mod_authnz_ldap with wildcard certificate
on 13.11.2009 06:59:46 by Francois Pernet
hi all,

Unable to use a wildcard certificate (*.domain.com from Comodo) with LDAP authentication in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ....

I verified that certificate contains :
Subject : ....*.domain.com
X509v3 Subject Alternative Name:
    DNS:*.domain.com, DNS:domain.com
Is there any known issue with wildcard certificates ?
How proper should be the syntax in order to use it ?

Thx in advance
RE: mod_authnz_ldap with wildcard certificate
on 13.11.2009 08:40:21 by Emmanuel Bailleul
> From: Francois Pernet [mailto:Francois.Pernet@idsa.ch]
> Sent: Friday 13 November 2009 07:00
> To: users@httpd.apache.org
> Subject: [users@httpd] mod_authnz_ldap with wildcard certificate
>
> Hi all,
>
> Unable to use a wildcard certificate (*.domain.com from Comodo) with LDAP authentication in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ....
>
> I verified that certificate contains :
> Subject : ....*.domain.com
> X509v3 Subject Alternative Name:
>     DNS:*.domain.com, DNS:domain.com
> Is there any known issue with wildcard certificates ?
> How proper should be the syntax in order to use it ?
>
> Thx in advance

Hi,
How can you be sure this is an Apache problem ? Did you try first "by hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of the Apache logs when it fails ?
Regards.
Emmanuel
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: mod_authnz_ldap with wildcard certificate
on 13.11.2009 09:12:22 by Francois Pernet
Hi,
you are right... more details ...
I must also specify that apache in SSL (https) is working fine with these certificates ... I do not say this is an apache problem, but more on the ldap module and certainly on the libraries under ...

A) Apache
Syntax inside Apache :
    LDAPTrustedMode SSL
    LDAPTrustedGlobalCert CA_DER /etc/apache2/ssl.apa/Comodo_Apache.cer
In this case, this is the certificate (since I am authenticating against Novell eDirectory, sometimes it requests the server certificate itself as the CA). But I also used the CA cert from Comodo and it's the same.
Error in apache log is only (and my server is available, of course):
    [Fri Nov 13 07:37:53 2009] [warn] [client 192.168.10.171] [21099] auth_ldap authenticate: user fpe authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

B) Tests with OpenLDAP
ldap.conf is :
    TLS_KEY /etc/openldap/certs/server.key
    TLS_CACERT /etc/openldap/certs/cacert.txt
    TLS_CERT /etc/openldap/certs/server.cer
    TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
    TLS_REQCERT never
Testing with :
    ldapsearch -H ldaps://myserver -D cn=binduser,ou=myou,o=idsa -W -x "(cn=thisobject)"
Doesn't work. Only by putting TLS_REQCERT never in ldap.conf I can use LDAPS (but without any cert validation in this case ... bad ;-( )
hope this helps. thx
>>> Emmanuel Bailleul <Emmanuel.Bailleul@telindus.fr> 13.11.2009 08:40 >>>
> From: Francois Pernet [mailto:Francois.Pernet@idsa.ch]
> Sent: Friday 13 November 2009 07:00
> To: users@httpd.apache.org
> Subject: [users@httpd] mod_authnz_ldap with wildcard certificate
>
> Hi all,
>
> Unable to use a wildcard certificate (*.domain.com from Comodo) with LDAP authentication in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ...
>
> I verified that certificate contains :
> Subject : ....*.domain.com
> X509v3 Subject Alternative Name:
>     DNS:*.domain.com, DNS:domain.com
> Is there any known issue with wildcard certificates ?
> How proper should be the syntax in order to use it ?
>
> Thx in advance
Hi,
How can you be sure this is an Apache problem ? Did you try first "by hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of the Apache logs when it fails ?
Regards.
Emmanuel
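An added pre-flight check for the setup posted above (example code written for this edit, not code from the list, from Apache or from OpenLDAP): it tests whether a certificate with CN=*.domain.com and SAN DNS:*.domain.com, DNS:domain.com actually covers the host named in the ldaps:// URL, and whether the file handed to LDAPTrustedGlobalCert is DER (type CA_DER) or PEM (type CA_BASE64). The host `myserver` comes from the posted ldapsearch command; the fully qualified host names and the file contents are constructed. Setting TLS_REQCERT never, as in the posted ldap.conf, hides exactly the name mismatch this check reports.

```python
# Added example for this thread (not code from the list or from Apache):
# does a certificate with CN=*.domain.com and SAN {*.domain.com, domain.com}
# cover the host named in the ldaps:// URL, and is the CA file handed to
# LDAPTrustedGlobalCert really DER (CA_DER) or PEM (CA_BASE64)?

def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' must be the whole leftmost label and
    stands for exactly one label, so *.domain.com covers ldap.domain.com
    but not domain.com, a.b.domain.com or a bare 'myserver'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(san_dns: list, subject_cn: str, host: str) -> bool:
    """SAN dNSName entries decide; the CN is consulted only when the
    certificate carries no dNSName at all."""
    names = san_dns if san_dns else [subject_cn]
    return any(wildcard_matches(n, host) for n in names)

def ldap_trusted_cert_type(data: bytes) -> str:
    """Choose the LDAPTrustedGlobalCert type for a CA file: PEM starts with
    a '-----BEGIN' line, DER starts with an ASN.1 SEQUENCE tag (0x30)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "CA_BASE64"
    if data[:1] == b"\x30":
        return "CA_DER"
    raise ValueError("neither a PEM nor a DER certificate")

# Names from the thread: the certificate's SAN/CN and the URL ldaps://myserver.
SAN = ["*.domain.com", "domain.com"]
CN = "*.domain.com"

if __name__ == "__main__":
    # myserver.domain.com and a.b.domain.com are constructed for contrast
    for host in ("myserver", "myserver.domain.com", "domain.com", "a.b.domain.com"):
        print(f"{host}: {cert_matches_host(SAN, CN, host)}")
    # Constructed file heads standing in for the posted Comodo_Apache.cer
    print(ldap_trusted_cert_type(b"-----BEGIN CERTIFICATE-----\nMIIC...\n"))
    print(ldap_trusted_cert_type(b"\x30\x82\x05\x1a\x30\x82\x04\x02"))
```

With the names as posted, an unqualified `ldaps://myserver` can never be covered by *.domain.com; the URL has to use a fully qualified name under domain.com, or the bare domain.com that the SAN also lists.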
Re: mod_authnz_ldap with wildcard certificate
on 13.11.2009 14:02:38 by Peter Schober
* Francois Pernet [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.
I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter
Re: mod_authnz_ldap with wildcard certificate
on 13.11.2009 15:03:54 by Francois Pernet
Ok I can also post this question on openldap forum, but :
- my main question is : is there anybody's running wildcard certificates for LDAPs authentication under Apache ?
- configuration for openldap is different than inside the mod_ldap (only few directives in mod_ldap) so what if I can make it work with Openldap ? (which is the case but without certificate validation).
-francois
>>> Peter Schober 13.11.2009 14:02 >>>
* Francois Pernet [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.
I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter
Re: mod_authnz_ldap with wildcard certificate
on 13.11.2009 15:13:15 by Eric Covener
On Fri, Nov 13, 2009 at 9:03 AM, Francois Pernet wrote:
> Ok I can also post this question on openldap forum, but :
> - my main question is : is there anybody's running wildcard certificates for LDAPs authentication under Apache ?
> - configuration for openldap is different than inside the mod_ldap (only few directives in mod_ldap) so what if I can make it work with Openldap ? (which is the case but without certificate validation).
Wouldn't this be LDAPVerifyServerCert?
If you know the openldap you're using can't verify the cert, there's not much sense in putting out a query to other Apache users.
If your openldap is linked with gnutls, try one linked with openssl?
--
Eric Covener
covener@gmail.com