Posted to users@httpd.apache.org by Dave <ma...@hotmail.com> on 2011/05/05 05:24:27 UTC
[users@httpd] httpd <---> ldaps
Greetings.
I haven't had to administer Apache for about 6 or 7 years now, but recently jumped back into it to set up a Subversion repository for developers. I'm working on setting up Subversion on Apache (Linux) to authenticate via ldaps to an Active Directory domain controller. The front-end Subversion client accesses Apache successfully via https. However, I cannot get Apache to talk ldaps while verifying the certs. I've been banging my head against this thing for weeks now and am beyond frustrated. I've read and researched to no end, scoured the Internet, and found others with a similar issue, but no fix yet. Any help anyone could provide would be greatly appreciated.
Sincerely,
Dave
RHEL5.3 x86_64
RPMs:
httpd-2.2.3-45
mod_ssl-2.2.3-45
openssl-0.9.8e-12
openldap-2.3.43-12
subversion-1.6.11-7
mod_dav_svn-1.6.11-7
Active Directory - Windows Server 2003
Was already in httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Added to ssl.conf:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/http/apache_server_cert.pem
SSLCertificateKeyFile /etc/pki/tls/apache_server_key.pem
SSLCACertificateFile /etc/pki/CA/domain_controller_CA_cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire
The following httpd.conf configuration works for authenticating via ldaps without verifying the certificates:
##############################
# Subversion config
LDAPVerifyServerCert off
<Location /repos>
DAV svn
SVNPath /opt/local/svn/repos
SSLRequireSSL
Order deny,allow
Deny from All
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap
Satisfy any
Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "password"
</Location>
CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
##############################
However, changing LDAPVerifyServerCert to "on" and adding LDAPTrustedGlobalCert pointing to the CA cert (shown below) to verify the certificates gives me a 500 error in the Subversion client (Tortoise) and the error below in ssl_error_log. I also tried adding a second LDAPTrustedGlobalCert pointing to the apache_server cert, to no avail.
httpd.conf:
##############################
# Subversion config
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
##### Tried with and without the following line
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem
LDAPVerifyServerCert on
<Location /repos>
DAV svn
SVNPath /opt/local/svn/repos
SSLRequireSSL
Order deny,allow
Deny from All
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap
Satisfy any
Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "password"
</Location>
CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
##############################
ssl_error_log:
[Wed May 04 17:31:42 2011] [warn] [client 192.168.151.74] [27453] auth_ldap authenticate: user subversion_test authentication failed; URI /repos [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
I run "openssl s_client -CApath /etc/pki/CA/ -connect domain_controller.domain.com:636" and receive "Verify return code: 0 (ok)", so it appears the SSL handshake is fine outside of Apache:
CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN ##### <--- not sure why it's returning CN=DOMAIN and not CN=domain_controller
... ##### <--- the rest are standard CAs (Verisign, etc)
...
...
---
SSL handshake has read 4776 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1 ##### <--- also not sure why it's stating TLSv1 protocol instead of SSL.
Cipher : RC4-MD5
Session-ID: .........................................
Session-ID-ctx:
Master-Key: .........................................
Key-Arg : None
Krb5 Principal: None
Start Time: 1304534983
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
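An added check, not part of Dave's post, for the situation described above: it validates the domain controller's certificate against the single CA file mod_ldap is handed through LDAPTrustedGlobalCert CA_BASE64 (rather than the hashed -CApath directory s_client was given) and compares the certificate's subject CN with the host named in AuthLDAPURL. It assumes the openssl command line tool and builds throwaway certificates in place of the real ones.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). check_ldaps_cert validates a
# server certificate against ONE CA file, the way mod_ldap is configured via
# LDAPTrustedGlobalCert CA_BASE64, and checks that the subject CN equals the
# host named in AuthLDAPURL. "openssl s_client -CApath" consults a whole hashed
# directory, so it can report "Verify return code: 0" while the single file fails.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# check_ldaps_cert CAFILE SERVERCERT HOSTNAME -> exit status 0 only if both checks pass
check_ldaps_cert() {
    ca="$1"; cert="$2"; host="$3"
    # 1. chain check with exactly the file mod_ldap would be handed
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) \
        && printf '%s\n' "$out" | grep -q ': OK$' || return 1
    # 2. subject CN must match the LDAP URL host (RFC2253 form is stable across openssl versions)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ]
}

# Constructed fixture: a throwaway CA, a server cert it signed with the names
# used in the post, and an unrelated CA so the failure case can be exercised.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/DC=com/DC=domain/CN=domain_controller" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/srv.key" -out "$dir/srv.csr" \
        -subj "/C=US/O=Org/CN=domain_controller.domain.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/other.key" -out "$dir/other.pem" \
        -subj "/DC=com/DC=domain/CN=DOMAIN" >/dev/null 2>&1
    echo "$dir"
}

# Demo run: the matching CA passes; the wrong CA and a wrong hostname both fail.
demo() {
    d=$(make_fixture)
    for args in "$d/ca.pem $d/srv.pem domain_controller.domain.com" \
                "$d/other.pem $d/srv.pem domain_controller.domain.com" \
                "$d/ca.pem $d/srv.pem dc01.domain.com"; do
        if check_ldaps_cert $args; then echo "PASS: $args"; else echo "FAIL: $args"; fi
    done
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

To run it against the real server, capture its certificate first with `openssl s_client -connect domain_controller.domain.com:636 </dev/null | openssl x509 > dc.pem` and call check_ldaps_cert with the CA file named in ssl.conf.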