Posted to users@httpd.apache.org by Asimananda Mohanty <as...@gmail.com> on 2009/09/18 07:55:11 UTC

[users@httpd] Regarding OpenLDAP Access From Apache

Hi All,
I am a new member of this group. I am facing an issue regarding OpenLDAP
access from the Apache HTTP server; here are the details.

1. I have configured an OpenLDAP server configured with GnuTLS, as can be seen
below:

========================================

ldd slapd
        linux-gate.so.1 =>  (0xb7f6d000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7f19000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7f0b000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb7db6000)
        libodbc.so.1 => /usr/lib/libodbc.so.1 (0xb7d4f000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d36000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0xb7d26000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d0d000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cf5000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7c57000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7c45000)
        libz.so.1 => /lib/libz.so.1 (0xb7c2f000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb7bc6000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7b94000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7b7d000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7b74000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b70000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7b67000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7a04000)
        /lib/ld-linux.so.2 (0xb7f6e000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb7a00000)

========================================

2. My Apache HTTP server sits on a Solaris 10 x86 machine. The LDAP-related
httpd.conf details are below.

========================================

                <Location />
                    SSLRequireSSL
                    AuthType Basic
                    AuthLDAPEnabled on
                    AuthLDAPUrl ldap://xxx.xxx.xxx.xxx:389/dc=ldapcompany,dc=com?uid,AppAttr?sub?(AppAttr=*)
                    AuthLDAPBindDN cn=admin,dc=ldapcompany,dc=com
                    AuthLDAPBindPassword 12345678
                    AuthName realm1
                    Require valid-user
                </Location>

========================================

3. I need to access the application GUI through Apache, and the user
authentication happens through LDAP. AppAttr is a user-defined attribute
that controls which controls the user can see on the GUI, e.g. the admin
user can see all the controls, and so on.

4. With the above settings in httpd.conf, the GUI access happens without any
issues.

5. As soon as I change "ldap" to "ldaps" in AuthLDAPUrl, GUI access
fails.

6. At first glance it may give the impression that SSL/TLS is not enabled on
my OpenLDAP server, but this is not the case.

7. Here is the command that gives a perfect result, which can happen only if
SSL/TLS is enabled on it.

========================================

ldapsearch -d8 -H ldaps://ldapcompany.com -b dc=ldapcompany,dc=com uid=asimananda

OR

ldapsearch -d8 -ZZ -H ldap://ldapcompany.com -b dc=ldapcompany,dc=com uid=asimananda

========================================

Both commands ask for a password and after the password is given, it shows
the result without fail.

Either command can be used, i.e. the ldaps URL or the ldap URL with the -ZZ
option that forces TLS.

8. My issue is: if SSL/TLS is enabled on OpenLDAP, why doesn't the "ldaps" URL
work from Apache?

Please help me resolve the issue.

Regards
Asimananda

Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
Hi All,
Finally, I was able to solve the issue.

I just replaced the IP address used in AuthLDAPUrl with the hostname that
was used when creating the certificate (its CN), and that worked for me.

Thank you very much for all the support.

Regards
Asimananda

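The root cause in this thread is the TLS client's reference-identity check: the host named in AuthLDAPUrl is compared against the names the server certificate asserts, so an IP address in the URL cannot match a certificate issued to CN=ldapcompany.com, while the hostname can. As an added example that is not code from this thread, from httpd or from OpenLDAP, the following Python reimplements that check offline on certificate data shaped like the output of Python's ssl getpeercert(); it goes beyond the thread's case by also handling subjectAltName entries (dNSName, iPAddress and a single-label wildcard). The certificates and the 192.0.2.10 address are constructed samples, and because the CN fallback for IP literals varies between TLS libraries, the rule coded here (IP literals match only iPAddress SANs) is an assumption stated in the docstring.

```python
"""Reference-identity check that a TLS client applies to an LDAP server cert.

Added example, not code from this thread, httpd or OpenLDAP. Certificate data
is shaped like ssl.SSLSocket.getpeercert() output so that it runs offline.
"""
import ipaddress
from typing import Tuple

# Constructed sample: a self-signed slapd certificate issued to
# CN=ldapcompany.com with no subjectAltName (the situation in the thread).
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldapcompany.com"),),),
    "issuer": ((("commonName", "ldapcompany.com"),),),
}

# Constructed sample: the same server re-issued with SAN entries, including a
# placeholder iPAddress (192.0.2.10 is documentation space, not the thread's IP).
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldapcompany.com"),),),
    "issuer": ((("commonName", "ldapcompany.com"),),),
    "subjectAltName": (
        ("DNS", "ldapcompany.com"),
        ("DNS", "*.ldapcompany.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _is_ip_literal(reference: str) -> bool:
    """True when the URL host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(reference)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison with the usual wildcard restriction:
    only a whole leftmost label may be '*', it matches exactly one label, and
    the pattern must keep at least two literal labels (so '*.com' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_reference_identity(cert: dict, reference: str) -> Tuple[bool, str]:
    """Decide whether `reference` (the host part of AuthLDAPUrl) is an identity
    the certificate asserts. Returns (matched, reason).

    Rules implemented here (an assumption; libraries differ on the CN fallback):
    an IP literal is compared only against iPAddress SAN entries; a DNS name is
    compared against dNSName SAN entries, and the subject CN is consulted only
    when the certificate carries no SAN at all.
    """
    san = cert.get("subjectAltName", ())
    if _is_ip_literal(reference):
        ref_ip = ipaddress.ip_address(reference)
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ref_ip:
                return True, f"iPAddress SAN {value} matches {reference}"
        return False, f"no iPAddress SAN covers {reference}; CN is not used for IP literals"
    dns_ids = [value for kind, value in san if kind == "DNS"]
    if dns_ids:
        for name in dns_ids:
            if dns_name_matches(name, reference):
                return True, f"dNSName SAN {name} matches {reference}"
        return False, f"no dNSName SAN matches {reference}"
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    for cn in cns:
        if dns_name_matches(cn, reference):
            return True, f"CN {cn} matches {reference} (no SAN present)"
    return False, f"CN {cns} does not match {reference}"


if __name__ == "__main__":
    # The thread's failing (IP in the URL) and working (CN in the URL) setups, side by side.
    for cert_name, cert in (("CN-only cert", CERT_CN_ONLY), ("cert with SAN", CERT_WITH_SAN)):
        for host in ("192.0.2.10", "ldapcompany.com", "ldap.ldapcompany.com"):
            ok, why = match_reference_identity(cert, host)
            print(f"{cert_name:14} ldaps://{host}: {'OK  ' if ok else 'FAIL'} ({why})")
```

The CN-only certificate with the IP in the URL reproduces the failure the thread saw; putting the CN hostname in the URL, or re-issuing the certificate with an iPAddress SAN, makes the check pass. Trust in the issuer (the "unable to verify the first certificate" result from openssl s_client earlier in the thread) is a separate check that this identity match does not cover: the self-signed certificate has to be configured as a trusted CA on the httpd host.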

Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
Hi,

I did run some openssl commands and here is what I saw.

# openssl s_client -connect <ldap server ip>:636

verify error:num=20:unable to get local issuer certificate
verify return:1

verify error:num=21:unable to verify the first certificate
verify return:1

No client certificate CA names sent
---
SSL handshake has read 1162 bytes and written 450 bytes
---
Verify return code: 21 (unable to verify the first certificate)


I got the same thing when I ran the command on the local LDAP server too.

Are the certificates not OK? If so, how am I able to run ldapsearch
with an "ldaps" URL on my local client?

THE CERTIFICATES ARE SELF-SIGNED ONES. ARE THEY CREATING ISSUES FOR APACHE?

When I had a look at the Ethereal traces, I found some checksum errors in the
Server Hello, Certificate, Server Hello Done, Change Cipher Spec, Encrypted
Handshake Message and Encrypted Alert messages during the TLS handshake. Is that
a concern too?

Please comment.

Regards
Asimananda



Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Peter Schober <pe...@univie.ac.at>.
* Asimananda Mohanty <as...@gmail.com> [2009-09-21 14:37]:
> Should I assume that the certificate presented to apache is not the correct
> one?
> But the same certificate works fine when I use it on my ldap server where
> the ldap client is also installed.

Get the ldap command line client to work on the same machine that
httpd is running on, that would be more relevant.
Probably setting things up in /etc/openldap/ldap.conf (or wherever the
openldap client libs are looking, see `man ldap.conf`) will suffice.
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
Should I assume that the certificate presented to apache is not the correct
one?
But the same certificate works fine when I use it on my ldap server where
the ldap client is also installed.

Regards
Asimananda


Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Peter Schober <pe...@univie.ac.at>.
* Asimananda Mohanty <as...@gmail.com> [2009-09-21 14:11]:
> I can see client hello, server hello, certificate from server, server hello
> done, encrypted handshake messages on my packet sniffer.
> Well, I can see some checksum error in the server hello, certificate,
> encrypted handshake messages.
> 
> For all the above messages, port 636 on my ldap server has been
> used.

So the hypothesis of httpd not sending anything certainly is not
justified. Back to getting ssl to work from httpd to slapd, I guess.
-peter



Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
I can see the client hello, server hello, certificate from the server, server hello
done and encrypted handshake messages on my packet sniffer.
Well, I can see some checksum errors in the server hello, certificate and
encrypted handshake messages.

For all the above messages, port 636 on my ldap server has been used.

Regards
Asimananda


Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Peter Schober <pe...@univie.ac.at>.
* André Warnier <aw...@ice-sa.com> [2009-09-21 13:51]:
> If "ldaps" means "secure LDAP" (as in SSL), then all packets would
> be encrypted, and your protocol analyser may just not be able to
> detect them.

Well, at least a TCP connect to (default) port 636 should be in the
trace (not that I'm saying there is) or in the slapd logs.
-peter



Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by André Warnier <aw...@ice-sa.com>.
Asimananda Mohanty wrote:
> Hi,
> In continuation to my below mails :
> 
> I snooped the packets and found that in case of "ldap" url, apache is
> sending bind request towards my ldap server whereas in case of "ldaps" url,
> no such bind request towards ldap server is seen.

Are you sure?
If "ldaps" means "secure LDAP" (as in SSL), then all packets would be
encrypted, and your protocol analyser may just not be able to detect them.



Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
Hi,
In continuation of my mails below:

I snooped the packets and found that in the case of the "ldap" URL, Apache
sends a bind request to my LDAP server, whereas in the case of the "ldaps" URL,
no such bind request to the LDAP server is seen.

Regards
Asimananda


Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
Hi Eric,
I have changed the permissions of the certificate presented to Apache,
but I still have had no success.

Here are the logs from my Apache.

During startup:
----------------------------------------

[Mon Sep 21 13:31:22 2009] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Sep 21 13:31:22 2009] [notice] LDAP: SSL support available

----------------------------------------

During access:
-----------------------------------------

[Mon Sep 21 13:32:30 2009] [warn] [client 172.xx.xxx.xx] [10738] auth_ldap
authenticate: user asimananda authentication failed; URI / [LDAP:
ldap_simple_bind_s() failed][Can't contact LDAP server]

----------------------------------------

Here are the snapshots of my httpd.conf:

-----------------------------------------------------------

LoadModule  galad_ldap_module modules/galad.so

-- -- -- -- --

LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA /certs/ca-cert.pem

-----------------------------------------------------------

Here are the permissions of ca-cert.pem (set to 777 to make sure that there is
no permission issue):

#ls -lrt /certs/ca-cert.pem
-rwxrwxrwx   1 root     root        1387 Sep 21 13:26 /certs/ca-cert.pem


Can this be a certificate issue or something else?

Regards
Asimananda


Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Asimananda Mohanty <as...@gmail.com>.
Hi Eric,
Thanks for the reply.
In my case, Apache is built with the OpenLDAP lib. I hope that in this case it
shouldn't have shown any issues; please correct me if I am wrong.

Regards
Asimananda


Re: [users@httpd] Regarding OpenLDAP Access From Apache

Posted by Eric Covener <co...@gmail.com>.
On Fri, Sep 18, 2009 at 1:55 AM, Asimananda Mohanty
<as...@gmail.com> wrote:

Apache needs to be configured to trust the certificate presented by
the LDAP server.  See the cert-related directives in the manual.


-- 
Eric Covener
covener@gmail.com
