Posted to users@httpd.apache.org by Stuart Kendrick <sk...@fhcrc.org> on 2006/09/26 00:56:00 UTC
[users@httpd] ldap to ldaps under httpd-2.2
hi,
i'm trying to upgrade my ldap authentication to ldaps
i have both ldap and ldaps authentication working under apache 2.0 ...
but under apache 2.2, i only have plain ldap working
i'm looking for tips on additional trouble-shooting methods i could try
here's my apache 2.0 config. this is the one which works, in both ldap
and ldaps mode. notice the use of the non-standard port
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedCA /opt/local/etc/ssl/fhcrc-ad.pem
LDAPTrustedCAType BASE64_FILE
[...]
<Directory "/srv/www/htdocs/soma/">
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.1.
SSLRequireSSL
AuthName Soma
AuthType Basic
AuthLDAPBindDN "foo@fhcrc.org"
AuthLDAPBindPassword passwd-for-foo
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
# ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
Require valid-user
</Directory>
and here's my apache 2.2 config. if i comment out the 'ldaps' URL and
comment in the 'ldap' URL, things work fine:
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
[...]
<Directory "/srv/www/htdocs/soma/">
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.1.
AuthName Soma
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN "foo@fhcrc.org"
AuthLDAPBindPassword passwd-for-foo
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
# AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
Require valid-user
</Directory>
when it fails, i see the following in syslog:
Sep 25 15:24:23 guru httpd[17738]: [warn] [client 10.1.2.3] [17738]
auth_ldap authenticate: user skendric authentication failed; URI /soma
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
in a packet trace, i see the following, repeated a handful of times. [i
hacked the Source and Destination IP address columns, replacing the
actual IP addresses with 'a', the address of my apache server, and 'z'
the address of my LDAP server]. basically, the apache server just
establishes a TCP connection (SYN, SYN, ACK) ... and then, without
attempting anything, tears it down ... and then repeats a handful of times.
No. Time By Source Dest Prot Info
1 0.000000 74 a z TCP 48965 > 12389 [SYN, ECN, CWR] Seq=0
2 0.000351 78 z a TCP 12389 > 48965 [SYN, ACK] Seq=0 Ack=1
3 0.000018 66 a z TCP 48965 > 12389 [ACK] Seq=1 Ack=1
4 0.000780 66 a z TCP 48965 > 12389 [FIN, ACK] Seq=1 Ack=1
5 0.000122 74 a z TCP 48966 > 12389 [SYN, ECN, CWR] Seq=0
6 0.000312 78 z a TCP 12389 > 48966 [SYN, ACK] Seq=0 Ack=1
7 0.000014 66 a z TCP 48966 > 12389 [ACK] Seq=1 Ack=1
8 0.000004 66 z a TCP 12389 > 48965 [ACK] Seq=1 Ack=2
9 0.000084 60 z a TCP 12389 > 48965 [RST, ACK] Seq=1 Ack=2
10 0.000201 66 a z TCP 48966 > 12389 [FIN, ACK] Seq=1 Ack=1
i'm using the apache bundled with SuSE ... SuSE 9.3 in the httpd-2.0
case, and OpenSuSE 10.1 in the httpd-2.2.0 case. for grins, i compiled
httpd-2.2.3 from scratch on my 10.1 box and tried it ... delivers the
same symptoms as the httpd-2.2 bundled with OpenSuSE 10.1
suggestions for what i might try next to analyze what is going on?
--sk
stuart kendrick
fhcrc
Re: [users@httpd] ldap to ldaps under httpd-2.2
Posted by Ricardo Stella <st...@rider.edu>.
Stuart Kendrick wrote:
> hi,
>
> i'm trying to upgrade my ldap authentication to ldaps
>
> i have both ldap and ldaps authentication working under apache 2.0 ...
> but under apache 2.2, i only have plain ldap working
>
> i'm looking for tips on additional trouble-shooting methods i could try
>
>
[...]
>
> and here's my apache 2.2 config. if i comment out the 'ldaps' URL and
> comment in the 'ldap' URL, things work fine:
> [...]
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
> LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
> LDAPTrustedMode TLS
[...]
> AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
> # AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
> Require valid-user
> </Directory>
>
Well, which one is it? TLS or SSL :? That's the problem... LDAP in
SSL mode works on a different port. TLS connections work on the same
unsecure port, except that the talk is encrypted.
So, if you enabled SSL on port 12389, then:
LDAPTrustedMode SSL # If you run SSL, this is optional as you'll enable this with the 'ldaps' url
...
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
Or, if you are doing TLS, then:
LDAPTrustedMode TLS # If you run TLS, you can set this or add STARTTLS at the end of the ldap url
...
AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
Hope this helps...
My .02...
--
°(((=((===°°°(((===========================================
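As an added example (not part of this thread and not Apache's own tooling), a small Python lint that reads the mod_ldap / mod_authnz_ldap directives discussed above and reports the two combinations Ricardo's reply distinguishes (ldaps:// on a dedicated port versus STARTTLS on the plain port), a URL that ends up with no encryption at all, and a disabled LDAPVerifyServerCert. The sample configuration is constructed with placeholder host names, not the poster's values.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the 2.2 config in the question above
# (placeholder host and base DN); it mixes an ldaps:// URL with STARTTLS.
SAMPLE_CONF = """
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
AuthLDAPURL ldaps://dc.example.org:12389/dc=example,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
"""

def parse_directives(text):
    """Yield (directive-name-lowercased, argument string) for each real config line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name.lower(), args.strip()

def check_mod_ldap(text):
    """Return finding codes for the LDAP transport settings in an httpd config snippet."""
    directives = list(parse_directives(text))
    # Global default; a trailing mode token on AuthLDAPURL overrides it per URL
    global_mode = next((a.upper() for n, a in directives if n == "ldaptrustedmode"), "NONE")
    verify = next((a.lower() for n, a in directives if n == "ldapverifyservercert"), "on")
    findings = []
    if verify == "off":
        # With verification off, any host answering on the port can impersonate the DC
        # and collect the bind DN password plus every user's Basic-auth password
        findings.append("NO_SERVER_CERT_VERIFY")
    for name, args in directives:
        if name != "authldapurl":
            continue
        tokens = args.split()
        url = tokens[0].strip('"') if tokens else ""
        mode = tokens[1].upper() if len(tokens) > 1 else global_mode
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldaps" and mode in ("TLS", "STARTTLS"):
            # ldaps:// already means SSL on a dedicated port; STARTTLS negotiates
            # encryption on a plain-LDAP port, so the two cannot both apply
            findings.append("MIXED_SSL_STARTTLS")
        elif scheme == "ldap" and mode == "NONE":
            # Bind password and every authenticated user's password go over the wire in clear
            findings.append("CLEARTEXT_LDAP")
    return findings

if __name__ == "__main__":
    for code in check_mod_ldap(SAMPLE_CONF):
        print(code)
```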