You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Francois Pernet <Fr...@idsa.ch> on 2009/11/13 06:59:46 UTC
[users@httpd] mod_authnz_ldap with wildcard certificate
hi all,
Unable to use a wilcard certificate (*.domain.com from Comodo) with LDAP authentication in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ...
I verified that certificate contains :
Subject : ....*.domain.com
X509v3 Subject Alternative Name:
DNS:*.domain.com, DNS:domain.com
Is there any known issue with wildcard certificates ?
How proper should be the syntax in order to use it ?
Thx in advance
Re: [users@httpd] mod_authnz_ldap with wildcard certificate
Posted by Eric Covener <co...@gmail.com>.
On Fri, Nov 13, 2009 at 9:03 AM, Francois Pernet
<Fr...@idsa.ch> wrote:
> Ok I can also post this question on openldap forum, but :
> - my main question is : is there anybody 's running wilcard certificates for
> LDAPs authentication under Apache ?
> - configuration for openldap is different than inside the mod_ldap (only few
> directives in mod_ldap) so what if I can make it work with Openldap ? (which
> is the case but without cetificate validation).
Wouldn't this be LDAPVerifyServerCert?
if you know the openldap you're using can't verify the cert, there's
not much sense in putting out a query to other Apache users.
If your openldap is linked with gnutls, try one linked with openssl?
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_authnz_ldap with wildcard certificate
Posted by Francois Pernet <Fr...@idsa.ch>.
Ok I can also post this question on openldap forum, but :
- my main question is : is there anybody 's running wilcard certificates for LDAPs authentication under Apache ?
- configuration for openldap is different than inside the mod_ldap (only few directives in mod_ldap) so what if I can make it work with Openldap ? (which is the case but without cetificate validation).
-francois
>>> Peter Schober <pe...@univie.ac.at> 13.11.2009 14:02 >>>
* Francois Pernet <Fr...@idsa.ch> [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.
I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_authnz_ldap with wildcard certificate
Posted by Peter Schober <pe...@univie.ac.at>.
* Francois Pernet <Fr...@idsa.ch> [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.
I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] mod_authnz_ldap with wildcard certificate
Posted by Francois Pernet <Fr...@idsa.ch>.
Hi,
you are right... more details ...
I must also specify that apache in SSL (https) is working fine with
these certificates ...I do not say this is an apache problem, but more
on the ldap module and certainly on the libraries under ...
A) Apache
Syntax inside Apache :
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_DER
/etc/apache2/ssl.apa/Comodo_Apache.cer
In this case, this is the certificate (Since i am autehnticating
against Novell edirectory, sometimes it requests the server certicate
itself as the CA). But i also used the CA cert from Comodo and it's the
same.
Error in apache log is only (and my server is available, of course):
[Fri Nov 13 07:37:53 2009] [warn] [client 192.168.10.171] [21099]
auth_ldap authenticate: user fpe authentication failed; URI / [LDAP:
ldap_simple_bind_s() failed][Can't contact LDAP server]
B) Tests with OpenLdap
ldap.conf is :
TLS_KEY /etc/openldap/certs/server.key
TLS_CACERT /etc/openldap/certs/cacert.txt
TLS_CERT /etc/openldap/certs/server.cer
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
TLS_REQCERT never
Testing with :
ldapsearch -H ldaps://myserver -D cn=binduser,ou=myou,o=idsa -W -x
"(cn=thisobject)"
Doesn't work. Only by putting TLS_REQCERT never in ldap.conf i can use
LDAPs (but without any cert validation in this case ... bad ;-()
hope this help. thx
>>> Emmanuel Bailleul <Em...@telindus.fr> 13.11.2009 08:40
>>>
>De : Francois Pernet [mailto:Francois.Pernet@idsa.ch]
>Envoyé : vendredi 13 novembre 2009 07:00
>À : users@httpd.apache.org
>Objet : [users@httpd] mod_authnz_ldap with wildcard certificate
>
>Hi all,
>
>Unable to use a wilcard certificate (*.domain.com from Comodo) with
LDAP authentication >in Apache 2.2.3-16.25.4 in LDAPS. The
authentication fails ...
>
>I verified that certificate contains :
>Subject : ....*.domain.com
>X509v3 Subject Alternative Name:
> DNS:*.domain.com, DNS:domain.com
>Is there any known issue with wildcard certificates ?
>How proper should be the syntax in order to use it ?
>
>Thx in advance
Hi,
How can you be sure this is an Apache problem ? Did you try first "by
hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of
the Apache logs when it fails ?
Regards.
Emmanuel
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] mod_authnz_ldap with wildcard certificate
Posted by Emmanuel Bailleul <Em...@telindus.fr>.
>De : Francois Pernet [mailto:Francois.Pernet@idsa.ch]
>Envoyé : vendredi 13 novembre 2009 07:00
>À : users@httpd.apache.org
>Objet : [users@httpd] mod_authnz_ldap with wildcard certificate
>
>Hi all,
>
>Unable to use a wilcard certificate (*.domain.com from Comodo) with LDAP authentication >in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ...
>
>I verified that certificate contains :
>Subject : ....*.domain.com
>X509v3 Subject Alternative Name:
> DNS:*.domain.com, DNS:domain.com
>Is there any known issue with wildcard certificates ?
>How proper should be the syntax in order to use it ?
>
>Thx in advance
Hi,
How can you be sure this is an Apache problem ? Did you try first "by hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of the Apache logs when it fails ?
Regards.
Emmanuel
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org