Re: Apache 2.2 mod_ldap refusing to work over SSL/TLS

2009-11-25 Thread Brian A. Seklecki (CFI NOC)



> As far as I can tell, it doesn't even get to the certificate
> verification phase even though the STARTTLS command is successful.


Is there any level of debugging that can be increased on the Apache side?
Possibly a build/compile-time option for the module?


Debugging apache code can always be tricky because of the threaded/child 
process nature.


We use mod_authz_ldap and it works okay, but OpenLDAP can be a real 
beyotch when it comes to SSL/TLS.


I.e., we feel your pain.  The only way out, is through.

~BAS


> Anyone have a clue on what could be causing this?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Apache 2.2 mod_ldap refusing to work over SSL/TLS

2009-11-25 Thread Maxim Khitrov
On Wed, Nov 25, 2009 at 10:46 AM, Brian A. Seklecki (CFI NOC)
sekle...@noc.cfi.pgh.pa.us wrote:

> As far as I can tell, it doesn't even get to the certificate
> verification phase even though the STARTTLS command is successful.
>
> Is there any level of debugging that can be increased on the Apache side?
> Possibly a build/compile-time option for the module?
>
> Debugging apache code can always be tricky because of the threaded/child
> process nature.
>
> We use mod_authz_ldap and it works okay, but OpenLDAP can be a real
> beyotch when it comes to SSL/TLS.
>
> I.e., we feel your pain.  The only way out, is through.
>
> ~BAS

I figured it out eventually (see [1]). It's been working without any
problems for a few days now.

- Max

[1] http://lists.freebsd.org/pipermail/freebsd-questions/2009-November/208195.html


Apache 2.2 mod_ldap refusing to work over SSL/TLS

2009-11-19 Thread Maxim Khitrov
Hello all,

Wasted many hours on this and am no closer to a solution. I'm trying
to get apache 2.2 on FreeBSD 7.2 to authenticate against our Active
Directory (Windows 2003).

The current status is that authentication works without problems when
SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
to the server and run queries using the ldapsearch tool. Server
certificate verification works without any problems.

The relevant portions of ldap.conf and httpd.conf are identical, so if
I can use SSL and TLS with ldapsearch, there is no reason why it
shouldn't be working from apache. Just to be on the safe side, I've
turned off server certificate verification with 'LDAPVerifyServerCert
Off' directive.

So... Unencrypted authentication works, SSL authentication results in
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], and
TLS authentication gives [LDAP: ldap_start_tls_s() failed][Connect
error]. I had nothing else to go on, so I decided to capture the
packets that are being sent between apache and active directory
servers. I then compared this packet capture with what ldapsearch does
(both using TLS).

In summary, ldapsearch and apache send an identical
LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
with an identical Result: Status: Success, MatchedDN: NULL,
ErrorMessage: NULL packet. But while ldapsearch then goes on to the
certificate and key exchange phase, apache responds with
OperationHeader: Unbind Request, 2(0x2) and terminates the
connection.

As far as I can tell, it doesn't even get to the certificate
verification phase even though the STARTTLS command is successful.
Anyone have a clue on what could be causing this?

- Max
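The comparison the poster made between the two captures can be automated. What follows is an added example, not code from the thread, from ldapsearch or from mod_ldap: a minimal BER decoder for the three LDAP PDUs involved (ExtendedRequest, ExtendedResponse, UnbindRequest, tags per RFC 4511) and a classifier that reports what the client did once the server answered Success. The STARTTLS OID is the one the poster calls LDAP_SERVER_START_TLS_OID. The sample frames are constructed with the small encoder in the file and stand in for the two captures; they are not the poster's packets.

```python
"""Decode the LDAP PDUs of a STARTTLS negotiation and classify what the client
did after the server said Success. Added example; the sample frames at the
bottom are constructed, not captured."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAP_SERVER_START_TLS_OID, RFC 4511

# LDAP protocolOp tags (APPLICATION class, RFC 4511 section 4.1.1)
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78   # [APPLICATION 24], constructed
TAG_UNBIND_REQUEST = 0x42      # [APPLICATION 2], primitive NULL


# --- tiny BER encoder, used only to build the sample frames ---------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ldap_message(msgid: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msgid])) + protocol_op)   # msgid < 128 here

def starttls_request(msgid: int) -> bytes:
    # ExtendedRequest { requestName [0] LDAPOID }
    return ldap_message(msgid, tlv(TAG_EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID.encode())))

def extended_response(msgid: int, result_code: int, matched_dn: str = "", diag: str = "") -> bytes:
    # ExtendedResponse { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, matched_dn.encode()) + tlv(0x04, diag.encode())
    return ldap_message(msgid, tlv(TAG_EXTENDED_RESPONSE, body))

def unbind_request(msgid: int) -> bytes:
    return ldap_message(msgid, tlv(TAG_UNBIND_REQUEST, b""))


# --- decoder --------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_ldap_message(pdu: bytes) -> dict:
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    (_, id_val), (op_tag, op_val) = children(body)[:2]
    msg = {"msgid": int.from_bytes(id_val, "big"), "op": "other"}
    if op_tag == TAG_EXTENDED_REQUEST:
        fields = dict(children(op_val))
        msg.update(op="ExtendedRequest", oid=fields.get(0x80, b"").decode())
    elif op_tag == TAG_EXTENDED_RESPONSE:
        kids = children(op_val)
        msg.update(op="ExtendedResponse", result_code=int.from_bytes(kids[0][1], "big"),
                   matched_dn=kids[1][1].decode(), diagnostic=kids[2][1].decode())
    elif op_tag == TAG_UNBIND_REQUEST:
        msg["op"] = "UnbindRequest"
    return msg

def classify_starttls_exchange(frames) -> str:
    """frames: (direction, payload) in wire order, 'C' = client, 'S' = server.
    After the server's Success the next client bytes are either a TLS record
    (handshake started) or another LDAP PDU (the client gave up)."""
    state = "no-starttls"
    for who, data in frames:
        if who == "C" and data[:1] == b"\x16" and data[1:2] == b"\x03":   # TLS handshake record
            return "tls-handshake" if state == "starttls-ok" else "tls-before-starttls"
        try:
            msg = decode_ldap_message(data)
        except (IndexError, ValueError):
            return "undecodable"
        if who == "C" and msg["op"] == "ExtendedRequest" and msg["oid"] == STARTTLS_OID:
            state = "starttls-sent"
        elif who == "S" and state == "starttls-sent" and msg["op"] == "ExtendedResponse":
            if msg["result_code"] != 0:
                return "server-refused-starttls(%d)" % msg["result_code"]
            state = "starttls-ok"
        elif who == "C" and msg["op"] == "UnbindRequest":
            return "unbind-after-starttls-ok" if state == "starttls-ok" else "unbind"
    return state

HINTS = {
    "tls-handshake": "client went on to the TLS handshake; failures from here on are handshake/certificate related",
    "unbind-after-starttls-ok": "server accepted STARTTLS but the client unbound without a ClientHello: "
                                "the client's own TLS setup failed before any certificate was exchanged, "
                                "so look at the client side (its CA/cert files and who can read them)",
}

# Constructed frames mirroring the two behaviours described in the thread.
LDAPSEARCH_TRACE = [("C", starttls_request(1)), ("S", extended_response(1, 0)),
                    ("C", bytes.fromhex("160301"))]        # leading bytes of a ClientHello record
HTTPD_TRACE = [("C", starttls_request(1)), ("S", extended_response(1, 0)),
               ("C", unbind_request(2))]

if __name__ == "__main__":
    for name, trace in (("ldapsearch", LDAPSEARCH_TRACE), ("httpd", HTTPD_TRACE)):
        verdict = classify_starttls_exchange(trace)
        print("%s: %s -> %s" % (name, verdict, HINTS.get(verdict, "")))
```

To use it on a real capture, feed it the TCP payloads from the port 389 stream in order, one entry per LDAP PDU or TLS record; the classifier only needs the first two bytes of whatever follows the Success response to tell the two outcomes apart. A verdict of unbind-after-starttls-ok means the server certificate was never inspected, which is why toggling LDAPVerifyServerCert could not change anything in the poster's case.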


Re: Apache 2.2 mod_ldap refusing to work over SSL/TLS (solved)

2009-11-19 Thread Maxim Khitrov
On Thu, Nov 19, 2009 at 11:33 AM, Maxim Khitrov mkhit...@gmail.com wrote:
> Hello all,
>
> Wasted many hours on this and am no closer to a solution. I'm trying
> to get apache 2.2 on FreeBSD 7.2 to authenticate against our Active
> Directory (Windows 2003).
>
> The current status is that authentication works without problems when
> SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
> to the server and run queries using the ldapsearch tool. Server
> certificate verification works without any problems.
>
> The relevant portions of ldap.conf and httpd.conf are identical, so if
> I can use SSL and TLS with ldapsearch, there is no reason why it
> shouldn't be working from apache. Just to be on the safe side, I've
> turned off server certificate verification with 'LDAPVerifyServerCert
> Off' directive.
>
> So... Unencrypted authentication works, SSL authentication results in
> [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], and
> TLS authentication gives [LDAP: ldap_start_tls_s() failed][Connect
> error]. I had nothing else to go on, so I decided to capture the
> packets that are being sent between apache and active directory
> servers. I then compared this packet capture with what ldapsearch does
> (both using TLS).
>
> In summary, ldapsearch and apache send an identical
> LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
> with an identical Result: Status: Success, MatchedDN: NULL,
> ErrorMessage: NULL packet. But while ldapsearch then goes on to the
> certificate and key exchange phase, apache responds with
> OperationHeader: Unbind Request, 2(0x2) and terminates the
> connection.
>
> As far as I can tell, it doesn't even get to the certificate
> verification phase even though the STARTTLS command is successful.
> Anyone have a clue on what could be causing this?
>
> - Max


I love the simplest of problems that take 12 hours to solve... It was
my mistake and a really dumb one, but apache and openldap sure don't
make it easy to figure this out.

The next step after packet captures was to start digging through
source. I finally ended up in tls_o.c, which is part of OpenLDAP. The
whole problem had to do with the fact that the CA certificate I
specified was in a directory readable only by root. That would
certainly explain why ldapsearch worked without problems.

Unfortunately, the certificate is loaded just prior to establishing an
SSL or TLS connection. While one would expect an error for this
condition to be raised when apache is first started (basic validation
of LDAPTrustedGlobalCert directive), it actually manifests itself as a
cryptic Connect error message during authentication.

- Max
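The root cause above (CA file under a root-only directory, opened lazily by the worker at TLS setup time rather than by the parent at startup) is easy to catch before it becomes a "Connect error". The following is an added example, not from the thread and not Apache or OpenLDAP code: it pulls the cert paths out of httpd.conf's LDAPTrustedGlobalCert / LDAPTrustedClientCert lines, takes the worker identity from the User directive, and evaluates the Unix permission check the way the kernel would for that user (search permission on every directory component, read permission on the file). The demo config, the /usr/local/etc/openldap paths, the www user and the DEMO_FS permission table are constructed assumptions for the example; on a real host pass the default stat_fn, which is os.stat.

```python
"""Verify that mod_ldap's trusted-cert files are readable by the httpd worker
user, not just by root. Added example; paths, user and DEMO_FS are constructed."""
import grp
import os
import pwd
import re

DIRECTIVE_RE = re.compile(r"^\s*(LDAPTrustedGlobalCert|LDAPTrustedClientCert)\s+(\S+)\s+(\S+)", re.M)
USER_RE = re.compile(r"^\s*User\s+(\S+)\s*$", re.M)

def cert_paths_from_config(text: str) -> list:
    """(directive, cert type token, path) for each trusted-cert directive."""
    return [(m.group(1), m.group(2), m.group(3)) for m in DIRECTIVE_RE.finditer(text)]

def run_as_user(text: str, default: str = "www") -> str:
    """Worker user from the User directive (www is assumed as the FreeBSD default here)."""
    m = USER_RE.search(text)
    return m.group(1) if m else default

def principal(user: str):
    """(uid, set of gids) for a real account: primary group plus supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids

def allows(mode: int, owner_uid: int, owner_gid: int, uid: int, gids, want: str) -> bool:
    """Classic owner/group/other DAC check for one principal; want is 'r', 'w' or 'x'.
    uid 0 bypasses DAC, which is exactly why a root ldapsearch succeeds where the
    worker fails. ACLs and MAC policies are not modelled."""
    if uid == 0:
        return True
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner_uid:
        cls = (mode >> 6) & 7
    elif owner_gid in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)

def path_readable_by(path: str, uid: int, gids, stat_fn=os.stat) -> list:
    """Walk from / to path; return every component the principal cannot pass.
    An empty list means the file can be opened for reading."""
    problems, cur = [], "/"
    for part in [p for p in path.split("/") if p]:
        try:
            st = stat_fn(cur)
        except FileNotFoundError:
            return problems + ["%s: does not exist" % cur]
        if not allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            problems.append("%s: no search (x) permission for uid %d" % (cur, uid))
        cur = cur.rstrip("/") + "/" + part
    try:
        st = stat_fn(cur)
    except FileNotFoundError:
        return problems + ["%s: does not exist" % cur]
    if not allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, "r"):
        problems.append("%s: no read (r) permission for uid %d" % (cur, uid))
    return problems

def check_config(text: str, uid=None, gids=None, stat_fn=os.stat) -> dict:
    """Map each configured cert path to its list of problems for the worker principal."""
    if uid is None:
        uid, gids = principal(run_as_user(text))
    return {path: path_readable_by(path, uid, gids, stat_fn) for _, _, path in cert_paths_from_config(text)}

# Constructed stand-in for the poster's layout: values are (mode, uid, gid).
# The CA file itself is world-readable; its parent directory is root-only.
DEMO_FS = {
    "/": (0o755, 0, 0), "/usr": (0o755, 0, 0), "/usr/local": (0o755, 0, 0),
    "/usr/local/etc": (0o755, 0, 0), "/usr/local/etc/openldap": (0o755, 0, 0),
    "/usr/local/etc/openldap/private": (0o700, 0, 0),
    "/usr/local/etc/openldap/private/ad-ca.pem": (0o644, 0, 0),
    "/usr/local/etc/openldap/certs": (0o755, 0, 0),
    "/usr/local/etc/openldap/certs/ad-ca.pem": (0o644, 0, 0),
}

def demo_stat(path: str):
    if path not in DEMO_FS:
        raise FileNotFoundError(path)
    mode, uid, gid = DEMO_FS[path]
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

# Constructed httpd.conf fragment: the first path reproduces the failure, the second is fixed.
DEMO_CONF = (
    "User www\n"
    "LDAPTrustedGlobalCert CERT_BASE64 /usr/local/etc/openldap/private/ad-ca.pem\n"
    "LDAPTrustedGlobalCert CERT_BASE64 /usr/local/etc/openldap/certs/ad-ca.pem\n"
)

if __name__ == "__main__":
    for path, problems in check_config(DEMO_CONF, uid=80, gids={80}, stat_fn=demo_stat).items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it as part of the deploy step that writes httpd.conf, before restarting httpd: because the library opens the CA file only when the first TLS connection is attempted, a clean restart proves nothing. The uid 80 / gid 80 used for the demo is an assumption for the www account; on a live host omit uid and gids and the script resolves the User directive through the password database.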