Posted to users@httpd.apache.org by Harry Holt <ha...@gmail.com> on 2008/02/26 18:35:13 UTC

[users@httpd] SSL LDAP Connections on Win32

Okay, apparently, with the binary distribution of Apache 2.2 for Win32, it
is not possible to initialize an SSL connection to an LDAP server using
mod_ldap and mod_authnz_ldap.

During startup I get:

[info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set
using this method, as they are stored in the registry instead.

And if I try to initiate an SSL connection with an LDAP server I get:

[warn] [client 127.0.0.1] [8048] auth_ldap authenticate: user vec02
authentication failed; URI /svn [LDAP: an attempt to set LDAP_OPT_SSL on
failed.][Parameter Error]

So, my questions:

Am I crazy or is LDAP over SSL just not supported for this distribution?
and

If I'm not crazy, is there a binary distribution of aprutil-1.dll that will
support this (that anyone knows of) or will I have to figure out how to
compile it myself?

I appreciate any info and pointers.

Thx... HH

-- 
Harry Holt, PMP

Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Harry Holt <ha...@gmail.com>.
> >
> > Yes.  I've used the Novell LDAP tool, JXplorer, and other tools for
> > testing (as well as my own Java, .NET, and the Novell CAPI) and everything
> > works fine except that Apache module.
>
> Not immediately clear to me how many of those use the same win32 ldap
> library (depends.exe would know for any native windows program, java
> and the novell stuff likely using their own lib...)
>

That would be exactly none of them.  I'm sure the .NET library is than the
SDK Apache is compiled against.  Which is why I was considering doing my own
compile, but compiling against the Novell SDK instead (which is supported by
the apr_utils).  But I was hoping some fix for this was available, because I
really don't want to depart from the GA release.


>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
Harry Holt, PMP

Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 28, 2008 at 8:30 AM, Harry Holt <ha...@gmail.com> wrote:
>
>
> On Thu, Feb 28, 2008 at 7:29 AM, Eric Covener <co...@gmail.com> wrote:
> >
> > On Wed, Feb 27, 2008 at 9:52 PM, Harry Holt <ha...@gmail.com> wrote:
> >
> > >
> > >  TLS accept failure error=-1
> >
> > Are you able to connect to a secure ldap host with 'ldp.exe' or any
> > other MS-based tool?  Have you taken any measures to add the issuer of
> > your LDAP servers certificate to the registry-based list mentioned by
> > the mod_ldap doc?
>
> Yes.  I've used the Novell LDAP tool, JXplorer, and other tools for testing
> (as well as my own Java, .NET, and the Novell CAPI) and everything works fine
> except that Apache module.

Not immediately clear to me how many of those use the same win32 ldap
library (depends.exe would know for any native windows program, java
and the novell stuff likely using their own lib...)



-- 
Eric Covener
covener@gmail.com


Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Harry Holt <ha...@gmail.com>.
On Thu, Feb 28, 2008 at 10:46 AM, Eric Covener <co...@gmail.com> wrote:

> On Thu, Feb 28, 2008 at 8:30 AM, Harry Holt <ha...@gmail.com> wrote:
>
> > I'd start a bug report, but I have a feeling that *somebody* knows it
> > doesn't work, and knows why...
>
> I wouldn't bank on that, wrt ldap-on-windows.  My hunch is still the
> certificate chain that Apache ultimately uses -- an actual packet
> capture on the wire (e.g. Wireshark) might have some handshake error
> or alert.
>

Well I was thinking it's likely, since whenever the ldap_mod is loaded, it
displays the message

[info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set
using this method, as they are stored in the registry instead.

Although, you would think that setting LDAPVerifyServerCert to off would get
around that limitation.

... HH


>
> --
> Eric Covener
> covener@gmail.com
>


-- 
Harry Holt, PMP

Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 28, 2008 at 8:30 AM, Harry Holt <ha...@gmail.com> wrote:

> I'd start a bug report, but I have a feeling that *somebody* knows it
> doesn't work, and knows why...

I wouldn't bank on that, wrt ldap-on-windows.  My hunch is still the
certificate chain that Apache ultimately uses -- an actual packet
capture on the wire (e.g. Wireshark) might have some handshake error
or alert.


-- 
Eric Covener
covener@gmail.com


Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Harry Holt <ha...@gmail.com>.
On Thu, Feb 28, 2008 at 7:29 AM, Eric Covener <co...@gmail.com> wrote:

> On Wed, Feb 27, 2008 at 9:52 PM, Harry Holt <ha...@gmail.com> wrote:
>
> >
> >  TLS accept failure error=-1
>
> Are you able to connect to a secure ldap host with 'ldp.exe' or any
> other MS-based tool?  Have you taken any measures to add the issuer of
> your LDAP servers certificate to the registry-based list mentioned by
> the mod_ldap doc?


Yes.  I've used the Novell LDAP tool, JXplorer, and other tools for testing
(as well as my own Java, .NET, and the Novell CAPI) and everything works fine
except that Apache module.


> A packet capture of the attempted SSL handshake might be useful, but
> it seems just as  likely that the LDAP SDK is blowing up internally.
> I know openldap can act this same way if you point it to a malformed
> CA cert -- it will actually do a tcp connection to the LDAP host,
> freak out about the cert, then promptly close it without having
> read/written a byte of data.
>

I've tried getting some packet captures at the ldap servers.  Slapd shows
the connection start, an attempt to start up the negotiation, but it gets
rejected (apparently from the client).  I've included that packet trace
below for your edification.  It doesn't really provide much detail that's
useful.

I'd start a bug report, but I have a feeling that *somebody* knows it
doesn't work, and knows why...

Thx... HH

SLAPD Debug:
--------------------------------------------------------------------------------
Feb 27 21:47:59 myserver slapd[19490]: >>> slap_listener(ldaps://)
Feb 27 21:47:59 myserver slapd[19490]: daemon: listen=7, new connection on 13
Feb 27 21:47:59 myserver slapd[19490]: daemon: added 13r (active) listener=(nil)
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 ACCEPT from IP=192.168.1.53:4887 (IP=0.0.0.0:636)
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on 1 descriptor
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on:
Feb 27 21:47:59 myserver slapd[19490]:  13r
Feb 27 21:47:59 myserver slapd[19490]:
Feb 27 21:47:59 myserver slapd[19490]: daemon: read active on 13
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13)
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13): got connid=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): checking for input on id=0
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on 1 descriptor
Feb 27 21:47:59 myserver slapd[19490]: daemon: activity on:
Feb 27 21:47:59 myserver slapd[19490]:  13r
Feb 27 21:47:59 myserver slapd[19490]:
Feb 27 21:47:59 myserver slapd[19490]: daemon: read active on 13
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13)
Feb 27 21:47:59 myserver slapd[19490]: connection_get(13): got connid=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): checking for input on id=0
Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=0, closing
Feb 27 21:47:59 myserver slapd[19490]: connection_closing: readying conn=0 sd=13 for close
Feb 27 21:47:59 myserver slapd[19490]: connection_close: conn=0 sd=-1
Feb 27 21:47:59 myserver slapd[19490]: daemon: removing 13
Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 closed (TLS negotiation failure)
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=9 active_threads=0 tvp=NULL

-- 
Harry Holt, PMP
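
The slapd trace above is fifty lines for a single connection, most of it epoll noise, and the one fact that matters is buried in it: the connection was closed during TLS negotiation before any LDAP operation reached the server. The block below is an added example, not code from the thread, that reduces a slapd log to one verdict per connection so a TLS-stage failure (closed before any bind) is told apart from a bind-stage failure (TLS completed, credentials refused). It parses the syslog-wrapped format posted above; conn=0 in the sample is taken from that trace, and conn=1 is a constructed connection that is not in the thread, included for contrast.

```powershell
# Added example, not from the thread: reduce a slapd debug/stats log to one line per
# connection. The sample input mixes lines from the trace posted above (conn=0) with
# constructed lines for a second connection (conn=1) where TLS succeeded and the
# simple bind was refused.

function Get-SlapdConnectionSummary {
    param([string[]]$Lines)

    $conns = @{}
    foreach ($line in $Lines) {
        # Drop the syslog prefix, e.g. "Feb 27 21:47:59 myserver slapd[19490]: "
        $msg = $line -replace '^.*?slapd\[\d+\]:\s*', ''

        if ($msg -match '^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)') {
            $conns[$matches[1]] = New-Object PSObject -Property @{
                Conn = [int]$matches[1]; Peer = $matches[2]
                Tls = $false; BindDn = $null; BindErr = $null; Close = $null
            }
            continue
        }
        if ($msg -notmatch '^conn=(\d+) ') { continue }     # daemon:/epoll noise
        $c = $conns[$matches[1]]
        if ($null -eq $c) { continue }                      # ACCEPT not in our window

        if     ($msg -match '^conn=\d+ fd=\d+ TLS established')          { $c.Tls = $true }
        elseif ($msg -match '^conn=\d+ op=\d+ BIND dn="([^"]*)"')        { $c.BindDn = $matches[1] }
        elseif ($msg -match '^conn=\d+ op=\d+ RESULT tag=97 err=(\d+)') { $c.BindErr = [int]$matches[1] }   # tag=97: bindResponse
        elseif ($msg -match '^conn=\d+ fd=\d+ closed(?: \((.+)\))?$')   { $c.Close = if ($matches[1]) { $matches[1] } else { 'normal' } }
    }

    foreach ($c in ($conns.Values | Sort-Object Conn)) {
        $verdict = if ($c.Close -eq 'TLS negotiation failure') { 'TLS handshake failed before any LDAP operation: client-side trust/SSL setup' }
                   elseif ($c.BindErr -eq 0)                   { 'TLS and bind OK' }
                   elseif ($c.BindErr -eq 49)                  { 'TLS OK, bind refused (invalid credentials)' }
                   elseif ($null -ne $c.BindErr)               { "TLS OK, bind failed with LDAP result $($c.BindErr)" }
                   elseif ($c.Close)                           { "closed without bind ($($c.Close))" }
                   else                                        { 'no close seen in this window' }
        New-Object PSObject -Property @{ Conn = $c.Conn; Peer = $c.Peer; TLS = $c.Tls; BindDn = $c.BindDn; Verdict = $verdict }
    }
}

# Sample input: conn=0 from the trace above, conn=1 constructed for contrast.
$sampleLog = @(
    'Feb 27 21:47:59 myserver slapd[19490]: daemon: listen=7, new connection on 13',
    'Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 ACCEPT from IP=192.168.1.53:4887 (IP=0.0.0.0:636)',
    'Feb 27 21:47:59 myserver slapd[19490]: daemon: epoll: listen=7 active_threads=0 tvp=NULL',
    'Feb 27 21:47:59 myserver slapd[19490]: connection_read(13): TLS accept failure error=-1 id=0, closing',
    'Feb 27 21:47:59 myserver slapd[19490]: conn=0 fd=13 closed (TLS negotiation failure)',
    # constructed: same client, TLS established, simple bind refused with err=49
    'Feb 27 21:50:03 myserver slapd[19490]: conn=1 fd=14 ACCEPT from IP=192.168.1.53:4902 (IP=0.0.0.0:636)',
    'Feb 27 21:50:03 myserver slapd[19490]: conn=1 fd=14 TLS established tls_ssf=256 ssf=256',
    'Feb 27 21:50:03 myserver slapd[19490]: conn=1 op=0 BIND dn="uid=vec02,o=mysite" method=128',
    'Feb 27 21:50:03 myserver slapd[19490]: conn=1 op=0 RESULT tag=97 err=49 text=',
    'Feb 27 21:50:03 myserver slapd[19490]: conn=1 op=1 UNBIND',
    'Feb 27 21:50:03 myserver slapd[19490]: conn=1 fd=14 closed'
)

Get-SlapdConnectionSummary -Lines $sampleLog | Format-Table Conn, Peer, TLS, BindDn, Verdict -AutoSize
```

Against a real log, call it as `Get-SlapdConnectionSummary -Lines (Get-Content .\slapd.log)`. The useful property is the split it makes: a connection that closes with "TLS negotiation failure" and no BIND line never got as far as presenting credentials, so the problem is on the client side of the handshake (trust store, protocol, cipher), not in the directory's view of the user; only once a conn shows "TLS established" followed by a bindResponse does the result code say anything about the account or password.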

Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Eric Covener <co...@gmail.com>.
On Wed, Feb 27, 2008 at 9:52 PM, Harry Holt <ha...@gmail.com> wrote:

>
>  TLS accept failure error=-1

Are you able to connect to a secure ldap host with 'ldp.exe' or any
other MS-based tool?  Have you taken any measures to add the issuer of
your LDAP servers certificate to the registry-based list mentioned by
the mod_ldap doc?

A packet capture of the attempted SSL handshake might be useful, but
it seems just as  likely that the LDAP SDK is blowing up internally.
I know openldap can act this same way if you point it to a malformed
CA cert -- it will actually do a tcp connection to the LDAP host,
freak out about the cert, then promptly close it without having
read/written a byte of data.

-- 
Eric Covener
covener@gmail.com
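
Eric's question above (can an MS-based tool reach the server over SSL, and has the issuer been added to the registry-based trust list?) is the right check, and it can be scripted. The block below is an added example, not code from the thread or from the httpd project. It uses System.DirectoryServices.Protocols, a managed wrapper over wldap32.dll, which is the Microsoft LDAP SDK that the Apache 2.2 Win32 binary's aprutil-1.dll is built against (that SDK is the source of the "stored in the registry instead" message), so a failure here reproduces Apache's view of the server rather than JXplorer's or Java's. The host name is the one from the posted AuthLDAPUrl; the bind DN and the CA file path are assumptions.

```powershell
# Added example, not from the thread or the httpd project. Steps: put the issuing CA
# where wldap32 looks for trust (the machine certificate store, i.e. the registry-
# backed list the mod_ldap doc refers to), then do a simple bind over LDAPS through
# wldap32 itself and print what Windows makes of the server certificate chain.
# Placeholders (assumptions, adjust for your site): $BindDn, $CaCertFile.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost   = 'ldap.intranet.mysite'     # host from the thread's AuthLDAPUrl
$LdapPort   = 636
$BindDn     = 'uid=vec02,o=mysite'       # assumption: a DN permitted to bind
$CaCertFile = 'C:\certs\CACert.der'      # assumption: the CA file the posted config comments out

# Step 1: install the issuing CA in LocalMachine\Root (run from an elevated shell).
# Apache runs as a service, so the per-user store of whoever is logged on is never
# consulted; certutil without -user writes to the machine store.
& certutil.exe -f -addstore Root $CaCertFile

# Step 2: a callback that reports the chain Windows builds for the server cert.
# X509Chain checks signature, validity period and trust against the machine store,
# but not the host name, so its result is a diagnostic, not a production trust
# decision. Returning $true here would accept any server whose chain builds.
$verifyCallback = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback] {
    param($connection, $certificate)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    Write-Host ("Server cert : {0}" -f $cert.Subject)
    Write-Host ("Issued by   : {0}" -f $cert.Issuer)
    Write-Host ("Valid until : {0}" -f $cert.NotAfter)
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    Write-Host ("Chain builds against the machine store: {0}" -f $trusted)
    return $trusted
}

# Step 3: simple bind over LDAPS, which is what mod_authnz_ldap does for every
# Basic-auth request. Result 81 ("server is unavailable", the [Server Down] seen in
# the thread) with no chain output means the handshake aborted before the
# certificate was evaluated; result 49 means TLS worked and the credentials did not.
function Test-LdapsBind {
    param([string]$Server, [int]$Port, [string]$Dn, [System.Net.NetworkCredential]$Credential)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.ProtocolVersion         = 3
        $conn.SessionOptions.SecureSocketLayer       = $true     # ldaps://, the LDAP_OPT_SSL path
        $conn.SessionOptions.VerifyServerCertificate = $verifyCallback
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
        $conn.Bind()
        Write-Host "Simple bind over LDAPS succeeded as $Dn"
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Host ("Bind failed: LDAP result {0}: {1}" -f $_.Exception.ErrorCode, $_.Exception.Message)
        return $false
    }
    catch {
        Write-Host ("Bind failed: {0}" -f $_.Exception.Message)
        return $false
    }
    finally {
        $conn.Dispose()
    }
}

# Prompt for the password so it never lands in the script or the shell history.
$cred = (Get-Credential $BindDn).GetNetworkCredential()
Test-LdapsBind -Server $LdapHost -Port $LdapPort -Dn $BindDn -Credential $cred
```

Run it on the web server itself, since the store that matters is the one the Apache service account sees. A chain status of UntrustedRoot means the import did not land in the store wldap32 consults; a bind that fails with result 81 while the callback never prints anything means the handshake died before the certificate was even looked at, which matches the "TLS accept failure" on the slapd side. Whatever the SDK does with LDAPVerifyServerCert Off, it is the wrong fix: mod_authnz_ldap forwards each user's Basic-auth password in the simple bind, and without server certificate verification any host that answers on port 636 can collect those passwords.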


Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Harry Holt <ha...@gmail.com>.
I have tried this same configuration on Windows Server 2003, as well as
Windows XP workstation.  The results are essentially the same, but the error
is different:

[warn] [client 127.0.0.1] [3312] auth_ldap authenticate: user lizard
authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Server
Down]

... which actually seems less accurate, as the server isn't down - it just
won't start an SSL connection.  When trying to connect through to an
OpenLDAP server, it only gives a

 TLS accept failure error=-1

I assume this means that it tried to establish a connection over TLS/SSL,
but the client (Apache ldap_mod) refused to cooperate.  Looks like I'm
stuck.

Thx... HH


On Tue, Feb 26, 2008 at 1:12 PM, Harry Holt <ha...@gmail.com> wrote:

>
> On Tue, Feb 26, 2008 at 12:41 PM, Udo Rader <ud...@bestsolution.at>
> wrote:
>
> >
> > On Tue, 2008-02-26 at 12:35 -0500, Harry Holt wrote:
> > > Okay, apparently, with the binary distribution of Apache 2.2 for
> > > Win32, it is not possible to initialize an SSL connection to an LDAP
> > > server using mod_ldap and mod_authnz_ldap.
> > >
> > > During startup I get:
> > >
> > > [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be
> > > set using this method, as they are stored in the registry instead.
> > >
> > > And if I try to initiate an SSL connection with an LDAP server I get:
> > >
> > > [warn] [client 127.0.0.1] [8048] auth_ldap authenticate: user vec02
> > > authentication failed; URI /svn [LDAP: an attempt to set LDAP_OPT_SSL
> > > on failed.][Parameter Error]
> > >
> > > So, my questions:
> > >
> > > Am I crazy or is LDAP over SSL just not supported for this
> > > distribution?  and
> > >
> > > If I'm not crazy, is there a binary distribution of aprutil-1.dll that
> > > will support this (that anyone knows of) or will I have to figure out
> > > how to compile it myself?
> > >
> > > I appreciate any info and pointers.
> >
> > ... maybe you should start by posting some configuration excerpts?
> >
> > --
> > Udo Rader
> >
> > bestsolution.at EDV Systemhaus GmbH
> > http://www.bestsolution.at
> >
> >
> > >
> >
>
-- 
Harry Holt, PMP

Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Harry Holt <ha...@gmail.com>.
Ok, it's pretty basic:

ServerRoot "C:/Program Files/Apache Software Foundation/Apache2.2"

Listen 80

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so

LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_svn_module modules/svn/mod_dav_svn.so

LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so

LoadModule ldap_module modules/mod_ldap.so

LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so

LoadModule ssl_module modules/mod_ssl.so

<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User daemon
Group daemon
</IfModule>
</IfModule>

ServerAdmin postmaster@localhost

DocumentRoot "D:/wwwroot/htdocs"

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

ErrorLog "logs/error.log"

#LogLevel warn
LogLevel debug

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access.log" common

</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin/"
</IfModule>

DefaultType text/plain

<IfModule mime_module>
    TypesConfig conf/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Certificate for connecting to LDAP server (eDir)
# LDAPTrustedGlobalCert     CA_DER conf/CACert.der
# LDAPTrustedMode        SSL
#LDAPVerifyServerCert    Off

<Directory "D:/wwwroot/htdocs">
        AllowOverride All
        Options FollowSymLinks Includes
        Order allow,deny
        Allow from all
</Directory>

# Subversion setup
<Location "/">
    # LDAP Authentication & Authorization is final; do not check other databases
      AuthzLDAPAuthoritative OFF

      AuthLDAPUrl ldaps://ldap.intranet.mysite/o=mysite?uid SSL

      # Do basic password authentication (IN THE CLEAR!?) - no, not over SSL
      AuthType Basic
      AuthName "TEST Root directory"
      AuthBasicProvider ldap

      Require valid-user
</Location>



On Tue, Feb 26, 2008 at 12:41 PM, Udo Rader <ud...@bestsolution.at>
wrote:

>
> On Tue, 2008-02-26 at 12:35 -0500, Harry Holt wrote:
> > Okay, apparently, with the binary distribution of Apache 2.2 for
> > Win32, it is not possible to initialize an SSL connection to an LDAP
> > server using mod_ldap and mod_authnz_ldap.
> >
> > During startup I get:
> >
> > [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be
> > set using this method, as they are stored in the registry instead.
> >
> > And if I try to initiate an SSL connection with an LDAP server I get:
> >
> > [warn] [client 127.0.0.1] [8048] auth_ldap authenticate: user vec02
> > authentication failed; URI /svn [LDAP: an attempt to set LDAP_OPT_SSL
> > on failed.][Parameter Error]
> >
> > So, my questions:
> >
> > Am I crazy or is LDAP over SSL just not supported for this
> > distribution?  and
> >
> > If I'm not crazy, is there a binary distribution of aprutil-1.dll that
> > will support this (that anyone knows of) or will I have to figure out
> > how to compile it myself?
> >
> > I appreciate any info and pointers.
>
> ... maybe you should start by posting some configuration excerpts?
>
> --
> Udo Rader
>
> bestsolution.at EDV Systemhaus GmbH
> http://www.bestsolution.at
>
>
> >
>



-- 
Harry Holt, PMP

Re: [users@httpd] SSL LDAP Connections on Win32

Posted by Udo Rader <ud...@bestsolution.at>.
On Tue, 2008-02-26 at 12:35 -0500, Harry Holt wrote:
> Okay, apparently, with the binary distribution of Apache 2.2 for
> Win32, it is not possible to initialize an SSL connection to an LDAP
> server using mod_ldap and mod_authnz_ldap.
> 
> During startup I get:
> 
> [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be
> set using this method, as they are stored in the registry instead.
> 
> And if I try to initiate an SSL connection with an LDAP server I get:
> 
> [warn] [client 127.0.0.1] [8048] auth_ldap authenticate: user vec02
> authentication failed; URI /svn [LDAP: an attempt to set LDAP_OPT_SSL
> on failed.][Parameter Error]
> 
> So, my questions:
> 
> Am I crazy or is LDAP over SSL just not supported for this
> distribution?  and
> 
> If I'm not crazy, is there a binary distribution of aprutil-1.dll that
> will support this (that anyone knows of) or will I have to figure out
> how to compile it myself?
> 
> I appreciate any info and pointers.

... maybe you should start by posting some configuration excerpts? 

-- 
Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at

