Regarding OpenLDAP Access From Apache

Regarding OpenLDAP Access From Apache

on 18.09.2009 07:55:11 by Asimananda Mohanty

Hi All,
I am a new member in this group. I am facing an issue regarding openLDAP
access from apache http server and here are the details.

1. I have configured an openLDAP server configured with gnutls, as can be seen
below:

========================================

ldd slapd
linux-gate.so.1 => (0xb7f6d000)
libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7f19000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7f0b000)
libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb7db6000)
libodbc.so.1 => /usr/lib/libodbc.so.1 (0xb7d4f000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d36000)
libslp.so.1 => /usr/lib/libslp.so.1 (0xb7d26000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d0d000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cf5000)
libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7c57000)
libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7c45000)
libz.so.1 => /lib/libz.so.1 (0xb7c2f000)
libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb7bc6000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7b94000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7b7d000)
libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7b74000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b70000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb7b67000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7a04000)
/lib/ld-linux.so.2 (0xb7f6e000)
libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb7a00000)

========================================

2. I have my apache http server sitting on a solaris 10 x86 machine. The
httpd.conf details are below (related to LDAP).

========================================


<Location />
    SSLRequireSSL
    AuthType Basic
    AuthLDAPEnabled on
    AuthLDAPUrl ldap://xxx.xxx.xxx.xxx:389/dc=ldapcompany,dc=com?uid,AppAttr?sub?(AppAttr=*)
    AuthLDAPBindDN cn=admin,dc=ldapcompany,dc=com
    AuthLDAPBindPassword 12345678
    AuthName realm1
    Require valid-user
</Location>


========================================

3. I need to access the application GUI through apache and the user
authentication happens through LDAP. AppAttr is a user-defined attribute
that controls the kind of controls the user can see on the GUI, e.g. admin
user can see all the controls and so on.

4. With the above settings in httpd.conf, the GUI access happens without any
issues.

5. The time I change the "ldap" to "ldaps" in AuthLDAPUrl, GUI access
doesn't happen.

6. At first look, it may give an impression that SSL/TLS is not enabled on
my openLDAP server. But this is not the case.

7. Here is the command that gives perfect result and that can happen only if
SSL/TLS is enabled on the same.

========================================

ldapsearch -d8 -H ldaps://ldapcompany.com -b dc=ldapcompany,dc=com uid=asimananda

OR

ldapsearch -d8 -ZZ -H ldap://ldapcompany.com -b dc=ldapcompany,dc=com uid=asimananda

========================================

Both commands ask for a password and after the password is given, it shows
the result without fail.

Either of the commands can be used i.e. with ldaps url OR ldap url with -ZZ
option that forces TLS.

8. My issue is, if SSL/TLS is enabled on the openLDAP, why "ldaps" url
doesn't work from apache?

Please help me resolve the issue.

Regards
Asimananda


Re: Regarding OpenLDAP Access From Apache

on 18.09.2009 13:13:32 by Eric Covener

On Fri, Sep 18, 2009 at 1:55 AM, Asimananda Mohanty
wrote:
> Hi All,
> I am a new member in this group. I am facing an issue regarding openLDAP
> access from apache http server and here are the details.
> 1. I have configured a openLDAP server configured with gnutls as can be seen
> below :
> ========================================
> ldd slapd
>       linux-gate.so.1 =>  (0xb7f6d000)
>       libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7f19000)
>       liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7f0b000)
>       libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb7db6000)
>       libodbc.so.1 => /usr/lib/libodbc.so.1 (0xb7d4f000)
>       libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d36000)
>       libslp.so.1 => /usr/lib/libslp.so.1 (0xb7d26000)
>       libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d0d000)
>       libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cf5000)
>       libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7c57000)
>       libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7c45000)
>       libz.so.1 => /lib/libz.so.1 (0xb7c2f000)
>       libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb7bc6000)
>       libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7b94000)
>       libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7b7d000)
>       libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7b74000)
>       libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b70000)
>       libwrap.so.0 => /lib/libwrap.so.0 (0xb7b67000)
>       libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7a04000)
>       /lib/ld-linux.so.2 (0xb7f6e000)
>       libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb7a00000)
> ========================================
> 2. I have my apache http server sitting on a solaris 10 x86 machine. The
> httpd.conf details are below (related to LDAP).
> ========================================
>               <Location />
>                   SSLRequireSSL
>                   AuthType Basic
>                   AuthLDAPEnabled on
>                   AuthLDAPUrl
> ldap://xxx.xxx.xxx.xxx:389/dc=ldapcompany,dc=com?uid,AppAttr?sub?(AppAttr=*)
>                   AuthLDAPBindDN cn=admin,dc=ldapcompany,dc=com
>                   AuthLDAPBindPassword 12345678
>                   AuthName realm1
>                   Require valid-user
>               </Location>
> ========================================
> 3. I need to access the application GUI through apache and the user
> authentication happens through LDAP. AppAttr is an user defined attribute
> that controls the kind of controls the user can see on the GUI, e.g. admin
> user can see all the controls and so on.
> 4. With the above settings in httpd.conf, the GUI access happens without any
> issues.
> 5. The time I change the "ldap" to "ldaps" in AuthLDAPUrl, GUI access
> doesn't happen.

Apache needs to be configured to trust the certificate presented by
the LDAP server. See the cert-related directives in the manual.


--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Regarding OpenLDAP Access From Apache

on 21.09.2009 06:21:04 by Asimananda Mohanty

Hi Eric,
Thanks for the reply.
In my case, the apache is built with openldap lib. I hope, in this case, it
shouldn't have shown any issues, please correct me if I am wrong.

Regards
Asimananda


Re: Regarding OpenLDAP Access From Apache

on 21.09.2009 09:22:27 by Asimananda Mohanty

Hi Eric,
I have changed the permission level of the certificate presented to apache
but still I have got no success.

Here are the logs from my apache.

During Startup :
----------------------------------------

[Mon Sep 21 13:31:22 2009] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Sep 21 13:31:22 2009] [notice] LDAP: SSL support available

----------------------------------------

During Access :
-----------------------------------------

[Mon Sep 21 13:32:30 2009] [warn] [client 172.xx.xxx.xx] [10738] auth_ldap authenticate: user asimananda authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

----------------------------------------

Here are the snapshots of my httpd.conf :

-----------------------------------------------------------

LoadModule galad_ldap_module modules/galad.so

-- -- -- -- --

LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA /certs/ca-cert.pem

-----------------------------------------------------------

Here is the permission of ca-cert.pem (given 777 to make sure that there is
no permission issue)

#ls -lrt /certs/ca-cert.pem
-rwxrwxrwx 1 root root 1387 Sep 21 13:26 /certs/ca-cert.pem


Can this be an issue of certificate or something else?

Regards
Asimananda
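
Added example, not part of the thread: a small lint over the directives posted above (the `AuthLDAPUrl` block from the first mail, the `LDAPTrustedCA` lines and the file mode from this one) that flags conditions worth ruling out when `ldaps://` fails. The address 192.0.2.10, the finding codes and the function names are made up for illustration; the findings are checks to run, not a confirmed diagnosis of this failure.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the thread's directives after "ldap" is changed to
# "ldaps" (step 5 of the first mail). 192.0.2.10 replaces the redacted address.
SAMPLE_CONF = """\
<Location />
    SSLRequireSSL
    AuthType Basic
    AuthLDAPEnabled on
    AuthLDAPUrl ldaps://192.0.2.10:389/dc=ldapcompany,dc=com?uid,AppAttr?sub?(AppAttr=*)
    AuthLDAPBindDN cn=admin,dc=ldapcompany,dc=com
    AuthLDAPBindPassword 12345678
    AuthName realm1
    Require valid-user
</Location>
LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA /certs/ca-cert.pem
"""
SAMPLE_CA_MODE = "-rwxrwxrwx"  # mode column from the ls output in the thread

CA_TYPES = {"DER_FILE", "BASE64_FILE", "CERT7_DB_PATH"}  # Apache 2.0 mod_ldap
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

# Finding codes are names made up for this example.
EXPLAIN = {
    "NO_AUTHLDAPURL": "no AuthLDAPUrl directive found",
    "BAD_SCHEME": "AuthLDAPUrl scheme is neither ldap nor ldaps",
    "PLAINTEXT_BIND": "ldap:// without StartTLS carries bind and user "
                      "passwords unencrypted",
    "LDAPS_ON_PLAINTEXT_PORT": "ldaps:// starts TLS immediately, but port 389 "
                               "is the plain LDAP port; ldaps defaults to 636",
    "NO_TRUST_ANCHOR": "ldaps:// without LDAPTrustedCA: nothing to verify "
                       "the server certificate against",
    "UNKNOWN_CA_TYPE": "LDAPTrustedCAType is not a documented value",
    "IP_LITERAL_HOST": "host is an IP address; if the client library checks "
                       "the certificate name, the IP must be in the certificate",
    "CA_FILE_WORLD_WRITABLE": "any local user can replace the trusted CA file",
}


def directives(conf):
    """Map lower-cased directive name -> argument string (last one wins)."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and <Section> tags
        fields = line.split(None, 1)
        found[fields[0].lower()] = fields[1].strip('"') if len(fields) > 1 else ""
    return found


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def lint(conf, ca_mode=None):
    """Return sorted finding codes for an auth_ldap configuration fragment."""
    d = directives(conf)
    url = d.get("authldapurl")
    if url is None:
        return ["NO_AUTHLDAPURL"]
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        return ["BAD_SCHEME"]
    findings = set()
    if scheme == "ldap":
        findings.add("PLAINTEXT_BIND")
    else:
        # An explicit :389 survives a bare ldap -> ldaps edit of the URL.
        if (parts.port or DEFAULT_PORT[scheme]) == DEFAULT_PORT["ldap"]:
            findings.add("LDAPS_ON_PLAINTEXT_PORT")
        if "ldaptrustedca" not in d:
            findings.add("NO_TRUST_ANCHOR")
        if is_ip_literal(parts.hostname):
            findings.add("IP_LITERAL_HOST")
    ca_type = d.get("ldaptrustedcatype")
    if ca_type is not None and ca_type.upper() not in CA_TYPES:
        findings.add("UNKNOWN_CA_TYPE")
    # ls -l mode string: index 8 is the write bit for "other".
    if ca_mode and len(ca_mode) >= 10 and ca_mode[8] == "w":
        findings.add("CA_FILE_WORLD_WRITABLE")
    return sorted(findings)


if __name__ == "__main__":
    for code in lint(SAMPLE_CONF, SAMPLE_CA_MODE):
        print(f"{code}: {EXPLAIN[code]}")
```
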


Re: Regarding OpenLDAP Access From Apache

on 21.09.2009 13:38:21 by Asimananda Mohanty

Hi,
In continuation to my below mails :

I snooped the packets and found that in case of "ldap" url, apache is
sending bind request towards my ldap server whereas in case of "ldaps" url,
no such bind request towards ldap server is seen.

Regards
Asimananda

On Mon, Sep 21, 2009 at 12:52 PM, Asimananda Mohanty <
asimananda.mohanty@gmail.com> wrote:

> Hi Eric,
> I have changed the permission level of the certificate presented to apache
> but still I have got no success.
>
> Here are the logs from my apache.
>
> During Startup :
> ----------------------------------------
>
> [Mon Sep 21 13:31:22 2009] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Mon Sep 21 13:31:22 2009] [notice] LDAP: SSL support available
>
> ----------------------------------------
>
> During Access :
> -----------------------------------------
>
> [Mon Sep 21 13:32:30 2009] [warn] [client 172.xx.xxx.xx] [10738] auth_ldap
> authenticate: user asimananda authentication failed; URI / [LDAP:
> ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> ----------------------------------------
>
> Here are the snapshots of my httpd.conf :
>
> -----------------------------------------------------------
>
> LoadModule galad_ldap_module modules/galad.so
>
> -- -- -- -- --
>
> LDAPTrustedCAType BASE64_FILE
> LDAPTrustedCA /certs/ca-cert.pem
>
> -----------------------------------------------------------
>
> Here is the permission of ca-cert.pem (given 777 to make sure that there is
> no permission issue)
>
> #ls -lrt /certs/ca-cert.pem
> -rwxrwxrwx 1 root root 1387 Sep 21 13:26 /certs/ca-cert.pem
>
>
> Can this be an issue of certificate or something else?
>
> Regards
> Asimananda
>
> On Mon, Sep 21, 2009 at 9:51 AM, Asimananda Mohanty <
> asimananda.mohanty@gmail.com> wrote:
>
>> Hi Eric,
>> Thanks for the reply.
>> In my case, the apache is built with openldap lib. I hope, in this case,
>> it shouldn't have shown any issues, please correct me if I am wrong.
>>
>> Regards
>> Asimananda
>>
>>
>> On Fri, Sep 18, 2009 at 4:43 PM, Eric Covener wrote:
>>
>>> On Fri, Sep 18, 2009 at 1:55 AM, Asimananda Mohanty wrote:
>>> > Hi All,
>>> > I am a new member in this group. I am facing an issue regarding openLDAP
>>> > access from apache http server and here are the details.
>>> > 1. I have configured a openLDAP server configured with gnutls as can be seen
>>> > below :
>>> > ========================================
>>> > ldd slapd
>>> > linux-gate.so.1 => (0xb7f6d000)
>>> > libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb7f19000)
>>> > liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7f0b000)
>>> > libdb-4.7.so => /usr/lib/libdb-4.7.so (0xb7db6000)
>>> > libodbc.so.1 => /usr/lib/libodbc.so.1 (0xb7d4f000)
>>> > libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7d36000)
>>> > libslp.so.1 => /usr/lib/libslp.so.1 (0xb7d26000)
>>> > libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d0d000)
>>> > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cf5000)
>>> > libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7c57000)
>>> > libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7c45000)
>>> > libz.so.1 => /lib/libz.so.1 (0xb7c2f000)
>>> > libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb7bc6000)
>>> > libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7b94000)
>>> > libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7b7d000)
>>> > libltdl.so.7 => /usr/lib/libltdl.so.7 (0xb7b74000)
>>> > libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b70000)
>>> > libwrap.so.0 => /lib/libwrap.so.0 (0xb7b67000)
>>> > libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7a04000)
>>> > /lib/ld-linux.so.2 (0xb7f6e000)
>>> > libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb7a00000)
>>> > ========================================
>>> > 2. I have my apache http server sitting on a solaris 10 x86 machine. The
>>> > httpd.conf details are below (related to LDAP).
>>> > ========================================
>>> > <Location />
>>> > SSLRequireSSL
>>> > AuthType Basic
>>> > AuthLDAPEnabled on
>>> > AuthLDAPUrl ldap://xxx.xxx.xxx.xxx:389/dc=ldapcompany,dc=com?uid,AppAttr?sub?(AppAttr=*)
>>> > AuthLDAPBindDN cn=admin,dc=ldapcompany,dc=com
>>> > AuthLDAPBindPassword 12345678
>>> > AuthName realm1
>>> > Require valid-user
>>> > </Location>
>>> > ========================================
>>> > 3. I need to access the application GUI through apache and the user
>>> > authentication happens through LDAP. AppAttr is an user defined attribute
>>> > that controls the kind of controls the user can see on the GUI, e.g. admin
>>> > user can see all the controls and so on.
>>> > 4. With the above settings in httpd.conf, the GUI access happens without any
>>> > issues.
>>> > 5. The time I change the "ldap" to "ldaps" in AuthLDAPUrl, GUI access
>>> > doesn't happen.
>>>
>>> Apache needs to be configured to trust the certificate presented by
>>> the LDAP server. See the cert-related directives in the manual.
>>>
>>>
>>> --
>>> Eric Covener
>>> covener@gmail.com
>>
>


Re: Regarding OpenLDAP Access From Apache

am 21.09.2009 13:50:44 von aw

Asimananda Mohanty wrote:
> Hi,
> In continuation to my below mails :
>
> I snooped the packets and found that in case of "ldap" url, apache is
> sending bind request towards my ldap server whereas in case of "ldaps" url,
> no such bind request towards ldap server is seen.

Are you sure ?
If "ldaps" means "secure LDAP" (as in SSL), then all packets would be
encrypted, and your protocol analyser may just not be able to detect them.


Re: Regarding OpenLDAP Access From Apache

am 21.09.2009 14:02:35 von Peter Schober

* André Warnier [2009-09-21 13:51]:
> If "ldaps" means "secure LDAP" (as in SSL), then all packets would
> be encrypted, and your protocol analyser may just not be able to
> detect them.

Well, at least a TCP connect to (default) port 636 should be in the
trace (not that I'm saying there is) or in the slapd logs.
-peter


Re: Regarding OpenLDAP Access From Apache

am 21.09.2009 14:10:31 von Asimananda Mohanty


I can see client hello, server hello, certificate from server, server hello
done, encrypted handshake messages on my packet sniffer.
Well, I can see some checksum error in the server hello, certificate,
encrypted handshake messages.

For all the above messages, port 636 on my ldap server has been used.

Regards
Asimananda

On Mon, Sep 21, 2009 at 5:32 PM, Peter Schober
wrote:

> * André Warnier [2009-09-21 13:51]:
> > If "ldaps" means "secure LDAP" (as in SSL), then all packets would
> > be encrypted, and your protocol analyser may just not be able to
> > detect them.
>
> Well, at least a TCP connect to (default) port 636 should be in the
> trace (not that I'm saying there is) or in the slapd logs.
> -peter


Re: Regarding OpenLDAP Access From Apache

am 21.09.2009 14:24:12 von Peter Schober

* Asimananda Mohanty [2009-09-21 14:11]:
> I can see client hello, server hello, certificate from server, server hello
> done, encrypted handshake messages on my packet sniffer.
> Well, I can see some checksum error in the server hello, certificate,
> encrypted handshake messages.
>
> For all the above messages, port 636 on my ldap server has been
> used.

So the hypothesis of httpd not sending anything certainly is not
justified. Back to getting ssl to work from httpd to slapd, I guess.
-peter


Re: Regarding OpenLDAP Access From Apache

am 21.09.2009 14:28:57 von Asimananda Mohanty


Should I assume that the certificate presented to apache is not the correct
one?
But the same certificate works fine when I use it on my ldap server where
the ldap client is also installed.

Regards
Asimananda

On Mon, Sep 21, 2009 at 5:54 PM, Peter Schober
wrote:

> * Asimananda Mohanty [2009-09-21 14:11]:
> > I can see client hello, server hello, certificate from server, server hello
> > done, encrypted handshake messages on my packet sniffer.
> > Well, I can see some checksum error in the server hello, certificate,
> > encrypted handshake messages.
> >
> > For all the above messages, port 636 on my ldap server has been
> > used.
>
> So the hypothesis of httpd not sending anything certainly is not
> justified. Back to getting ssl to work from httpd to slapd, I guess.
> -peter


Re: Regarding OpenLDAP Access From Apache

am 21.09.2009 14:42:06 von Peter Schober

* Asimananda Mohanty [2009-09-21 14:37]:
> Should I assume that the certificate presented to apache is not the correct
> one?
> But the same certificate works fine when I use it on my ldap server where
> the ldap client is also installed.

Get the ldap command line client to work on the same machine that
httpd is running on, that would be more relevant.
Probably setting things up in /etc/openldap/ldap.conf (or wherever
openldap client libs are looking, see `man ldap.conf`) will suffice.
-peter


Re: Regarding OpenLDAP Access From Apache

am 22.09.2009 08:53:05 von Asimananda Mohanty


Hi,

I did run some openssl commands and here is what I saw.

# openssl s_client -connect <ldap server ip>:636

verify error:num=20:unable to get local issuer certificate
verify return:1

verify error:num=21:unable to verify the first certificate
verify return:1

No client certificate CA names sent
---
SSL handshake has read 1162 bytes and written 450 bytes
---
Verify return code: 21 (unable to verify the first certificate)


The same thing I got when I ran the command on local ldap server too.

Are the certificates not OK? If this is so, how am I able to run ldapsearch
with "ldaps" url on my local client?

*THE CERTIFICATES ARE SELF SIGNED ONES. ARE THEY CREATING ISSUES FOR APACHE?*

*When I had a look at the ethereal traces, I found some checksum error in
Server Hello, certificate, server hello done, change cipher spec, Encrypted
handshake message and Encrypted Alert message during TLS handshake. Is that
a concern too?*

Please comment.

Regards
Asimananda


On Mon, Sep 21, 2009 at 6:12 PM, Peter Schober
wrote:

> * Asimananda Mohanty [2009-09-21 14:37]:
> > Should I assume that the certificate presented to apache is not the correct
> > one?
> > But the same certificate works fine when I use it on my ldap server where
> > the ldap client is also installed.
>
> Get the ldap command line client to work on the same machine that
> httpd is running on, that would be more relevant.
> Probably settings things up in /etc/openldap/ldap.conf (or wherever
> openldap client libs are looking, see `man ldap.conf`) will suffice.
> -peter


Re: Regarding OpenLDAP Access From Apache

am 22.09.2009 10:04:08 von Asimananda Mohanty


Hi All,
Finally, I am able to solve the issue.

I just replaced the IP address used in AuthLDAPUrl with the hostname that
has been used during creating the certificate (CN) and that worked for me.

Thank you very much for all the support.

Regards
Asimananda

On Tue, Sep 22, 2009 at 12:23 PM, Asimananda Mohanty <
asimananda.mohanty@gmail.com> wrote:

> Hi,
>
> I did run some openssl commands and here is what I saw.
>
> # openssl s_client -connect <ldap server ip>:636
>
> verify error:num=20:unable to get local issuer certificate
> verify return:1
>
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> No client certificate CA names sent
> ---
> SSL handshake has read 1162 bytes and written 450 bytes
> ---
> Verify return code: 21 (unable to verify the first certificate)
>
>
> The same thing I got when I ran the command on local ldap server too.
>
> Are the certificates not OK? If this is so, how am I able to run ldapsearch
> with "ldaps" url on my local client?
>
> *THE CERTIFICATES ARE SELF SIGNED ONES. ARE THEY CREATING ISSUES FOR
> APACHE?*
>
> *When I had a look at the ethereal traces, I found some checksum error in
> Server Hello, certificate, server hello done, change cipher spec, Encrypted
> handshake message and Encrypted Alert message during TLS handshake. Is that
> a concern too?*
>
> Please comment.
>
> Regards
> Asimananda
>
>
> On Mon, Sep 21, 2009 at 6:12 PM, Peter Schober wrote:
>
>> * Asimananda Mohanty [2009-09-21 14:37]:
>> > Should I assume that the certificate presented to apache is not the correct
>> > one?
>> > But the same certificate works fine when I use it on my ldap server where
>> > the ldap client is also installed.
>>
>> Get the ldap command line client to work on the same machine that
>> httpd is running on, that would be more relevant.
>> Probably settings things up in /etc/openldap/ldap.conf (or wherever
>> openldap client libs are looking, see `man ldap.conf`) will suffice.
>> -peter
>
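
The fix reported in the last message (hostname from the certificate CN instead of the IP address in AuthLDAPUrl) follows from the server-name check a TLS client applies to an ldaps:// URL. The sketch below is an added example, not code from httpd or OpenLDAP: it models the RFC 2818 rule on constructed certificate data, with ldap.example.com and 192.0.2.10 as placeholder values; real TLS libraries differ in details.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(): self-signed, CN only, no subjectAltName.
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example"),),
                (("commonName", "ldap.example.com"),)),
}

# Constructed variant that also lists the server address as an iPAddress SAN.
CERT_WITH_IP_SAN = dict(
    CERT_CN_ONLY,
    subjectAltName=(("DNS", "ldap.example.com"), ("IP Address", "192.0.2.10")),
)


def url_host(auth_ldap_url):
    """Return the host the client connects to and must find in the certificate."""
    parts = urlsplit(auth_ldap_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % (auth_ldap_url,))
    return parts.hostname


def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may stand for the left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h


def _common_names(cert):
    """Collect every commonName value from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_server_name(host, cert):
    """Return (ok, reason) for a connection to `host` that received `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP address in the URL is satisfied only by an iPAddress SAN,
        # never by a hostname stored in the CN.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, "matched iPAddress SAN %s" % value
        return False, "no iPAddress SAN for %s" % host

    dns_names = [value for kind, value in sans if kind == "DNS"]
    source = "dNSName SAN"
    if not dns_names:
        # No dNSName entries at all: fall back to the subject CN.
        dns_names, source = _common_names(cert), "subject CN"
    for name in dns_names:
        if _dns_match(name, host):
            return True, "matched %s %s" % (source, name)
    return False, "%r not among %s values %r" % (host, source, dns_names)


def check_url(auth_ldap_url, cert):
    """Apply the name check to the host taken from an AuthLDAPUrl value."""
    return check_server_name(url_host(auth_ldap_url), cert)


if __name__ == "__main__":
    suffix = "/dc=ldapcompany,dc=com?uid,AppAttr?sub?(AppAttr=*)"
    for url in ("ldaps://192.0.2.10:636" + suffix,
                "ldaps://ldap.example.com:636" + suffix):
        for label, cert in (("CN only", CERT_CN_ONLY),
                            ("with IP SAN", CERT_WITH_IP_SAN)):
            print(url_host(url), "|", label, "|", check_url(url, cert))
```

With the CN-only certificate, the IP form of the URL fails the check and the hostname form passes; issuing the certificate with an iPAddress SAN is the other way to make the IP form verify.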
