Re: Apache 2.2 mod_ldap refusing to work over SSL/TLS (solved)
- From: Maxim Khitrov <mkhitrov@xxxxxxxxx>
- Date: Thu, 19 Nov 2009 20:44:40 -0500
On Thu, Nov 19, 2009 at 11:33 AM, Maxim Khitrov <mkhitrov@xxxxxxxxx> wrote:
Hello all,
Wasted many hours on this and am no closer to a solution. I'm trying
to get apache 2.2 on FreeBSD 7.2 to authenticate against our active
directory (Windows 2003).
The current status is that authentication works without problems when
SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
to the server and run queries using the ldapsearch tool. Server
certificate verification works without any problems.
The relevant portions of ldap.conf and httpd.conf are identical, so if
I can use SSL and TLS with ldapsearch, there is no reason why it
shouldn't be working from apache. Just to be on the safe side, I've
turned off server certificate verification with 'LDAPVerifyServerCert
Off' directive.
So... Unencrypted authentication works, SSL authentication results in
"[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]", and
TLS authentication gives "[LDAP: ldap_start_tls_s() failed][Connect
error]." I had nothing else to go on, so I decided to capture the
packets that are being sent between apache and active directory
servers. I then compared this packet capture with what ldapsearch does
(both using TLS).
In summary, ldapsearch and apache send an identical
LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
with an identical "Result: Status: Success, MatchedDN: NULL,
ErrorMessage: NULL" packet. But while ldapsearch then goes on to the
certificate and key exchange phase, apache responds with
"OperationHeader: Unbind Request, 2(0x2)" and terminates the
connection.
As far as I can tell, it doesn't even get to the certificate
verification phase even though the STARTTLS command is successful.
Anyone have a clue on what could be causing this?
- Max
I love the simplest of problems that takes 12 hours to solve... It was
my mistake and a really dump one, but apache and openldap sure don't
make it easy to figure this out.
The next step after packet captures was to start digging through
source. I finally ended up in tls_o.c, which is part of OpenLDAP. The
whole problem had to do with the fact that the CA certificate I
specified was in a directory readable only by root. That would
certainly explain why ldapsearch worked without problems.
Unfortunately, the certificate is loaded just prior to establishing an
SSL or TLS connection. While one would expect an error for this
condition to be raised when apache is first started (basic validation
of LDAPTrustedGlobalCert directive), it actually manifests itself as a
cryptic "Connect error" message during authentication.
- Max
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
- Prev by Date: Re: Bootcamp?
- Next by Date: Re: Bootcamp?
- Previous by thread: Bootcamp?
- Next by thread: problem with printer on pcbsd
- Index(es):
Relevant Pages
|
