Posted to users@httpd.apache.org by "Speagle, Andy" <an...@wichita.edu> on 2016/11/02 15:24:54 UTC

[users@httpd] apache 2.2 - mod_authnz_ldap with SSL/TLS in chrootdir

Hi Folks,

I'm having some issues getting SSL or TLS working with mod_authnz_ldap in my chroot'ed Apache 2.2 server on RHEL 6.8 ... it works without SSL just fine.  I'm using the built-in "ChrootDir" directive with Apache.  I seem to have all of the libraries, binaries and things in the chroot jail that Apache uses... but, I can't seem to get it to work... and I kinda need to know how best to troubleshoot this to figure out where the problem lies.

Inside and outside the chroot jail I can use ldapsearch with SSL just fine... so, I know the system can connect... I'm just getting tripped up on why Apache can't connect.  I get this very generic error in the logs:

[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I have the global loglevel set to debug... but, this really isn't giving me much insight into the mod_authnz_ldap internals.  Can that be turned up?

Any help would be appreciated.

Thanks!

Andy Speagle

RE: [users@httpd] apache 2.2 - mod_authnz_ldap with SSL/TLS in chrootdir

Posted by Alexandru Duzsardi <al...@pitechnologies.ro>.
I think this might be a bug; I've also tested it, and even copied almost all of the system files into the chrootdir, but it didn't change anything.

TLS or SSL doesn't work, but unencrypted LDAP does.

[Thu Nov 03 12:10:11.362994 2016] [core:trace3] [pid 3652] request.c(119): [client 10.0.1.110:58424] auth phase 'check user' gave status 401: /
[Thu Nov 03 12:10:11.363030 2016] [http:trace3] [pid 3652] http_filters.c(1006): [client 10.0.1.110:58424] Response sent with status 401, headers:
[Thu Nov 03 12:10:11.363035 2016] [http:trace5] [pid 3652] http_filters.c(1013): [client 10.0.1.110:58424]   Date: Thu, 03 Nov 2016 10:10:11 GMT
[Thu Nov 03 12:10:11.363038 2016] [http:trace5] [pid 3652] http_filters.c(1016): [client 10.0.1.110:58424]   Server: Apache/2.4.18 (Ubuntu)
[Thu Nov 03 12:10:11.363042 2016] [http:trace4] [pid 3652] http_filters.c(835): [client 10.0.1.110:58424]   WWW-Authenticate: Basic realm=\\"Restricted Zone\\"
[Thu Nov 03 12:10:11.363046 2016] [http:trace4] [pid 3652] http_filters.c(835): [client 10.0.1.110:58424]   Content-Length: 456
[Thu Nov 03 12:10:11.363049 2016] [http:trace4] [pid 3652] http_filters.c(835): [client 10.0.1.110:58424]   Keep-Alive: timeout=5, max=100
[Thu Nov 03 12:10:11.363052 2016] [http:trace4] [pid 3652] http_filters.c(835): [client 10.0.1.110:58424]   Connection: Keep-Alive
[Thu Nov 03 12:10:11.363055 2016] [http:trace4] [pid 3652] http_filters.c(835): [client 10.0.1.110:58424]   Content-Type: text/html; charset=iso-8859-1
[Thu Nov 03 12:10:11.363150 2016] [core:trace6] [pid 3652] core_filters.c(525): [client 10.0.1.110:58424] core_output_filter: flushing because of FLUSH bucket
[Thu Nov 03 12:10:16.368440 2016] [core:trace6] [pid 3652] core_filters.c(525): [client 10.0.1.110:58424] core_output_filter: flushing because of FLUSH bucket
[Thu Nov 03 12:10:18.329231 2016] [core:trace5] [pid 3649] protocol.c(616): [client 10.0.1.110:58427] Request received from client: GET / HTTP/1.1
[Thu Nov 03 12:10:18.329305 2016] [http:trace4] [pid 3649] http_request.c(394): [client 10.0.1.110:58427] Headers received from client:
[Thu Nov 03 12:10:18.329309 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Host: 10.0.6.57
[Thu Nov 03 12:10:18.329311 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Connection: keep-alive
[Thu Nov 03 12:10:18.329313 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Authorization: Basic dsfldjsflALALDSLDxdsfksdf
[Thu Nov 03 12:10:18.329315 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Upgrade-Insecure-Requests: 1
[Thu Nov 03 12:10:18.329316 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
[Thu Nov 03 12:10:18.329319 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
[Thu Nov 03 12:10:18.329321 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Accept-Encoding: gzip, deflate, sdch
[Thu Nov 03 12:10:18.329322 2016] [http:trace4] [pid 3649] http_request.c(398): [client 10.0.1.110:58427]   Accept-Language: en-US,en;q=0.8,ro;q=0.6
[Thu Nov 03 12:10:18.329379 2016] [authz_core:debug] [pid 3649] mod_authz_core.c(809): [client 10.0.1.110:58427] AH01626: authorization result of Require ldap-filter &(sAMAccountType=805306368)(memberof=CN=Users,DC=office,DC=lan): denied (no authenticated user yet)
[Thu Nov 03 12:10:18.329383 2016] [authz_core:debug] [pid 3649] mod_authz_core.c(809): [client 10.0.1.110:58427] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Nov 03 12:10:18.329411 2016] [authnz_ldap:debug] [pid 3649] mod_authnz_ldap.c(516): [client 10.0.1.110:58427] AH01691: auth_ldap authenticate: using URL ldap://10.0.1.250/DC=office,DC=lan?sAMAccountName?sub
[Thu Nov 03 12:10:18.329418 2016] [authnz_ldap:trace1] [pid 3649] mod_authnz_ldap.c(537): [client 10.0.1.110:58427] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=username))
[Thu Nov 03 12:10:18.329780 2016] [ldap:trace5] [pid 3649] util_ldap.c(329): [client 10.0.1.110:58427] LDC 7fd88124b0a0 init
[Thu Nov 03 12:10:18.330912 2016] [ldap:trace5] [pid 3649] util_ldap.c(186): [client 10.0.1.110:58427] LDC 7fd88124b0a0 unbind
[Thu Nov 03 12:10:18.331003 2016] [authnz_ldap:info] [pid 3649] [client 10.0.1.110:58427] AH01695: auth_ldap authenticate: user username authentication failed; URI / [LDAP: ldap_start_tls_s() failed][Connect error]
[Thu Nov 03 12:10:18.331011 2016] [core:trace3] [pid 3649] request.c(119): [client 10.0.1.110:58427] auth phase 'check user' gave status 500: /
[Thu Nov 03 12:10:18.331043 2016] [http:trace3] [pid 3649] http_filters.c(1006): [client 10.0.1.110:58427] Response sent with status 500, headers:
[Thu Nov 03 12:10:18.331047 2016] [http:trace5] [pid 3649] http_filters.c(1013): [client 10.0.1.110:58427]   Date: Thu, 03 Nov 2016 10:10:18 GMT
[Thu Nov 03 12:10:18.331049 2016] [http:trace5] [pid 3649] http_filters.c(1016): [client 10.0.1.110:58427]   Server: Apache/2.4.18 (Ubuntu)
[Thu Nov 03 12:10:18.331051 2016] [http:trace4] [pid 3649] http_filters.c(835): [client 10.0.1.110:58427]   Content-Length: 607
[Thu Nov 03 12:10:18.331053 2016] [http:trace4] [pid 3649] http_filters.c(835): [client 10.0.1.110:58427]   Connection: close
[Thu Nov 03 12:10:18.331055 2016] [http:trace4] [pid 3649] http_filters.c(835): [client 10.0.1.110:58427]   Content-Type: text/html; charset=iso-8859-1
[Thu Nov 03 12:10:18.331063 2016] [core:trace6] [pid 3649] core_filters.c(525): [client 10.0.1.110:58427] core_output_filter: flushing because of FLUSH bucket
[Thu Nov 03 12:10:18.331137 2016] [core:trace6] [pid 3649] core_filters.c(525): [client 10.0.1.110:58427] core_output_filter: flushing because of FLUSH bucket


Re: [users@httpd] apache 2.2 - mod_authnz_ldap with SSL/TLS in chrootdir

Posted by Luca Toscano <to...@gmail.com>.
Hi Andy,

2016-11-02 16:24 GMT+01:00 Speagle, Andy <an...@wichita.edu>:

> Hi Folks,
>
> I’m having some issues getting SSL or TLS working with mod_authnz_ldap in
> my chroot’ed Apache 2.2 server on RHEL 6.8 … it works without SSL just
> fine.  I’m using the built-in “ChrootDir” directive with Apache.  I seem to
> have all of the libraries, binaries and things in the chroot jail that
> Apache uses… but, I can’t seem to get it to work… and I kinda need to know
> how best to troubleshoot this to figure out where the problem lies.
>
> Inside and outside the chroot jail I can use ldapsearch with SSL just
> fine… so, I know the system can connect… I’m just getting tripped up on why
> Apache can’t connect.  I get this very generic error in the logs:
>
> [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> I have the global loglevel set to debug… but, this really isn’t giving me
> much insight into the mod_authnz_ldap internals.  Can that be turned up?
>
> Any help would be appreciated.
>

(just to have more info) have you followed
https://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#usingssl setting
all the required directives?

What I'd try:
1) Same config without the ChrootDir to see if anything changes.
2) A recent 2.4 version and Loglevel set to trace8.
3) GDB might help (https://httpd.apache.org/dev/debugging.html#gdb) but it
requires digging into the source code.

If you want more people to help you could also send us the whole httpd
configuration plus what you see in the error logs (not only the line
reported above).

Hope that helps!

Luca
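Luca's first step (the same config without ChrootDir) points at the usual cause of "Can't contact LDAP server" / "ldap_start_tls_s() failed" in a jail: the LDAP client library opens its configuration, CA material, resolver files and dlopen()ed helper libraries only when the TLS connection is made, which happens after httpd has chroot()ed, so they must exist relative to the jail root and be readable by the httpd user. As an added example, not code from the thread, here is a POSIX sh checklist that inventories those items inside a ChrootDir; the paths and library names are assumptions for a RHEL 6 layout with OpenLDAP built on NSS and should be adjusted to the real system.

```shell
#!/bin/sh
# Added example, not from the thread: inventory what an LDAP-over-TLS client
# needs inside an httpd ChrootDir jail. Paths below are ASSUMPTIONS for a
# RHEL 6 style layout (OpenLDAP built on NSS); adjust them to your system.

CA_FILE=/etc/pki/tls/certs/ca-bundle.crt   # assumed CA path (LDAPTrustedGlobalCert / TLS_CACERT)

# Usage: check_chroot_ldap_tls /path/to/chrootdir
# Prints one "missing: ..." line per absent item; returns 1 if anything is missing.
check_chroot_ldap_tls() {
    jail=$1
    missing=0
    # Files the LDAP and resolver libraries open at connect time, long after
    # httpd has chroot()ed, so they must exist relative to the jail root.
    for f in /etc/openldap/ldap.conf /etc/resolv.conf /etc/hosts \
             /etc/nsswitch.conf "$CA_FILE"; do
        if [ ! -r "$jail$f" ]; then
            echo "missing: $f"
            missing=$((missing + 1))
        fi
    done
    # The TLS handshake needs a randomness device node inside the jail.
    if [ ! -c "$jail/dev/urandom" ]; then
        echo "missing: /dev/urandom (character device)"
        missing=$((missing + 1))
    fi
    # These libraries are loaded with dlopen() at runtime, so they never show
    # up in `ldd httpd` output and are easy to forget when copying libraries.
    for lib in libnss_dns.so.2 libnss_files.so.2 libsoftokn3.so libfreebl3.so libnsspem.so; do
        if [ ! -e "$jail/lib64/$lib" ] && [ ! -e "$jail/usr/lib64/$lib" ]; then
            echo "missing: $lib (dlopen()ed library, not listed by ldd)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Run this as the user httpd switches to (e.g. su -s /bin/sh apache -c '...'),
# so the -r checks reflect that user's permissions rather than root's.
```

Anything reported as missing is a candidate for the generic "Connect error" seen in the logs above, since the library fails before it ever reaches the LDAP server.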