#1: mod_ldap, mod_auth_ldap, SSL and Active Directory

Posted on 2005-02-16 15:49:16 by Mike Fischer

Hello there,

I'm trying to set up mod_auth_ldap to authenticate users via Active
Directory.

I got as far as that it'll work, if I don't use SSL for the ldap
connection to the AD-server.

In Detail:
I included LDAPTrustedCA and LDAPTrustedCAType in the httpd.conf
I set up an .htaccess-File Like this:
-----------------------------------------------------------------------
AuthType Basic
AuthName LDAPAuth
AuthLDAPEnabled on
require valid-user
AuthLDAPURL ldaps://aaa.bbb.ccc.ddd/dc=ipsi,dc=fraunhofer,dc=de?sAMAccountName?sub
AuthLDAPAuthoritative on
AuthLDAPBindDN cn=account,cn=whatever,dc=ipsi,dc=fraunhofer,dc=de
AuthLDAPBindPassword password
-----------------------------------------------------------------------

If I try to access the directory, I get permission denied.
Here's the log entry:
[Wed Feb 02 15:02:43 2005] [warn] [client eee.fff.ggg.hhh] [13851]
auth_ldap authenticate: user thisuser authentication failed; URI /privat
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

It works ok if I use ldap: instead of ldaps: in the above mentioned
.htaccess file.

From reading the source I gather that the initial connection attempt
is probably failing.

I tried sniffing on the AD box, but with the SSL packets being
encrypted, that was no help.

Does anyone have an idea how I could get more insight into this
situation?

Kind regards,
Mike Fischer
--
Fraunhofer Gesellschaft e.V.
IPSI.ITI

Dolivostr. 15
64293 Darmstadt
Telefon: 06151 / 869 - 845


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


#2: RE: mod_ldap, mod_auth_ldap, SSL and Active Directory

Posted on 2005-02-16 16:28:34 by ccovington

> I got as far as that it'll work, if I don't use SSL for the
> ldap connection to the AD-server.

Is there a way you can specify which SSL version to use? As far as I
know Active Directory only supports SSLv3, not TLS.

---
Chris Covington
IT
Plus One Holdings, Inc.
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com



#3: Re: mod_ldap, mod_auth_ldap, SSL and Active Directory

Posted on 2005-02-17 11:49:57 by Mike Fischer

Covington, Chris wrote:
>>I got as far as that it'll work, if I don't use SSL for the
>>ldap connection to the AD-server.
>
>
> Is there a way you can specify which SSL version to use? As far as I
> know Active Directory only supports SSLv3, not TLS.
>
Nope, nothing to specify the SSL Version, at least not in the modules
mentioned.

Hmmm but that gets me thinking: Have I tried other ways to contact the
AD servers over an SSL link?
Lemme check that.

Another thing:
I read in knowledgebase article 314980 that there is such a thing as
debugging messages in a Windows Server that can be turned on and off.
Would anyone know which of the values I need to set to get debugging for
my problem? I tried 'LDAP connections' but that got me nothing of value.

Kind regards,
Mike Fischer
--
Fraunhofer Gesellschaft e.V.
IPSI.ITI

Dolivostr. 15
64293 Darmstadt
Telefon: 06151 / 869 - 845



#4: Re: mod_ldap, mod_auth_ldap, SSL and Active Directory

Posted on 2005-05-02 16:21:59 by Mike Fischer

I solved the problem with mod_auth_ldap not working.

I had set up everything in a SuSE Vserver, and all I got was:
[Wed Feb 02 15:02:43 2005] [warn] [client eee.fff.ggg.hhh] [13851]
auth_ldap authenticate: user thisuser authentication failed; URI
/private [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I had it set up on a 2.0.46 Apache that came with the old SuSE version
I used and also tried a spanking new 2.0.52, built from scratch.

One of our students got it running.
Here is what he tweaked to get it working:

- you need to set LDAPTrustedCA and LDAPTrustedCAType
- former needs to point to a BASE64 encoded certificate of the server
to be contacted
- latter needs to be 'BASE64_FILE'
- you can see that this is correctly set up by the startup message
in error_log stating
[Wed Apr 27 11:46:18 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Wed Apr 27 11:46:18 2005] [notice] LDAP: SSL support available

if this still doesn't let you authenticate, try editing
- /etc/openldap/ldap.conf
- TLS_REQCERT never

This is what made my day after months of argling about not being able
to get clear debugging: Neither strace nor turning up Apache's loglevel
yielded any reasonable output.

I hope this can help someone out there not get as frustrated about this
as me.

Kind regards,
Mike Fischer
--
Fraunhofer Gesellschaft e.V.
IPSI.ITI

Dolivostr. 15
64293 Darmstadt
Telefon: 06151 / 869 - 845

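The "Can't contact LDAP server" symptom in #1 gives no hint whether TCP, the TLS handshake or certificate verification failed, and the TLS_REQCERT never workaround in #4 works by switching verification off. The following diagnostic is an added example, not code from the thread or from the Apache or OpenLDAP projects: it parses the AuthLDAPURL from the .htaccess above (placeholder host kept as in the post), builds a TLS context mirroring TLS_REQCERT / LDAPTrustedCA, and reports which layer the LDAPS connection fails at. The mapping of TLS_REQCERT values onto verification modes is an assumption about OpenLDAP's ldap.conf semantics.

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample: the AuthLDAPURL from the .htaccess in message #1 (placeholder host).
SAMPLE_URL = "ldaps://aaa.bbb.ccc.ddd/dc=ipsi,dc=fraunhofer,dc=de?sAMAccountName?sub"


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into host, port, base DN, attribute, scope and filter.
    Defaults (port 636/389, attribute uid, scope sub) follow the mod_auth_ldap docs."""
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    # The part after the base DN is attribute?scope?filter; missing fields get defaults.
    fields = u.query.split("?") if u.query else []
    fields += [""] * (3 - len(fields))
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": u.path.lstrip("/"),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def tls_context(reqcert="demand", trusted_ca=None):
    """Build a context the way ldap.conf would: trusted_ca plays the role of
    LDAPTrustedCA (a PEM/BASE64 file); reqcert='never' (assumed OpenLDAP meaning)
    skips server-certificate checks entirely, so the server is no longer authenticated."""
    ctx = ssl.create_default_context(cafile=trusted_ca)
    if reqcert == "never":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_ldaps(host, port, ctx, timeout=5.0):
    """Do only the TCP connect and TLS handshake and say which layer failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as e:   # CA or hostname mismatch: fix LDAPTrustedCA
        return ("cert_rejected", e.verify_message)
    except ssl.SSLError as e:                   # protocol-level failure, e.g. version mismatch
        return ("handshake_failed", str(e))
    except OSError as e:                        # no TCP connection at all (refused, timeout)
        return ("unreachable", str(e))


if __name__ == "__main__":
    cfg = parse_auth_ldap_url(SAMPLE_URL)
    print(cfg)
    print(probe_ldaps(cfg["host"], cfg["port"], tls_context("demand")))
```

Run it against the real directory server with the CA file from LDAPTrustedCA; a "cert_rejected" result means the certificate chain, not connectivity, is what the TLS_REQCERT never workaround is papering over.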
