Llarian (n00b)
Joined: 13 Mar 2004, Posts: 15
Posted: Tue Feb 15, 2005 12:50 am, Post subject: Apache 2.0.52/mod_auth_ldap and Active Directory
I've been fighting with this all day without any useful answer. I've tried damn near everything in all the threads I've found like this on Google with no luck, so hopefully somebody here might be able to offer some help. Trying to get Apache2 to authenticate against Active Directory. (Currently Win2k)
First, the .htaccess config:
Code:
AuthLDAPEnabled on
AuthType Basic
AuthName "LDAP Auth Test"
#AuthLDAPBindDN "CN=Dylan Vanderhoof,OU=Engineering,OU=Operations,OU=Semaphore Users,DC=semaphore,DC=lan"
AuthLDAPBindDN "dylanv@semaphore.com"
AuthLDAPBindPassword "*******"
AuthLDAPURL "ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)"
require valid-user

I've used both DNs specified above with the following ldapsearch statement and it works fine there:
Code:
ldapsearch -LLL -H "ldap://dc1.semaphore.lan" -x -D "CN=Dylan Vanderhoof,OU=Engineering,OU=Operations,OU=Semaphore Users,DC=semaphore,DC=lan" -W -v -b "dc=semaphore,dc=lan" "(sAMAccountName=dylanv)"

Here are the error messages I get from apache:
Code:
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(701): [992] auth_ldap url parse: `ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)'
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(722): [992] auth_ldap url parse: Host: dc1.semaphore.lan
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(724): [992] auth_ldap url parse: Port: 389
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(726): [992] auth_ldap url parse: DN: dc=semaphore,dc=lan
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(728): [992] auth_ldap url parse: attrib: sAMAccountName
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(730): [992] auth_ldap url parse: scope: subtree
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(735): [992] auth_ldap url parse: filter: (objectClass=user)
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(800): LDAP: auth_ldap not using SSL connections
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(308): [client 192.168.1.68] [992] auth_ldap authenticate: using URL ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)
[Mon Feb 14 16:47:32 2005] [warn] [client 192.168.1.68] [992] auth_ldap authenticate: user dylanv authentication failed; URI /testdir [ldap_search_ext_s() for user failed][Operations error]

Any ideas? Every similar thread I've found doesn't have an answer. I know I'm authenticating correctly, since if I change the AuthLDAPBindDN to an invalid user, it fails with a bind failure error with invalid credentials.
Thanks!
-Dylan

UberLord (Retired Dev)
Joined: 18 Sep 2003, Posts: 6838, Location: Blighty
Posted: Tue Feb 15, 2005 7:31 am
Looks like you need to use ldaps:// instead of ldap:// in the URI

cselkirk (Apprentice)
Joined: 09 Jun 2003, Posts: 199, Location: NL
Posted: Tue Feb 15, 2005 9:37 am
UberLord wrote:
    Looks like you need to use ldaps:// instead of ldap:// in the URI
I would have thought the same, but given the OP was able to "ldapsearch ldap://", port 389 ("ldap://") must be listening. I have no experience with Active Directory so I can't comment ITR; my suspicion would be that mod_ldap is missing the LDAPTrustedCA directive (not seen in the above .htaccess; is it defined in your apache configuration?). The mod_ldap documentation states "It specifies the directory path and file name of the trusted CA mod_ldap should use when establishing an SSL connection to an LDAP server".
HTH
_________________
cn=cselkirk,dc=xs4all,dc=nl

Llarian (n00b)
Joined: 13 Mar 2004, Posts: 15
Posted: Tue Feb 15, 2005 6:18 pm
Yeah. I'll eventually try it with SSL, but that's a royal PITA with Active Directory, so until I can get it to work without being secure, there's no reason to screw with the SSL part yet.
I suppose I may have to use mod_auth_kerberos for the time being, but I'd prefer LDAP if I can make this work.

UberLord (Retired Dev)
Joined: 18 Sep 2003, Posts: 6838, Location: Blighty
Posted: Tue Feb 15, 2005 7:12 pm
cselkirk is right - you need the LDAPTrustedCA directive.
I discovered this today as I had the same issue moving to ldaps://.
What I don't know yet is if you get the same error on a TLS connection, which would use the ldap:// URI.

Llarian (n00b)
Joined: 13 Mar 2004, Posts: 15
Posted: Tue Feb 15, 2005 7:19 pm
OK, but that doesn't explain why I can't force mod_auth_ldap to use simple auth for testing, which is what I'm attempting here. I'll give a shot at doing TLS, I suppose.

Llarian (n00b)
Joined: 13 Mar 2004, Posts: 15
Posted: Tue Feb 15, 2005 11:57 pm
Got it working.
mod_auth_ldap implies it can do simple authentication, but it doesn't appear to actually work with AD, despite what ldapsearch returned.
Pulling the CA Cert from AD and switching to ldaps solved the problem.
Thanks,
Dylan

frilled (Retired Dev)
Joined: 15 Mar 2004, Posts: 386, Location: Atlantis, inner city ring
Posted: Thu Jan 12, 2006 12:34 pm
Might you enlighten me on how to do this? I do have the AD certificate at hand, but how to do it?
First problem: of the supposedly supported three certificate types, only BASE64_FILE seems to work (if I use anything else, the log says BASE64_FILE is needed). So I base64-encoded my certificate, and at least I get "SSL support available" in the log now. I doubt it works, though, so that's probably the origin of the error below:
I then used
Code:
AuthLDAPURL ldaps://my.server.dom/dc=server,dc=dom?sAMAccountName?sub?(objectClass=*)

but still, all I get is
Code:
[Thu Jan 12 13:49:59 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jan 12 13:49:59 2006] [notice] LDAP: SSL support available
[Thu Jan 12 13:50:00 2006] [notice] Apache configured -- resuming normal operations
[Thu Jan 12 13:50:07 2006] [warn] [client a.b.c.d] [27103] auth_ldap authenticate: user myuser authentication failed; URI /suck/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

If I don't use ldaps://, I get
Code:
[Thu Jan 12 14:01:12 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jan 12 14:01:12 2006] [notice] LDAP: SSL support available
[Thu Jan 12 14:01:12 2006] [notice] Apache configured -- resuming normal operations
[Thu Jan 12 14:01:15 2006] [warn] [client a.b.c.d] [27243] auth_ldap authenticate: user myuser authentication failed; URI /suck/ [ldap_search_ext_s() for user failed][Operations error]

_________________
"Failure is not an option!"
"Sir, we are out of further options."

Llarian (n00b)
Joined: 13 Mar 2004, Posts: 15
Posted: Thu Jan 12, 2006 3:24 pm
Sure thing!
First, I had to add my CA cert to /etc/apache2/modules.d/46_mod_ldap
Code:
<IfModule util_ldap.c>
LDAPTrustedCA /etc/ssl/certs/SemaphoreCA.pem
LDAPTrustedCAType BASE64_FILE
</IfModule>

I never got things to work without LDAPS, but AD seems to require its CA cert be installed.
My .htaccess files look like this once that is set up:
Code:
AuthLDAPEnabled on
AuthType Basic
AuthName "Realm"
AuthLDAPBindDN "CN=LDAP Lookup,OU=Service Accounts,OU=Company Users,DC=company,DC=lan"
AuthLDAPBindPassword "********"
AuthLDAPURL "ldaps://dc2.company.lan dc1.company.lan/dc=company,dc=lan?sAMAccountName?sub?(objectClass=user)"
AuthLDAPGroupAttributeIsDN on
require group CN=Company People,OU=Company Security Groups,DC=company,DC=lan

HTH! Please let me know if that doesn't do it for you and I can probably help out a bit more.
-Dylan
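As an added example (not Apache's code and not part of Dylan's post), the Python below parses an AuthLDAPURL into the same pieces the mod_auth_ldap debug log in the first post prints (host, port, base DN, attribute, scope, filter), accepts the space-separated multi-host form used in the ldaps:// URL above, warns when the bind password would travel over plain ldap://, and builds the per-user search filter with the username escaped so whatever is typed into the Basic-auth prompt cannot change the filter. The filter shape (&(url filter)(attribute=user)) and the default attribute and filter are modelled on Apache's LDAP auth modules; that is an assumption here, not something the thread states.

```python
# Added example: AuthLDAPURL parser and per-user filter builder (not Apache code).
from urllib.parse import unquote

SCOPES = {"": "subtree", "sub": "subtree", "one": "onelevel", "base": "base"}
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def escape_filter_value(value):
    """Backslash-hex escape the characters RFC 4515 reserves in an assertion value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port] [host2 ...]/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostpart, _, path = rest.partition("/")
    hosts = []
    for entry in hostpart.split():            # several hosts may be space separated
        host, _, port = entry.partition(":")
        hosts.append((host, int(port) if port else DEFAULT_PORT[scheme]))
    if not hosts:
        raise ValueError("AuthLDAPURL names no host")
    fields = [unquote(f) for f in path.split("?")] + [""] * 4
    basedn, attribute, scope, filt = fields[:4]
    if scope not in SCOPES:
        raise ValueError("unknown scope: " + scope)
    filt = filt or "(objectClass=*)"          # assumed default, as in Apache's docs
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]                     # outer parens are re-added when used
    return {"scheme": scheme, "hosts": hosts, "basedn": basedn,
            "attribute": attribute or "uid", "scope": SCOPES[scope], "filter": filt}

def user_search_filter(parsed, username):
    """Filter for the user lookup: (&(<url filter>)(<attribute>=<escaped user>))."""
    return "(&(%s)(%s=%s))" % (parsed["filter"], parsed["attribute"],
                               escape_filter_value(username))

def transport_warning(parsed):
    """None when the URL is ldaps://, otherwise why a plain ldap:// bind is risky."""
    if parsed["scheme"] == "ldaps":
        return None
    return ("ldap:// without StartTLS sends AuthLDAPBindDN/AuthLDAPBindPassword and "
            "every user's password in cleartext to " +
            ", ".join("%s:%d" % h for h in parsed["hosts"]))

if __name__ == "__main__":
    for url in ("ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)",
                "ldaps://dc2.company.lan dc1.company.lan/dc=company,dc=lan?sAMAccountName?sub?(objectClass=user)"):
        p = parse_auth_ldap_url(url)
        print(p, user_search_filter(p, "dylanv"), transport_warning(p), sep="\n")
```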

frilled (Retired Dev)
Joined: 15 Mar 2004, Posts: 386, Location: Atlantis, inner city ring
Posted: Fri Jan 13, 2006 7:01 am
Hi!
Thanks for the quick reply. Unfortunately, it still doesn't work. I already had most of the configuration like in your example, and I am beginning to suspect that I am missing some very basic stuff here.
To recap: I exported our Trusted CA certificate (again) as BASE64 encoded and put it in /etc/ssl/certs (thanks for pointing me there).
I have OpenLDAP and apache2 installed, and start with -D LDAP and -D AUTH_LDAP. The log says
Code:
[Fri Jan 13 07:46:03 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Fri Jan 13 07:46:03 2006] [notice] LDAP: SSL support available
[Fri Jan 13 07:46:03 2006] [notice] Apache configured -- resuming normal operations

so I guess that's okay.
I can do ldapsearch as much as I want, but _only_ if I have an "ldap://...." URI set up in /etc/openldap/ldap.conf. If I change that to "ldaps://.....", I get
Code:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

which is why I don't wonder that I can't get it working with apache.
I tried with
Code:
TLS_CACERTDIR /etc/ssl/certs

in /etc/openldap/ldap.conf, but that doesn't change a thing.
So my problem is very basic, I suppose. Do I have to set up any slapd config (and if so, which one, the one in /etc/openldap or in /etc/conf.d)?
Excuse my dumb asking, but LDAP is something I know virtually nothing about.
_________________
"Failure is not an option!"
"Sir, we are out of further options."

Llarian (n00b)
Joined: 13 Mar 2004, Posts: 15
Posted: Fri Jan 13, 2006 3:51 pm
Nope, you don't need slapd for the client. Have you tried doing tcpdump and/or ssldump on the traffic to see what's happening?
I honestly don't recall how I finally fixed this, as it's been a while. Since I got it to work once, it's "Just Worked(TM)" since then.
Silly thought, but make sure the apache user has permissions to read the CA Cert, and that it's ASCII armored?
-D

frilled (Retired Dev)
Joined: 15 Mar 2004, Posts: 386, Location: Atlantis, inner city ring
Posted: Mon Jan 16, 2006 6:09 am
Quote:
    Nope, you don't need slapd for the client. Have you tried doing tcpdump and/or ssldump on the traffic to see what's happening?
Since I really don't know much about LDAP, I didn't think it would help. Maybe I'll strace/tcpdump it, but I doubt it's actually going to provide lots of insight.
Quote:
    Silly thought, but make sure the apache user has permissions to read the CA Cert, and that it's ASCII armored?
Permissions shouldn't be a problem (644 like the others). By accident I found out about the virtually undocumented "c_rehash" command and used it, so the certificate also has a hash softlink now. And yes, I exported it as base64 encoded, which is easily verified by looking at the file itself.
I'm still at a loss here - thanks for your help, though. Problem is that I can't use winbindd->PAM authentication, since winbindd in ADS mode leaks memory like raging hell (has been since 3.0.8 I believe, and even the newest one doesn't work). I'll poke around some more.
_________________
"Failure is not an option!"
"Sir, we are out of further options."

frilled (Retired Dev)
Joined: 15 Mar 2004, Posts: 386, Location: Atlantis, inner city ring
Posted: Mon Jan 16, 2006 8:22 am, Post subject: Got it!
Hm, looks like I found it. To get the ldapsearch working with ldaps://, I put
Code:
TLS_CACERTDIR /etc/ssl/certs

in /etc/openldap/ldap.conf.
That also made the Apache module work.
Now the last hurdle is to get it working with arbitrary groups (so far, only "require valid-user" worked).
[edit: works!]
Also, the lookup seems to take quite a while; there's a pause of 1-2 seconds after I send the credentials from browser to server ...
_________________
"Failure is not an option!"
"Sir, we are out of further options."

BigBeer (n00b)
Joined: 18 Oct 2004, Posts: 40
Posted: Tue Apr 25, 2006 4:54 pm
Did you guys actually get TLS working with mod_auth_ldap against AD??
I have SSL working, but I would like to go the extra mile and set up TLS.
Currently I have:
mm_mod_auth_ldap 3.08 compiled from source
My AD CA cert in /etc/ssl/certs
My apache server cert signed by the AD CA
my /etc/openldap/ldap.conf is
Code:
TLS_CACERT /etc/ssl/certs/ADCAcert.pem
TLS_REQCERT demand

I have a ldaprc as
Code:
TLS_CERT /etc/apache2/ssl/server.crt
TLS_KEY /etc/apache2/ssl/server.key

and in /usr/lib/apache2/build/envvars
(to set the envvar as per the mod_auth_ldap doc)
Code:
LDAPCONF=/etc/apache2/ldaprc
export LDAPCONF

The config for mod_auth_ldap is
Code:
<Location /svn>
DAV svn
SVNPath /mnt/svn/
AuthName "Subversion repository"
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
LDAP_Protocol_Version 3
LDAP_StartTLS On
LDAP_OpenLDAP_Initialize On
LDAP_Server ad1.my.domain.com
Base_DN "DC=my,DC=domain,DC=com"
Bind_DN "CN=adreader,CN=users,DC=my,DC=domain,DC=com"
Bind_Pass "password"
UID_Attr "samaccountname"
Require valid-user
SSLRequireSSL
</Location>

This doesn't work; I always get
Code:
mm_mod_auth_ldap.c (5315) - Could not initialize OpenLDAP SDK connection, LDAP server ad1.my.domain.com - Operations error (1)

in my Apache logs.
If I change my apache config to say
Code:
LDAP_Server ldaps://ad1.my.domain.com:636

then in my apache logs I get
Code:
mm_mod_auth_ldap.c (5428) - Starting TLS failed (-4): Decoding error

It is crazy though, because just using openssl to connect to the ad server I can see the handshake work.
Using:
Code:
openssl s_client -connect ad01.my.domain.com:636 -state \
-CAfile /etc/ssl/certs/ADCAcert.pem \
-cert /etc/apache2/ssl/server.crt \
-key /etc/apache2.ssl.server.key

The handshake will fail if I use port 389.
Attempting to ldapsearch doesn't work:
Code:
ldapsearch -ZZ -H ldaps://ad01.my.domain.com -x -b "dc=my,dc=domain,dc=com" "(sn=doe)" -d 1
ldap_create
ldap_url_parse_ext(ldaps://ad01.my.domain.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ad01.my.domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.2:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /emailAddress=administrator@mydomain.com/C=US/ST=Georgia/L=Atlanta/O=Company/OU=IT/CN=CA01, issuer: /emailAddress=administrator@mydomain.com/C=US/ST=Georgia/L=Atlanta/O=Company/OU=IT/CN=CA01
TLS certificate verification: depth: 0, err: 0, subject: /CN=ad01.my.domain.com, issuer: /emailAddress=administrator@mydomain.com/C=US/ST=Georgia/L=Atlanta/O=Company/OU=IT/CN=CA01
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ad01.my.domain.com port: 636 (default)
refcnt: 2 status: Connected
last used: Tue Apr 25 12:49:31 2006
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 22 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_perror
ldap_start_tls: Decoding error (-4)

Since I can get it to work with openssl, I am thinking that I have something messed up with my openldap config.
Any thoughts?
Thanks!
--BigBeer
-- edit --
I forgot to add that even though I see these errors, I still seem to be able to auth to AD, and from my packet dumps it appears to be encrypted.
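As an added example (not OpenLDAP or mm_mod_auth_ldap code, and not from BigBeer's post), the Python below hand-encodes the LDAPv3 StartTLS ExtendedRequest that ldapsearch -ZZ sends as its first message, which comes to exactly the 31 bytes the "ber_flush: 31 bytes to sd 3" line above reports, and decodes an ExtendedResponse the way a client has to before it can report anything other than a decoding error. The success reply it decodes is constructed here per RFC 4511; the 22-byte reply the Windows 2000 DC actually sent in the trace above is not reproduced.

```python
# Added example: encode the LDAP StartTLS request and decode an ExtendedResponse
# with a minimal BER reader/writer (not OpenLDAP's liblber).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def start_tls_request(msgid=1):
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = tlv(0x80, STARTTLS_OID.encode())       # [0] IMPLICIT OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x77, request_name))

def start_tls_success_response(msgid=1):
    """Constructed RFC 4511 success reply: resultCode 0, empty matchedDN/errorMessage, responseName."""
    body = tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID.encode())
    return tlv(0x30, tlv(0x02, bytes([msgid])) + tlv(0x78, body))

def read_tlv(buf, pos):
    """(tag, payload, next_pos) for the element at buf[pos]; short-form lengths only."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("decoding error: bad header at offset %d" % pos)
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("decoding error: element at offset %d runs past the message" % pos)
    return buf[pos], buf[pos + 2:end], end

def parse_extended_response(buf):
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { ... } } into a dict."""
    tag, msg, _ = read_tlv(buf, 0)
    tag1, mid, pos = read_tlv(msg, 0)
    tag2, resp, _ = read_tlv(msg, pos)
    if (tag, tag1, tag2) != (0x30, 0x02, 0x78):
        raise ValueError("decoding error: not an ExtendedResponse (tags %02x %02x %02x)" % (tag, tag1, tag2))
    tag, code, pos = read_tlv(resp, 0)              # resultCode ENUMERATED
    _, matched, pos = read_tlv(resp, pos)           # matchedDN LDAPDN
    _, errmsg, pos = read_tlv(resp, pos)            # errorMessage LDAPString
    name = None
    while pos < len(resp):                          # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = read_tlv(resp, pos)
        if tag == 0x8A:
            name = val.decode()
    return {"msgid": int.from_bytes(mid, "big"), "result": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "error": errmsg.decode(), "response_name": name}

if __name__ == "__main__":
    print(len(start_tls_request()), start_tls_request().hex())
    print(parse_extended_response(start_tls_success_response()))
```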

frilled (Retired Dev)
Joined: 15 Mar 2004, Posts: 386, Location: Atlantis, inner city ring
Posted: Wed Apr 26, 2006 7:26 am
Hm, I didn't have time to check out what you wrote in detail, just a quick thought though - did you run "c_rehash" after putting the certificate in /etc/ssl/certs dir?
I'll have a more detailed look later, but I hope there's more knowledge around than mine ...
_________________
"Failure is not an option!"
"Sir, we are out of further options."

BigBeer (n00b)
Joined: 18 Oct 2004, Posts: 40
Posted: Wed Apr 26, 2006 2:17 pm
wgi wrote:
    Hm, I didn't have time to check out what you wrote in detail, just a quick thought though - did you run "c_rehash" after putting the certificate in /etc/ssl/certs dir?
    I'll have a more detailed look later, but I hope there's more knowledge around than mine ...
Thanks for the tip, but I have already run c_rehash. I can verify my certs using openssl too.
Well, I kept trolling Google for "Active Directory TLS" and came across a post on the Sun Java development forums about Java code to do user manipulation over LDAP to Active Directory.
In the post, the author clearly states
Quote:
    Note that Windows 2000 Domain Controllers do not support TLS.
And he has 2 different code samples, 1 with SSL for Win2000 and 1 with TLS for Win2003.
Since all my domain controllers are Win2000 I am starting to think that TLS is not an option.
Can anyone else verify this?
--
BigBeer