mod_ldap, mod_auth_ldap, SSL and Active Directory
on 16.02.2005 15:49:16 by Mike Fischer
Hello there,
I'm trying to set up mod_auth_ldap to authenticate users via Active
Directory.
I got as far as that it'll work, if I don't use SSL for the ldap
connection to the AD-server.
In Detail:
I included LDAPTrustedCA and LDAPTrustedCAType in the httpd.conf
I set up an .htaccess-File Like this:
-----------------------------------------------------------------------
AuthType Basic
AuthName LDAPAuth
AuthLDAPEnabled on
require valid-user
AuthLDAPURL ldaps://aaa.bbb.ccc.ddd/dc=ipsi,dc=fraunhofer,dc=de?sAMAccountName?sub
AuthLDAPAuthoritative on
AuthLDAPBindDN cn=account,cn=whatever,dc=ipsi,dc=fraunhofer,dc=de
AuthLDAPBindPassword password
-----------------------------------------------------------------------
If I try to access the directory, I get permission denied.
Here's the log entry:
[Wed Feb 02 15:02:43 2005] [warn] [client eee.fff.ggg.hhh] [13851]
auth_ldap authenticate: user thisuser authentication failed; URI /privat
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
It works ok if I use ldap: instead of ldaps: in the above mentioned
.htaccess file.
From reading the source I gather that the initial connection attempt
is probably failing.
I tried sniffing on the AD box, but with the SSL packets being
encrypted, that was no help.
Does anyone have an idea how I could get more insight into this
situation?
Kind regards,
Mike Fischer
--
Fraunhofer Gesellschaft e.V.
IPSI.ITI
Dolivostr. 15
64293 Darmstadt
Phone: 06151 / 869 - 845
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: mod_ldap, mod_auth_ldap, SSL and Active Directory
on 16.02.2005 16:28:34 by ccovington
> I got as far as that it'll work, if I don't use SSL for the
> ldap connection to the AD-server.
Is there a way you can specify which SSL version to use? As far as I
know Active Directory only supports SSLv3, not TLS.
---
Chris Covington
IT
Plus One Holdings, Inc.
75 Maiden Lane Suite 801
NY, NY 10038
646-312-6269
http://www.plusoneactive.com
Re: mod_ldap, mod_auth_ldap, SSL and Active Directory
on 17.02.2005 11:49:57 by Mike Fischer
Covington, Chris wrote:
>>I got as far as that it'll work, if I don't use SSL for the
>>ldap connection to the AD-server.
>
>
> Is there a way you can specify which SSL version to use? As far as I
> know Active Directory only supports SSLv3, not TLS.
>
Nope, nothing to specify the SSL Version, at least not in the modules
mentioned.
Hmmm but that gets me thinking: Have I tried other ways to contact the
AD servers over an SSL link?
Lemme check that.
Another thing:
I read in knowledgebase article 314980 that there is such a thing as
debugging messages in a Windows Server that can be turned on and off.
Would anyone know which of the values I need to set to get debugging for
my problem? I tried 'LDAP connections' but that got me nothing of value.
Kind regards,
Mike Fischer
--
Fraunhofer Gesellschaft e.V.
IPSI.ITI
Dolivostr. 15
64293 Darmstadt
Phone: 06151 / 869 - 845
Re: mod_ldap, mod_auth_ldap, SSL and Active Directory
on 02.05.2005 16:21:59 by Mike Fischer
I solved the problem with mod_auth_ldap not working.
I had set up everything in a SuSE Vserver, and all I got was:
[Wed Feb 02 15:02:43 2005] [warn] [client eee.fff.ggg.hhh] [13851]
auth_ldap authenticate: user thisuser authentication failed; URI
/private [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
I had it set up on a 2.0.46 Apache that came with the old SuSE version
I used and also tried a spanking new 2.0.52, built from scratch.
One of our students got it running.
Here is what he tweaked to get it working:
- you need to set LDAPTrustedCA and LDAPTrustedCAType
- former needs to point to a BASE64 encoded certificate of the server
to be contacted
- latter needs to be 'BASE64_FILE'
- you can see that this is correctly set up by the startup message
in error_log stating
[Wed Apr 27 11:46:18 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Wed Apr 27 11:46:18 2005] [notice] LDAP: SSL support available
if this still doesn't let you authenticate, try editing
- /etc/openldap/ldap.conf
- TLS_REQCERT never
This is what made my day after months of argling about not being able
to get clear debugging: Neither strace nor turning up Apache's loglevel
yielded any reasonable output.
I hope this can help someone out there not get as frustrated about this
as me.
Kind regards,
Mike Fischer
--
Fraunhofer Gesellschaft e.V.
IPSI.ITI
Dolivostr. 15
64293 Darmstadt
Phone: 06151 / 869 - 845
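The settings this thread ends with can be audited mechanically. The following Python script is an added example, not code from the thread or from the Apache project: it scans error_log lines for the `ldap_simple_bind_s() failed` signature and the `LDAP: SSL support available` notice, checks an httpd.conf/.htaccess fragment for the `LDAPTrustedCA` / `LDAPTrustedCAType BASE64_FILE` pair an `ldaps://` URL needs, and checks `/etc/openldap/ldap.conf`, where the workaround `TLS_REQCERT never` is flagged: it makes libldap accept any server certificate, so a host between Apache and the domain controller could impersonate the AD server and collect the bind DN password. All log lines and config fragments below are constructed from the values quoted in the thread; the hostname `ad.example.invalid` and the CA file paths are placeholders.

```python
"""Audit of the mod_ldap / mod_auth_ldap over LDAPS setup discussed in the thread.
Added example, not part of the original posts. Hostnames and file paths are
placeholders; the directive names are the ones the thread uses."""
import re

# Constructed error_log lines, modelled on the ones quoted in the thread.
SAMPLE_ERROR_LOG = """\
[Wed Feb 02 15:02:43 2005] [warn] [client eee.fff.ggg.hhh] [13851] auth_ldap authenticate: user thisuser authentication failed; URI /private [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
[Wed Apr 27 11:46:18 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Wed Apr 27 11:46:18 2005] [notice] LDAP: SSL support available
"""

# Constructed config fragments: the thread's .htaccess with and without the
# httpd.conf CA directives merged in, and the two ldap.conf variants.
WEAK_HTTPD = """\
AuthType Basic
AuthName LDAPAuth
AuthLDAPEnabled on
require valid-user
AuthLDAPURL ldaps://ad.example.invalid/dc=ipsi,dc=fraunhofer,dc=de?sAMAccountName?sub
AuthLDAPAuthoritative on
AuthLDAPBindDN cn=account,cn=whatever,dc=ipsi,dc=fraunhofer,dc=de
AuthLDAPBindPassword BIND_PASSWORD_PLACEHOLDER
"""
HARDENED_HTTPD = (
    "LDAPTrustedCA /etc/apache2/ad-ca.pem\n"   # placeholder path to the AD CA cert (PEM)
    "LDAPTrustedCAType BASE64_FILE\n" + WEAK_HTTPD
)
WEAK_LDAP_CONF = "TLS_REQCERT never\n"          # the thread's workaround
HARDENED_LDAP_CONF = "TLS_CACERT /etc/openldap/ad-ca.pem\nTLS_REQCERT demand\n"

BIND_FAIL = re.compile(r"ldap_simple_bind_s\(\) failed\]\[(?P<reason>[^\]]+)\]")
SSL_NOTICE = re.compile(r"\[notice\] LDAP: SSL support available")


def scan_error_log(text):
    """Return (ssl_support_seen, [bind failure reasons]) from error_log text."""
    ssl_seen, reasons = False, []
    for line in text.splitlines():
        if SSL_NOTICE.search(line):
            ssl_seen = True
        m = BIND_FAIL.search(line)
        if m:
            reasons.append(m.group("reason"))
    return ssl_seen, reasons


def parse_directives(text):
    """Parse 'Key value' lines (httpd.conf / ldap.conf style) into a dict.
    Keys are upper-cased for case-insensitive lookup; comments and blank
    lines are skipped; a later occurrence overrides an earlier one."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def audit_httpd(text):
    """Findings for an Apache fragment that binds to AD via an ldaps:// URL."""
    d = parse_directives(text)
    findings = []
    url = d.get("AUTHLDAPURL", "")
    if url.lower().startswith("ldaps://"):
        if "LDAPTRUSTEDCA" not in d:
            findings.append("ldaps:// URL but no LDAPTrustedCA: the server certificate cannot be verified")
        if d.get("LDAPTRUSTEDCATYPE", "").upper() != "BASE64_FILE":
            findings.append("LDAPTrustedCAType should be BASE64_FILE for a PEM-encoded CA certificate")
    else:
        findings.append("AuthLDAPURL is not ldaps://: the bind DN password travels in clear text")
    return findings


def audit_ldap_conf(text):
    """Findings for /etc/openldap/ldap.conf; OpenLDAP's default TLS_REQCERT is demand."""
    d = parse_directives(text)
    findings = []
    reqcert = d.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified, any host can impersonate the AD server")
    if "TLS_CACERT" not in d and "TLS_CACERTDIR" not in d:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: libldap has no trust anchor for the AD certificate")
    return findings


if __name__ == "__main__":
    print("error_log:", scan_error_log(SAMPLE_ERROR_LOG))
    for name, text, fn in (("weak httpd", WEAK_HTTPD, audit_httpd),
                           ("hardened httpd", HARDENED_HTTPD, audit_httpd),
                           ("weak ldap.conf", WEAK_LDAP_CONF, audit_ldap_conf),
                           ("hardened ldap.conf", HARDENED_LDAP_CONF, audit_ldap_conf)):
        print(f"{name}: {fn(text) or 'OK'}")
```

For the handshake-level visibility the first post asks for, the usual check is to point `openssl s_client -connect <dc>:636 -CAfile <ca.pem>` at the domain controller and read the verify result, and to run `ldapsearch -H ldaps://<dc>/ -d 1` from the same box Apache runs on; if those verify cleanly against the CA file, `TLS_REQCERT demand` can stay and the `never` workaround is not needed.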