Posted to users@httpd.apache.org by Mike Benza <mi...@gmail.com> on 2008/11/02 17:57:06 UTC
Re: [users@httpd] LDAP hangs when trying to authenticate
Well, I've solved this problem with a lot of help. The issue is that
Apache's mod_ldap is ignoring "LDAPVerifyServerCert Off". I had to
replace that with:
LDAPTrustedMode SSL
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/Thawte_Premium_Server_CA.pem
(if you have the same problem, make sure you use the right CA
certificate...I'm not sure how to figure out which to use -- the person
who helped me told me)
- Mike Benza
Tod wrote:
> Mike Benza wrote:
>> Hello,
>>
>> I've been stuck with a problem where LDAP hangs when it's trying to
>> authenticate.
>>
>> I'm running Apache on Ubuntu 8.04, Hardy Heron. This problem occurs
>> with the Ubuntu version (both 32 and 64 bit) as well as compiled
>> directly from source. I can produce the problem in Apache 2.2.8
>> (from Ubuntu) and 2.2.10 (compiled from source). I posted about the
>> problem on ubuntuforums.org a few weeks ago
>> but I didn't get any useful responses. I've searched the web
>> multiple times. Tonight I downloaded the source and built it, and I
>> still have the problem.
>>
>> I've a <Location> in a certain site that needs to be ldap
>> authenticated. It doesn't get authenticated. Here is the location:
>>
>> <Location /blah>
>> AuthzLDAPAuthoritative Off
>> AuthName "EWB Documents"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
>> AuthLDAPBindPassword *********
>> AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid"
>>
>> <Limit GET POST PROPFIND OPTIONS REPORT>
>> Require valid-user
>> </Limit>
>> </Location>
>>
>> When I browse to http://site/blah, I get prompted for my username and
>> password. I've confirmed that this <Location> configuration is
>> causing the prompt, since when I remove the <Location>, I don't get
>> prompted for a username and password. After I type my username and
>> password in and click OK, nothing happens on the browser side. I can
>> watch my browser send my credentials back the server, and I can see
>> the beginning of an LDAP conversation using wireshark on the server.
>> However, after the conversation begins, it abruptly stops, and
>> nothing happens. It just sits there.
>>
>> I tested logging into the LDAP with a variation of the following
>> (using a hostname and port, but I don't remember the format and
>> switches now):
>> Code:
>>
>> ldapsearch -x -W -D "cn=ewb,ou=service accounts,dc=rice,dc=edu" -b
>> "ou=People,dc=rice,dc=edu" '(uid=XYZ)'
>>
>> It prompts me for my password (the ***s in the above apache
>> configuration), then finds the user named XYZ.
>>
>> So, in summary I can connect via ldaps and lookup a user at the
>> command line, but somewhere, apache fails.
>>
>> I turned logging in apache to debug, and discovered that ldap doesn't
>> log much:
>> Code:
>>
>> [Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory:
>> mod_mime_magic: can't read magic file /etc/apache2/conf/magic
>> [Wed Sep 17 20:07:10 2008] [notice] suEXEC mechanism enabled
>> (wrapper: /usr/lib/apache2/suexec)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes
>> of entropy
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA
>> private keys (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH
>> parameters (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual)
>> servers for SSL
>> [Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against
>> Server: Apache/2.2.8, Library: OpenSSL/0.9.8g
>> [Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory:
>> mod_mime_magic: can't read magic file /etc/apache2/conf/magic
>> [Wed Sep 17 20:07:10 2008] [notice] Digest: generating secret for
>> digest authentication ...
>> [Wed Sep 17 20:07:10 2008] [notice] Digest: done
>> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging
>> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST:
>> ewb.rice.edu
>> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging
>> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST:
>> wiki.ewb.rice.edu
>> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging
>> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST:
>> ewb.rice.edu
>> [Wed Sep 17 20:07:10 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
>> [Wed Sep 17 20:07:10 2008] [info] LDAP: SSL support available
>> [Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes
>> of entropy
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA
>> private keys (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH
>> parameters (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(374):
>> shmcb_init allocated 512000 bytes of shared memory
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(554): entered
>> shmcb_init_memory()
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(576): for
>> 512000 bytes, recommending 4266 indexes
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(619):
>> shmcb_init_memory choices follow
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(621):
>> division_mask = 0x1F
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(623):
>> division_offset = 64
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(625):
>> division_size = 15998
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(627):
>> queue_size = 1604
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(629): index_num
>> = 133
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(631):
>> index_offset = 8
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(633):
>> index_size = 12
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(635):
>> cache_data_offset = 8
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(637):
>> cache_data_size = 14386
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(650): leaving
>> shmcb_init_memory()
>> [Wed Sep 17 20:07:10 2008] [info] Shared memory session cache
>> initialised
>> [Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual)
>> servers for SSL
>> [Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against
>> Server: Apache/2.2.8, Library: OpenSSL/0.9.8g
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24788 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24788 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24789 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24789 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24790 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24790 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24791 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24791 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24792 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24792 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24793 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24793 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24794 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24794 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
>> scoreboard slot 0 in child 24795 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy:
>> initialized single connection worker 0 in child 24795 for (*)
>> [Wed Sep 17 20:07:10 2008] [notice] Apache/2.2.8 (Ubuntu) DAV/2
>> SVN/1.4.6 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8
>> OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming
>> normal operations
>>
>> Nothing is logged in the error log when I try to load the page
>> requiring my username and password.
>>
>> Now here is where it gets a bit more complicated: If it's hanging
>> waiting to authenticate and I restart apache, the authentication
>> succeeds, then apache restarts just fine.
>>
>> I don't know very much about the LDAP server. I know there are a
>> number of machines with apache that successfully authenticate against
>> this ldap.
>>
>> Has anyone had problems like this? Please help me. I can't find
>> anyone who knows enough about apache and ldap. I've been working at
>> this for weeks now. Thank you.
>>
>> - Mike Benza
>>
>
> Try doing the ldapsearch from the apache box to ldap.rice.edu to rule
> out a firewall issue.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
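The check behind Mike's fix, as an added example that is not from the thread: the file named in LDAPTrustedGlobalCert must be the CA that actually issued the LDAP server's certificate, and any other CA file makes verification fail. Everything here is generated locally with throwaway CAs and a constructed hostname (ldap.example.org); the s_client command in the comment is how you would capture a real server's chain instead.

```shell
#!/bin/sh
# Added example, not from the thread: shows the check behind Mike's fix.
# LDAPTrustedGlobalCert must name the CA that actually issued the LDAP
# server's certificate; any other CA file makes verification fail, which
# is what mod_ldap sees with LDAPVerifyServerCert On. Everything here is
# generated locally (throwaway CAs, constructed hostname ldap.example.org).
set -e
WORK=$(mktemp -d)

# Minimal req config so CA certs carry CA:TRUE on every OpenSSL version.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_server_cert() {  # $1 = issuing CA prefix, $2 = server hostname
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}

# Exit 0 only if the server cert chains to the CA file in $1.
# Against a live server, capture the presented chain first with:
#   openssl s_client -connect ldap.example.org:636 -showcerts </dev/null
verify_against_ca() {  # $1 = CA PEM file, $2 = server cert PEM file
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca right_ca "Example Issuing CA"
make_ca wrong_ca "Example Unrelated CA"
make_server_cert right_ca ldap.example.org

if verify_against_ca "$WORK/right_ca.pem" "$WORK/server.pem"; then
  echo "right CA: verify OK -> usable as LDAPTrustedGlobalCert CA_BASE64"
fi
if ! verify_against_ca "$WORK/wrong_ca.pem" "$WORK/server.pem"; then
  echo "wrong CA: verify failed -> mod_ldap would reject the connection"
fi
```

Run it on the Apache box; if the CA file you intend to configure fails the same verify against the chain captured from the real server, it is the wrong CA.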