
of Require ldap-group cn=apache,ou=Groups,dc=example,dc=com: denied (no
authenticated user yet)
[Thu Jan 27 16:45:53.556671 2022] [authz_core:debug] [pid 3848:tid 1536]
mod_authz_core.c(817): [client 127.0.0.1:50198] AH01626: authorization result
of <RequireAny>: denied (no authenticated user yet)
[Thu Jan 27 16:45:53.556671 2022] [authnz_ldap:debug] [pid 3848:tid 1536]
mod_authnz_ldap.c(522): [client 127.0.0.1:50198] AH01691: auth_ldap
authenticate: using URL ldaps://openldap.test.com/dc=example,dc=com?uid?sub?
[Thu Jan 27 16:45:53.619179 2022] [authnz_ldap:info] [pid 3848:tid 1536]
[client 127.0.0.1:50198] AH01695: auth_ldap authenticate: user ldapuser
authentication failed; URI / [LDAP: ldap_simple_bind() failed][]

In my OpenLDAP error log, I find the following:

[07-02-2022 13:11:44] slapd debug  conn=1004 fd=14 ACCEPT from
IP=XXX.XXX.XXX.XXX:50139 (IP=0.0.0.0:636)
[07-02-2022 13:11:44] slapd debug  conn=1004 fd=14 closed (TLS negotiation
failure)

These errors happen whether my LDAP server certificate is in the certificate
store or not, which means the web server doesn't seem to use the certificate
configured at the Windows level.

Thank you in advance for taking a look at this.

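The check below is an added diagnostic for the situation described in the report; it is not part of the bug report, of mod_ldap or of the Microsoft LDAP SDK. Run on the Apache host, it performs a TLS handshake against the LDAPS port through .NET's SslStream, which on Windows is backed by Schannel, the same certificate stack wldap32 uses, and reports the certificate the server presents, Schannel's validation verdict (name mismatch versus chain error), and which LocalMachine stores contain that certificate or its issuer. The host openldap.test.com and port 636 are taken from the AuthLDAPURL in the report and are assumed to be reachable from the Apache machine.

```powershell
# Added diagnostic (not from the bug report): replay the TLS handshake a
# Schannel-based LDAP client would do against the LDAPS port, then show how the
# Windows machine store judges the server certificate.
# Assumptions: host/port come from the AuthLDAPURL in the report; run this on
# the Apache host so the same machine store is consulted.
param(
    [string]$LdapHost = 'openldap.test.com',   # host part of AuthLDAPURL (assumed)
    [int]$Port = 636
)

$script:RemoteCert   = $null
$script:PolicyErrors = $null

# Validation callback: record the certificate and Schannel's verdict, but return
# $true so the handshake completes and the chain can be inspected afterwards.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:RemoteCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $script:PolicyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($LdapHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # The target host must match the certificate's SAN/CN as Schannel sees it;
        # mod_ldap hands the SDK the host part of AuthLDAPURL, so test that name.
        $ssl.AuthenticateAsClient($LdapHost)
        "Handshake OK: protocol {0}, cipher {1}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm
    } catch {
        # Protocol/cipher mismatch or an abort before certificate exchange ends up here
        "Handshake FAILED: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose()
    }
} finally {
    $tcp.Dispose()
}

if ($script:RemoteCert) {
    $c = $script:RemoteCert
    "Server certificate: Subject={0}; Issuer={1}; Thumbprint={2}" -f $c.Subject, $c.Issuer, $c.Thumbprint
    $san = $c.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
           ForEach-Object { $_.Format($false) }
    "SAN: " + $(if ($san) { $san } else { '(none)' })
    # None, RemoteCertificateNameMismatch and/or RemoteCertificateChainErrors
    "Schannel policy errors: $($script:PolicyErrors)"

    # A self-signed server certificate must itself sit in LocalMachine\Root to be
    # trusted; a CA-issued one needs its issuer there (intermediates in CA).
    # Being present only in LocalMachine\My (Personal) does not make it trusted.
    foreach ($store in 'Root', 'CA', 'My') {
        $hits = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object {
            $_.Thumbprint -eq $c.Thumbprint -or $_.Subject -eq $c.Issuer
        }
        "LocalMachine\{0}: {1}" -f $store, $(if ($hits) { ($hits | ForEach-Object { $_.Subject }) -join '; ' } else { '(no match)' })
    }
} else {
    "No certificate was presented: the handshake failed before certificate exchange. " +
    "Check that port $Port speaks TLS directly (LDAPS, not StartTLS) and that the server's " +
    "TLS versions and cipher suites overlap with what Schannel offers on this host."
}
```

Reading the output: "Handshake OK" with policy errors "None" means Schannel trusts the server as named in the URL, and the mod_ldap failure has to be looked for elsewhere; "RemoteCertificateNameMismatch" means the host in AuthLDAPURL is not in the certificate's SAN/CN; "RemoteCertificateChainErrors" means the certificate (or its issuing CA) is not in the trusted stores listed, which is consistent with the slapd "TLS negotiation failure" seen when the client aborts after receiving the server certificate. A handshake that fails before any certificate is presented points at a protocol or cipher-suite mismatch rather than at the certificate store.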