Posted to users@httpd.apache.org by Stuart Kendrick <sk...@fhcrc.org> on 2006/09/26 00:56:00 UTC

[users@httpd] ldap to ldaps under httpd-2.2

hi,

i'm trying to upgrade my ldap authentication to ldaps

i have both ldap and ldaps authentication working under apache 2.0 ... 
but under apache 2.2, i only have plain ldap working

i'm looking for tips on additional trouble-shooting methods i could try

here's my apache 2.0 config.  this is the one which works, in both ldap 
and ldaps mode.  notice the use of the non-standard port
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedCA /opt/local/etc/ssl/fhcrc-ad.pem
LDAPTrustedCAType BASE64_FILE
[...]
<Directory "/srv/www/htdocs/soma/">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 10.1.
   SSLRequireSSL
   AuthName Soma
   AuthType Basic
   AuthLDAPBindDN "foo@fhcrc.org"
   AuthLDAPBindPassword passwd-for-foo
   AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
   # ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
   Require valid-user
</Directory>


and here's my apache 2.2 config.  if i comment out the 'ldaps' URL and 
comment in the 'ldap' URL, things work fine:
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
[...]
<Directory "/srv/www/htdocs/soma/">
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.1.
    AuthName Soma
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPBindDN "foo@fhcrc.org"
    AuthLDAPBindPassword passwd-for-foo
    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
#   AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
    Require valid-user
</Directory>

when it fails, i see the following in syslog:

Sep 25 15:24:23 guru httpd[17738]: [warn] [client 10.1.2.3] [17738] 
auth_ldap authenticate: user skendric authentication failed; URI /soma 
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

in a packet trace, i see the following, repeated a handful of times.  [i 
hacked the Source and Destination IP address columns, replacing the 
actual IP addresses with 'a', the address of my apache server, and 'z' 
the address of my LDAP server].  basically, the apache server just 
establishes a TCP connection (SYN, SYN, ACK) ... and then, without 
attempting anything, tears it down ... and then repeats a handful of times.

No.  Time   By  Source Dest Prot Info
  1 0.000000 74  a      z    TCP  48965 > 12389 [SYN, ECN, CWR] Seq=0
  2 0.000351 78  z      a    TCP  12389 > 48965 [SYN, ACK] Seq=0 Ack=1
  3 0.000018 66  a      z    TCP  48965 > 12389 [ACK] Seq=1 Ack=1
  4 0.000780 66  a      z    TCP  48965 > 12389 [FIN, ACK] Seq=1 Ack=1
  5 0.000122 74  a      z    TCP  48966 > 12389 [SYN, ECN, CWR] Seq=0
  6 0.000312 78  z      a    TCP  12389 > 48966 [SYN, ACK] Seq=0 Ack=1
  7 0.000014 66  a      z    TCP  48966 > 12389 [ACK] Seq=1 Ack=1
  8 0.000004 66  z      a    TCP  12389 > 48965 [ACK] Seq=1 Ack=2
  9 0.000084 60  z      a    TCP  12389 > 48965 [RST, ACK] Seq=1 Ack=2
10 0.000201 66  a      z    TCP  48966 > 12389 [FIN, ACK] Seq=1 Ack=1

i'm using the apache bundled with SuSE ... SuSE 9.3 in the httpd-2.0 
case, and OpenSuSE 10.1 in the httpd-2.2.0 case.  for grins, i compiled 
httpd-2.2.3 from scratch on my 10.1 box and tried it ... delivers the 
same symptoms as the httpd-2.2 bundled with OpenSuSE 10.1

suggestions for what i might try next to analyze what is going on?

--sk

stuart kendrick
fhcrc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
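The trace above can be read mechanically. What follows is an added example, not code from the thread: it parses a constructed copy of the ten summary rows (same columns, with 'a' and 'z' standing in for the Apache and LDAP hosts as in the post), groups them into TCP flows, and reports whether the client ever sent a byte before closing. The observation it makes explicit is that the client's FIN carries relative Seq=1, i.e. zero payload bytes: no TLS ClientHello and no LDAP bind ever left the Apache host, so the failure happens inside the client's LDAP/SSL setup before anything reaches the wire, not on the network path (the server's SYN/ACK proves the port is reachable).

```python
import re

# Constructed copy of the frames in the post (No, Time, Bytes, Source, Dest, Proto, Info);
# 'a' is the Apache host and 'z' the LDAP server, exactly as the poster relabelled them.
TRACE = """\
  1 0.000000 74  a      z    TCP  48965 > 12389 [SYN, ECN, CWR] Seq=0
  2 0.000351 78  z      a    TCP  12389 > 48965 [SYN, ACK] Seq=0 Ack=1
  3 0.000018 66  a      z    TCP  48965 > 12389 [ACK] Seq=1 Ack=1
  4 0.000780 66  a      z    TCP  48965 > 12389 [FIN, ACK] Seq=1 Ack=1
  5 0.000122 74  a      z    TCP  48966 > 12389 [SYN, ECN, CWR] Seq=0
  6 0.000312 78  z      a    TCP  12389 > 48966 [SYN, ACK] Seq=0 Ack=1
  7 0.000014 66  a      z    TCP  48966 > 12389 [ACK] Seq=1 Ack=1
  8 0.000004 66  z      a    TCP  12389 > 48965 [ACK] Seq=1 Ack=2
  9 0.000084 60  z      a    TCP  12389 > 48965 [RST, ACK] Seq=1 Ack=2
 10 0.000201 66  a      z    TCP  48966 > 12389 [FIN, ACK] Seq=1 Ack=1
"""

# One summary row: frame number, time, bytes on the wire, src, dst, TCP ports, flags, relative Seq.
ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<bytes>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+TCP\s+(?P<sport>\d+)\s*>\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s+Seq=(?P<seq>\d+)"
)


def parse_trace(text):
    """Turn the summary rows into dicts; rows that do not match the layout are skipped."""
    frames = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            f = m.groupdict()
            f["flags"] = {flag.strip() for flag in f["flags"].split(",")}
            f["seq"] = int(f["seq"])
            frames.append(f)
    return frames


def classify_flows(frames):
    """Group frames into TCP flows, keyed by the side that sent the bare SYN (the client),
    and say whether each flow carried any client payload before the client closed it."""
    flows = {}
    for f in frames:
        fwd = (f["src"], f["sport"], f["dst"], f["dport"])   # client -> server direction
        rev = (f["dst"], f["dport"], f["src"], f["sport"])   # server -> client direction
        if "SYN" in f["flags"] and "ACK" not in f["flags"]:
            flows[fwd] = {"synack": False, "fin_seq": None, "rst": False}
        elif fwd in flows and "FIN" in f["flags"]:
            flows[fwd]["fin_seq"] = f["seq"]
        elif rev in flows:
            if "SYN" in f["flags"]:
                flows[rev]["synack"] = True
            if "RST" in f["flags"]:
                flows[rev]["rst"] = True

    verdicts = {}
    for key, st in flows.items():
        if not st["synack"]:
            verdicts[key] = "no SYN/ACK from server (port closed or filtered)"
        elif st["fin_seq"] is None:
            verdicts[key] = "handshake completed, client did not close"
        else:
            # Relative sequence numbers: the SYN occupies 0, so a client FIN at Seq=1 means
            # zero payload bytes (no TLS ClientHello, no LDAP bind) were sent before closing.
            sent = st["fin_seq"] - 1
            verdicts[key] = ("client closed without sending any data"
                             if sent == 0 else f"client sent {sent} bytes then closed")
    return verdicts


if __name__ == "__main__":
    for (client, cport, server, sport), verdict in classify_flows(parse_trace(TRACE)).items():
        print(f"{client}:{cport} -> {server}:{sport}: {verdict}")
```

Run against the constructed rows, both flows (client ports 48965 and 48966) come back as "client closed without sending any data"; a flow with no SYN/ACK would instead point at a firewall or a closed port, which is the distinction worth making before touching the Apache config.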


Re: [users@httpd] ldap to ldaps under httpd-2.2

Posted by Ricardo Stella <st...@rider.edu>.

Stuart Kendrick wrote:
> hi,
>
> i'm trying to upgrade my ldap authentication to ldaps
>
> i have both ldap and ldaps authentication working under apache 2.0 ...
> but under apache 2.2, i only have plain ldap working
>
> i'm looking for tips on additional trouble-shooting methods i could try
>
>
[...]
>
> and here's my apache 2.2 config.  if i comment out the 'ldaps' URL and
> comment in the 'ldap' URL, things work fine:
> [...]
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
> LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
> LDAPTrustedMode TLS
[...]
>    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
> #   AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
>    Require valid-user
> </Directory>
>

Well, which one is it?  TLS or SSL?  That's the problem...  LDAP in
SSL mode works on a different port.  TLS connections work on the same
unsecured port, except that the conversation is encrypted.

So, if you enabled SSL on port 12389, then:

# If you run SSL, this is optional as you'll enable it with the 'ldaps' url
LDAPTrustedMode SSL
...
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

Or, if you are doing TLS, then:

# If you run TLS, you can set this or add STARTTLS at the end of the ldap url
LDAPTrustedMode TLS
...
AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

Hope this helps...

My .02...

-- 

°(((=((===°°°(((===========================================
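The mismatch Ricardo points at (an ldaps:// URL, which means TLS from the first byte on a dedicated port, combined with STARTTLS, which means plain LDAP on the normal port upgraded later) is easy to check for before restarting httpd. The following is an added example, not code from the thread or from the Apache project: a small Python checker that reads the LDAP-related directives out of a config fragment and reports contradictory or weak transport settings. It assumes the precedence described in the mod_authnz_ldap documentation, namely that a mode word after the URL (NONE, SSL, TLS or STARTTLS) overrides LDAPTrustedMode and that an ldaps:// URL implies SSL when no mode word is given; the config fragments it is run on are constructed copies of the configs in this thread with the wrapped URL lines joined.

```python
import re
from urllib.parse import urlsplit

# Mode words accepted after AuthLDAPURL and by LDAPTrustedMode, normalised to one vocabulary:
# NONE = cleartext, SSL = TLS from the first byte (ldaps), STARTTLS = cleartext then upgrade.
MODE_WORDS = {"NONE": "NONE", "SSL": "SSL", "TLS": "STARTTLS", "STARTTLS": "STARTTLS"}


def parse_ldap_directives(config_text):
    """Collect the directives the check needs. Comment lines are skipped and a later
    occurrence overrides an earlier one; wrapped lines must already be joined."""
    settings = {"LDAPTrustedMode": "NONE", "LDAPVerifyServerCert": "On", "AuthLDAPURL": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in settings:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_ldap_transport(config_text):
    """Return a list of (level, message) findings about the LDAP transport configuration."""
    s = parse_ldap_directives(config_text)
    if s["AuthLDAPURL"] is None:
        return [("ERROR", "no AuthLDAPURL directive found")]
    findings = []
    parts = s["AuthLDAPURL"].strip('"').split()
    url = parts[0]
    url_mode = MODE_WORDS.get(parts[1].upper()) if len(parts) > 1 else None
    if len(parts) > 1 and url_mode is None:
        findings.append(("ERROR", f"unknown connection mode '{parts[1]}' after AuthLDAPURL"))
    split = urlsplit(url)
    scheme = split.scheme.lower()
    port = split.port or (636 if scheme == "ldaps" else 389)
    global_mode = MODE_WORDS.get(s["LDAPTrustedMode"].upper(), s["LDAPTrustedMode"])
    # Assumed precedence (see lead-in): URL mode word > ldaps scheme > LDAPTrustedMode.
    effective = url_mode or ("SSL" if scheme == "ldaps" else global_mode)

    if scheme == "ldaps" and effective == "STARTTLS":
        findings.append(("ERROR", f"ldaps:// URL combined with STARTTLS: ldaps expects a TLS "
                                  f"handshake from the first byte on port {port}, STARTTLS expects "
                                  f"plain LDAP on that port upgraded later; pick one"))
    if scheme == "ldap" and effective == "SSL":
        findings.append(("WARN", f"ldap:// URL forced into SSL mode: port {port} must speak TLS "
                                 f"immediately, which is not what ldap:// normally implies"))
    if effective == "NONE":
        findings.append(("WARN", "cleartext LDAP: the bind DN password and every user's password "
                                 "cross the network unencrypted"))
    if effective != "NONE" and s["LDAPVerifyServerCert"].lower() == "off":
        findings.append(("WARN", "LDAPVerifyServerCert Off: the directory server's certificate is "
                                 "not checked, so the encrypted session may be to an impersonator"))
    return findings


# Constructed copy of the failing 2.2 config from the thread (URL lines joined, caches omitted).
BROKEN_22 = """
LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
<Directory "/srv/www/htdocs/soma/">
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
    Require valid-user
</Directory>
"""

# Constructed copies of the two consistent variants suggested in the reply.
FIXED_SSL = """
LDAPTrustedMode SSL
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
"""
FIXED_STARTTLS = """
LDAPTrustedMode TLS
AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
"""

if __name__ == "__main__":
    for name, cfg in [("broken 2.2", BROKEN_22), ("ssl", FIXED_SSL), ("starttls", FIXED_STARTTLS)]:
        print(name, check_ldap_transport(cfg) or "OK")
```

On the constructed copy of the failing config the checker reports one ERROR (ldaps plus STARTTLS) and one WARN (LDAPVerifyServerCert Off, which also appears in the original and should be turned back on once the transport is sorted out, since with verification off the `LDAPTrustedClientCert` material does nothing to authenticate the server). Both of the reply's variants come back clean.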