Posted to users@httpd.apache.org by vr <ap...@iotk.net> on 2010/02/22 18:40:30 UTC

[users@httpd] SSL between Apache and ldap

I'm trying to enable SSL encryption between apache2 and ldap of
Microsoft's Active Directory 2008 so password authentication is not sent in
clear text during the 2nd hop of https connections.

I've installed apache2 on a Debian Lenny i386 system using Debian's
prebuilt apache2, ldap and ssl-cert packages.
I've enabled the distribution's included apache2 modules ldap and
authnz_ldap.
I've read Microsoft docs which state ldaps is enabled by default.
I've confirmed the active directory server port 636 is open via netstat.
I've confirmed using nmap that the active directory server shows port 636
open, un-firewalled.

In my apache2 config, if I use:
"ldap://adserver.domain.tld:389/DC=domain,DC=tld?sAMAccountname?sub?(objectClass=*)"
NONE
I can successfully make connections to https://myserver.domain.tld using
an active directory account. The account is authenticated but my
understanding is that communication from apache2 to ldap will be sent in
plain text.

In my apache2 config, if I try to use:
"ldaps://adserver.domain.tld:636/DC=domain,DC=tld?sAMAccountname?sub?(objectClass=*)"
SSL
the authentication fails, per my error.log with:
"authentication failed; URi / [LDAP: ldap_simple_bind_s() failed]Can't
contact LDAP server]".

Are there additional pieces needed for this to work?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: [Spam] Re: [users@httpd] SSL between Apache and ldap

Posted by Nathan Bird <na...@acceleration.net>.
On 2/22/2010 2:51 PM, vr wrote:
> On Mon, 22 Feb 2010 12:51:30 -0500, Eric Covener wrote:
>>> In my apache2 config, if I try to use:
>>> "ldaps://adserver.domain.tld:636/DC=domain,DC=tld?sAMAccountname?sub?(objectClass=*)"
>>> SSL
>>> the authentication fails, per my error.log with:
>>> "authentication failed; URi / [LDAP: ldap_simple_bind_s() failed]Can't
>>> contact LDAP server]".
>>>
>>> Are there additional pieces needed for this to work?
>>
>> LDAPTrustedGlobalCert or LDAPVerifyServerCert?
>
> Thanks.  I'm having a hard time finding an explanation that makes sense to
> me of how the ldaps layer (tier?) works as opposed to the https layer...
> Do the attributes for either of those need to point to the same certificate
> being used at the front end https server's auths? Or does there need to be
> a new certificate created just for the ldaps communication back to active
> directory?


When setting up the SSL connection from apache to ldap it will verify
that the ldap server is in fact the one you want to talk to. This is
only true if LDAPVerifyServerCert is true, which it should be, or someone
could impersonate your LDAP server, subverting the authnz. Turning
LDAPVerifyServerCert off is one way to check you have everything else
working and just need to solve the certificate problem.

HOW it verifies the ldap server is correct is through
LDAPTrustedGlobalCert:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldaptrustedglobalcert
Your LDAP server (e.g. adserver.domain.tld) needs to have an SSL certificate
configured. While the principle of SSL certificates is the same (i.e.
the common name of the cert needs to match the dns name of the ldap
server) it is not the same name/certificate as the apache server's.

LDAPTrustedGlobalCert should point at the public Certificate Authority
certificate that signed adserver.domain.tld's certificate, e.g.
verisign's.  VERY IMPORTANTLY this file is only read AFTER apache
startup once it has switched user to www-data, so that user needs to be
able to read this certificate.

If you have the openssl command line you can use something like this to
check it:

openssl s_client -connect ldap.example.com:636 -verify 1 -CAfile <LDAPTrustedGlobalCert>

If you have things correct, it should tell you "Verify return code: 0 (ok)"

-- 
Nathan Bird
nathan@acceleration.net
http://www.acceleration.net/ 
Custom Programming, Design, Hosting, and Broadband.
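As an added example, not part of Nathan's reply or the Apache project, the following POSIX shell script automates the two checks he describes: whether the CA file named by LDAPTrustedGlobalCert is readable once httpd has dropped privileges, and whether openssl can build a trust chain to the LDAPS port with that CA file. The host, port and CA path are placeholders you supply on the command line; the directive names in the comment are the real mod_ldap/mod_authnz_ldap ones.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: automate the two checks
# from the reply above. Host, port and CA path are caller-supplied placeholders.
#
# Matching httpd directives (real mod_ldap / mod_authnz_ldap names):
#   LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
#   LDAPVerifyServerCert On
#   AuthLDAPURL "ldaps://adserver.domain.tld:636/DC=domain,DC=tld?sAMAccountname?sub?(objectClass=*)" SSL

# Print the N from "Verify return code: N (text)" in s_client output;
# prints nothing when no handshake happened (e.g. connection refused).
parse_verify_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# The CA file is read after httpd switches to www-data, so the unprivileged
# user must be able to open it. Checks the "other" read bit from ls -ld
# (directory traversal is assumed to work; ACLs are ignored).
ca_readable_by_others() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Connect with s_client and classify the outcome; exit status 0 on success.
check_ldaps() {
    host=$1; port=$2; ca_file=$3
    ca_readable_by_others "$ca_file" || echo "WARN: $ca_file is not world-readable; httpd's user may not be able to open it"
    out=$(openssl s_client -connect "$host:$port" -CAfile "$ca_file" </dev/null 2>&1) || true
    code=$(parse_verify_code "$out")
    case "$code" in
        0)  echo "OK: chain to $host:$port verifies with $ca_file"; return 0 ;;
        "") echo "FAIL: no TLS handshake with $host:$port (closed port, or plain LDAP on it?)"; return 2 ;;
        *)  echo "FAIL: verify return code $code (wrong CA in $ca_file, or chain incomplete)"; return 1 ;;
    esac
}

# Usage: sh check_ldaps.sh adserver.domain.tld 636 /etc/ssl/certs/ad-root-ca.pem
if [ $# -eq 3 ]; then check_ldaps "$1" "$2" "$3"; fi
```

A non-zero verify code with a successful handshake means the CA file is the wrong one (or the AD server sends an incomplete chain); an empty code means nothing spoke TLS on that port at all.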




Re: [users@httpd] SSL between Apache and ldap

Posted by vr <ap...@iotk.net>.
On Mon, 22 Feb 2010 12:51:30 -0500, Eric Covener wrote:
>> In my apache2 config, if I try to use:
>> "ldaps://adserver.domain.tld:636/DC=domain,DC=tld?sAMAccountname?sub?(objectClass=*)"
>> SSL
>> the authentication fails, per my error.log with:
>> "authentication failed; URi / [LDAP: ldap_simple_bind_s() failed]Can't
>> contact LDAP server]".
>>
>> Are there additional pieces needed for this to work?
>
> LDAPTrustedGlobalCert or LDAPVerifyServerCert?


Thanks.  I'm having a hard time finding an explanation that makes sense to
me of how the ldaps layer (tier?) works as opposed to the https layer... 
Do the attributes for either of those need to point to the same certificate
being used at the front end https server's auths? Or does there need to be
a new certificate created just for the ldaps communication back to active
directory?





Re: [users@httpd] SSL between Apache and ldap

Posted by Eric Covener <co...@gmail.com>.
> In my apache2 config, if I try to use:
> "ldaps://adserver.domain.tld:636/DC=domain,DC=tld?sAMAccountname?sub?(objectClass=*)"
> SSL
> the authentication fails, per my error.log with:
> "authentication failed; URi / [LDAP: ldap_simple_bind_s() failed]Can't
> contact LDAP server]".
>
> Are there additional pieces needed for this to work?

LDAPTrustedGlobalCert or LDAPVerifyServerCert?





-- 
Eric Covener
covener@gmail.com
