Posted to users@httpd.apache.org by Dave <ma...@hotmail.com> on 2011/05/05 05:24:27 UTC

[users@httpd] httpd <---> ldaps
Greetings.

I haven't had to administer Apache for about 6 or 7 years now, but recently jumped back into it to set up a Subversion repository for developers.  I'm working on setting up Subversion on Apache (Linux) to authenticate via ldaps to an Active Directory domain controller.  The front-end Subversion client accesses Apache successfully via https.  However, I cannot get Apache to talk ldaps while verifying the certs.  I've been banging my head against this thing for weeks now, and am beyond frustrated.  I've read and researched to no end, scoured the Internet, and found others with a similar issue, but no fix yet.  Any help anyone could provide would be greatly appreciated.

Sincerely,
Dave

RHEL5.3 x86_64

RPMs:

httpd-2.2.3-45

mod_ssl-2.2.3-45

openssl-0.9.8e-12

openldap-2.3.43-12

subversion-1.6.11-7

mod_dav_svn-1.6.11-7



Active Directory - Windows Server 2003


Was already in httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Added to ssl.conf:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/http/apache_server_cert.pem
SSLCertificateKeyFile /etc/pki/tls/apache_server_key.pem
SSLCACertificateFile /etc/pki/CA/domain_controller_CA_cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire

The following httpd.conf configuration works for authenticating via ldaps without verifying the certificates:

##############################
# Subversion config

LDAPVerifyServerCert off

<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL

    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"
</Location>

CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

##############################


However, changing LDAPVerifyServerCert to "on" and adding LDAPTrustedGlobalCert pointing to CA cert (shown below) to verify the certificates gives me a 500 error in the subversion client (Tortoise), and the below error in ssl_error_log.  I also tried adding a second LDAPTrustedGlobalCert pointing to apache_server cert, to no avail.

httpd.conf:

##############################
# Subversion config

LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem   #####  Tried with and without this line
LDAPVerifyServerCert on

<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL

    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"
</Location>

CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

##############################

ssl_error_log:
[Wed May 04 17:31:42 2011] [warn] [client 192.168.151.74] [27453] auth_ldap authenticate: user subversion_test authentication failed; URI /repos [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I run "openssl s_client -CApath /etc/pki/CA/ -connect domain_controller.domain.com:636" and receive "Verify return code:  0 (ok)", so it appears the SSL handshake is fine outside of Apache:

CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
   i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN        ##### <--- not sure why it's returning CN=DOMAIN and not CN=domain_controller
...                                ##### <--- the rest are standard CAs (Verisign, etc)
...
...
---
SSL handshake has read 4776 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1              ##### <--- also not sure why it's stating TLSv1 protocol instead of SSL.
    Cipher    : RC4-MD5
    Session-ID: .........................................
    Session-ID-ctx:
    Master-Key: .........................................
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1304534983
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

read:errno=0
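Added example, not part of the post or of the httpd/OpenLDAP projects: a small Python script that parses an `openssl s_client` transcript like the one above and runs the checks that decide whether libldap (which mod_ldap uses once LDAPVerifyServerCert is on) will accept the LDAPS server certificate. The sample transcript and the AuthLDAPURL inside it are an abridged, constructed copy of the ones in the post. Two things the checks encode: the "Acceptable client certificate CA names" list is the set of CAs the server would accept for *client* certificates and takes no part in verifying the server's own certificate, so the CN=DOMAIN entry is a distraction; and `s_client` in OpenSSL 0.9.8 never compares the host name with the certificate, whereas libldap does when verification is demanded, so a URL host that does not match the certificate CN fails inside Apache even though `s_client` reports "Verify return code: 0 (ok)". The script also reports the subject DN the file named in `LDAPTrustedGlobalCert CA_BASE64` must have when, as here, the server sends only its own certificate.

```python
"""Parse an `openssl s_client -connect host:636` transcript and run the
trust checks relevant to mod_ldap / libldap server-certificate verification.
Constructed example; the sample below is an abridged copy of the post's output."""
import re
from urllib.parse import urlparse

# Constructed sample (abridged from the transcript in the post).
SAMPLE_S_CLIENT = """CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
   i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
---
"""

# The AuthLDAPURL from the post; only its host part is used here.
SAMPLE_LDAP_URL = ("ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com"
                   "?sAMAccountName?sub?(objectClass=*)")


def dn_cn(dn):
    """Return the CN attribute of an OpenSSL-style '/C=US/.../CN=x' DN, or None."""
    m = re.search(r"/CN=([^/]+)", dn or "")
    return m.group(1).strip() if m else None


def parse_s_client(text):
    """Extract the sent chain, verify result, protocol, cipher and client-CA list."""
    info = {"chain": [], "acceptable_cas": [], "verify_code": None,
            "verify_text": None, "protocol": None, "cipher": None}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "---":
            section = None
        elif stripped == "Certificate chain":
            section = "chain"
        elif stripped == "Acceptable client certificate CA names":
            section = "cas"
        elif section == "chain":
            m = re.match(r"\s*\d+ s:(.*)", line)       # ' 0 s:<subject>'
            if m:
                info["chain"].append({"subject": m.group(1).strip(), "issuer": None})
            m = re.match(r"\s*i:(.*)", line)           # '   i:<issuer>'
            if m and info["chain"]:
                info["chain"][-1]["issuer"] = m.group(1).strip()
        elif section == "cas" and stripped.startswith("/"):
            info["acceptable_cas"].append(stripped)
        else:
            m = re.match(r"\s*Verify return code:\s*(\d+)\s*\((.*)\)", line)
            if m:
                info["verify_code"], info["verify_text"] = int(m.group(1)), m.group(2)
            m = re.match(r"\s*Protocol\s*:\s*(\S+)", line)
            if m:
                info["protocol"] = m.group(1)
            m = re.match(r"\s*Cipher\s*:\s*(\S+)", line)
            if m:
                info["cipher"] = m.group(1)
    return info


def required_ca_subject(info):
    """Subject DN the LDAPTrustedGlobalCert CA_BASE64 file must carry (the leaf's issuer)."""
    return info["chain"][0]["issuer"] if info["chain"] else None


def diagnose(info, ldap_url):
    """Return (level, message) findings: 'error' means libldap will reject the
    server certificate; 'warn' and 'info' are advisory."""
    findings = []
    host = urlparse(ldap_url).hostname or ""
    if info["verify_code"] != 0:
        findings.append(("error", "chain does not verify against the local trust store "
                                  f"(code {info['verify_code']}: {info['verify_text']})"))
    if not info["chain"]:
        findings.append(("error", "server sent no certificate chain"))
        return findings
    leaf = info["chain"][0]
    # libldap compares the URL host with the certificate name when verification
    # is demanded; s_client 0.9.8 does not, so the check has to be done here.
    cn = dn_cn(leaf["subject"])
    if not cn or cn.lower() != host.lower():
        findings.append(("error", f"URL host {host!r} does not match certificate CN {cn!r}"))
    # A leaf-only chain means the issuer must come from the local CA file.
    if len(info["chain"]) == 1 and leaf["issuer"] != leaf["subject"]:
        findings.append(("info", "server sent only its own certificate; the CA_BASE64 file "
                                 f"must have subject {leaf['issuer']}"))
    # The client-CA list only governs client certificates; note it, do not fail on it.
    if leaf["issuer"] not in info["acceptable_cas"]:
        findings.append(("info", "issuer is absent from the server's client-CA list, which "
                                 "only applies to client certificates and can be ignored here"))
    if any(weak in (info["cipher"] or "") for weak in ("RC4", "MD5", "DES")):
        findings.append(("warn", f"weak cipher negotiated: {info['cipher']}"))
    return findings


if __name__ == "__main__":
    report = parse_s_client(SAMPLE_S_CLIENT)
    for level, msg in diagnose(report, SAMPLE_LDAP_URL):
        print(f"[{level}] {msg}")
    print("CA file subject should be:", required_ca_subject(report))
```

On the post's transcript the script reports no error: the chain verifies, the URL host `domain_controller.domain.com` matches the certificate CN, and the only hard requirement it surfaces is that the file handed to `LDAPTrustedGlobalCert CA_BASE64` must be the issuer with subject `/DC=com/DC=domain/CN=domain_controller`, which can be confirmed with `openssl x509 -noout -subject -in /etc/pki/CA/domain_controller_CA_cert.pem`. The Apache server's own certificate (the second `LDAPTrustedGlobalCert CERT_BASE64` line in the post) is not part of that chain and cannot help the check. The RC4-MD5 warning is advisory only; it reflects the 2003-era domain controller's cipher preference, not a trust problem.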