follows:
Solaris 9
OpenSSL v 0.9.8a
Berkley DB 4.2
OpenLDAP v 2.2.19
Apache 2.2.0
My LDAP implementation works great with TLS:
ldapsearch -ZZ -x -D "cn=someid,dc=example,dc=com" -W '(&(objectclass=posixaccount)(uid=testuser))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=posixaccount)(uid=testuser))
# requesting: ALL
#
# testuser, People, example.com
dn: uid=testuser,ou=People,dc=example,dc=com
uid: testuser
cn: System Administrator
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12440
loginShell: /bin/ksh
uidNumber: 2004
gidNumber: 10
homeDirectory: /home/testuser
gecos: System Administrator
userPassword:: <removed>
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
If I use regular LDAP, I can authenticate just fine.
The problem I am having is when I enable the use of TLS with the parameter:
LDAPTrustedMode TLS
in my httpd.conf file and attempt to log in to a web site, I get the following in the apache error_log file:
[Wed Jan 04 16:34:20 2006] [warn] [client <IP Address>] [17151] auth_ldap authenticate: user testuser authentication failed; URI /repos/test [LDAP:ldap_start_tls_s() failed][Not Supported]
What do I need to do in order to get TLS supported in Apache?
Here is my config.nice file for Apache:
#! /bin/sh
#
# Created by configure
CPPFLAGS="-I/usr/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include"
export CPPFLAGS
LDFLAGS="-L/usr/lib -L/usr/local/ssl/lib -L/usr/local/BerkeleyDB.4.2/lib -R/usr/local/BerkeleyDB.4.2/lib"
export LDFLAGS
"./configure" \
"--prefix=/usr/local/apache2" \
"--enable-mods-shared=all" \
"--enable-modules=all" \
"--enable-so" \
"--enable-ssl=shared" \
"--enable-ssl" \
"--enable-proxy" \
"--enable-proxy-connect" \
"--enable-proxy-http" \
"--enable-dav" \
"--enable-authnz-ldap" \
"--enable-ldap" \
"--enable-authn-alias" \
"--enable-cache" \
"--enable-disk-cache" \
"--enable-mem-cache" \
"--enable-mime-magic" \
"--enable-dav-fs" \
"--enable-dav-lock" \
"--enable-speling" \
"--enable-rewrite" \
"--with-ssl=/usr/local/ssl" \
"--with-ldap=ldap" \
"--with-ldap-include=/usr/local/include" \
"--with-ldap-lib=/usr/local/lib" \
"--with-berkeley-db=/usr/local/BerkeleyDB.4.2" \
"$@"
Here are the startup messages from the error_log too:
[Thu Jan 05 12:16:18 2006] [info] mod_unique_id: using ip addr <removed>
[Thu Jan 05 12:16:19 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jan 05 12:16:19 2006] [info] Loading certificate & private key of SSL-aware server
[Thu Jan 05 12:16:19 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Jan 05 12:16:19 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Jan 05 12:16:19 2006] [info] Init: Initializing (virtual) servers for SSL
[Thu Jan 05 12:16:19 2006] [info] Configuring server for SSL protocol
[Thu Jan 05 12:16:19 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 05 12:16:19 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Thu Jan 05 12:16:19 2006] [info] mod_unique_id: using ip addr <removed>
[Thu Jan 05 12:16:20 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Jan 05 12:16:20 2006] [info] Loading certificate & private key of SSL-aware server
[Thu Jan 05 12:16:20 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Jan 05 12:16:20 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Jan 05 12:16:20 2006] [info] Shared memory session cache initialised
[Thu Jan 05 12:16:20 2006] [info] Init: Initializing (virtual) servers for SSL
[Thu Jan 05 12:16:20 2006] [info] Configuring server for SSL protocol
[Thu Jan 05 12:16:20 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 05 12:16:20 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Thu Jan 05 12:16:20 2006] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 05 12:16:20 2006] [notice] Digest: done
[Thu Jan 05 12:16:20 2006] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Thu Jan 05 12:16:20 2006] [info] LDAP: SSL support available
[Thu Jan 05 12:16:20 2006] [notice] Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8a DAV/2 PHP/5.1.1 SVN/1.2.3 configured -- resuming normal operations
[Thu Jan 05 12:16:20 2006] [info] Server built: Dec 9 2005 14:02:01
And here is my slightly modified (private information changed) <Location>
block in my httpd.conf file:
LDAPTrustedGlobalCert CERT_BASE64 /usr/local/etc/openldap/cacert.pem
LDAPTrustedMode SSL
<Location /repos>
DAV svn
SVNParentPath /opt/repos
AuthType Basic
AuthBasicProvider ldap
AuthName "Subversion repository"
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldapserver.example.com/dc=fffc,dc=com?uid?sub?(objectClass=posixAccount)
AuthLDAPBindDN "cn=someid,dc=example,dc=com"
AuthLDAPBindPassword "password"
Require valid-user
AuthzSVNAccessFile /usr/local/etc/subversion/access
</Location>
Can someone please shed some light on what I need to do in order to get TLS
to be "supported"?
Thank you in advance!
Mark.
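Added by the editor, not part of Mark's post: a small consistency checker for the mod_ldap / mod_authnz_ldap directives shown above. It parses httpd.conf-style lines, works out the effective transport mode for each AuthLDAPURL (mod_ldap forces SSL for an ldaps:// URL whatever LDAPTrustedMode says; otherwise the mode is NONE, SSL or TLS), and flags the two configurations a reviewer cares about: a bind password sent over a NONE-mode connection, and SSL/TLS mode with no LDAPTrustedGlobalCert to validate the directory's certificate. The sample configuration is constructed from the post, with the base DN changed to dc=example,dc=com and the mode set to TLS as in the failing case; the function names are this example's own.

```python
"""Consistency checker for Apache mod_ldap / mod_authnz_ldap TLS directives (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the post: TLS mode, CA cert configured,
# ldap:// URL (so StartTLS on the standard port) and a bind password.
SAMPLE_CONF = """\
LDAPTrustedGlobalCert CERT_BASE64 /usr/local/etc/openldap/cacert.pem
LDAPTrustedMode TLS
<Location /repos>
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldapserver.example.com/dc=example,dc=com?uid?sub?(objectClass=posixAccount)
    AuthLDAPBindDN "cn=someid,dc=example,dc=com"
    AuthLDAPBindPassword "password"
    Require valid-user
</Location>
"""

DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+(.*?)\s*$')
ARG_RE = re.compile(r'"[^"]*"|\S+')


def parse_directives(text):
    """Return (name, [args]) pairs; comments and <Section> tags are skipped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('<'):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        args = [a.strip('"') for a in ARG_RE.findall(rest)]
        directives.append((name, args))
    return directives


def effective_mode(url, trusted_mode):
    """mod_ldap uses SSL for ldaps:// URLs regardless of LDAPTrustedMode;
    for ldap:// URLs the directive decides (default NONE)."""
    if urlsplit(url).scheme.lower() == 'ldaps':
        return 'SSL'
    return (trusted_mode or 'NONE').upper()


def check_ldap_tls(text):
    """Evaluate the LDAP transport settings and return mode, URLs and findings."""
    mode, have_cert, bind_pw, urls = None, False, False, []
    for name, args in parse_directives(text):
        key = name.lower()
        if key == 'ldaptrustedmode' and args:
            mode = args[0]
        elif key == 'ldaptrustedglobalcert':
            have_cert = True
        elif key == 'authldapurl' and args:
            urls.append(args[0])
        elif key == 'authldapbindpassword':
            bind_pw = True

    findings = []
    for url in urls:
        eff = effective_mode(url, mode)
        if eff == 'NONE' and bind_pw:
            findings.append(f'{url}: AuthLDAPBindPassword is sent in cleartext (mode NONE)')
        if eff in ('SSL', 'TLS') and not have_cert:
            findings.append(f'{url}: {eff} mode without LDAPTrustedGlobalCert; '
                            'the directory certificate cannot be validated')
    return {'mode': mode, 'urls': urls, 'findings': findings}


if __name__ == '__main__':
    for line in check_ldap_tls(SAMPLE_CONF)['findings'] or ['no findings']:
        print(line)
```

Run against the sample it reports nothing, because a CA certificate is configured and the bind is protected by StartTLS. Dropping the LDAPTrustedGlobalCert line, or switching the mode to NONE, produces a finding; that is the check worth running before enabling LDAP authentication in front of a repository, since the bind DN credentials in httpd.conf travel on every authentication.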