Well, I've solved this problem with a lot of help. The issue is that Apache's mod_ldap is ignoring "LDAPVerifyServerCert Off". I had to replace that with:

LDAPTrustedMode SSL
LDAPVerifyServerCert On

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/Thawte_Premium_Server_CA.pem

(if you have the same problem, make sure you use the right CA certificate... I'm not sure how to figure out which to use -- the person who helped me told me)

- Mike Benza

Tod wrote:
Mike Benza wrote:
  Hello,

I've been stuck with a problem where LDAP hangs when it's trying to authenticate.

I'm running Apache on Ubuntu 8.04, Hardy Heron. This problem occurs with the Ubuntu version (both 32 and 64 bit) as well as compiled directly from source. I can produce the problem in Apache 2.2.8 (from Ubuntu) and 2.2.10 (compiled from source). I posted about the problem on ubuntuforums.org a few weeks ago but I didn't get any useful responses. I've searched the web multiple times. Tonight I downloaded the source and built it, and I still have the problem.

I've a <Location> in a certain site that needs to be ldap authenticated. It doesn't get authenticated. Here is the location:

<Location /blah>
  AuthzLDAPAuthoritative Off
  AuthName "EWB Documents"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
  AuthLDAPBindPassword *********
  AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid"

  <Limit GET POST PROPFIND OPTIONS REPORT>
     Require valid-user
  </Limit>
</Location>

When I browse to http://site/blah, I get prompted for my username and password. I've confirmed that this <Location> configuration is causing the prompt, since when I remove the <Location>, I don't get prompted for a username and password. After I type my username and password in and click OK, nothing happens on the browser side. I can watch my browser send my credentials back to the server, and I can see the beginning of an LDAP conversation using wireshark on the server. However, after the conversation begins, it abruptly stops, and nothing happens. It just sits there.

I tested logging into the LDAP with a variation of the following (using a hostname and port, but I don't remember the format and switches now):
Code:

ldapsearch -x -W -D "cn=ewb,ou=service accounts,dc=rice,dc=edu" -b "ou=People,dc=rice,dc=edu" '(uid=XYZ)'

It prompts me for my password (the ***s in the above apache configuration), then finds the user named XYZ.

So, in summary I can connect via ldaps and look up a user at the command line, but somewhere, apache fails.

I turned logging in apache to debug, and discovered that ldap doesn't log much:
Code:

[Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache2/conf/magic
[Wed Sep 17 20:07:10 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) servers for SSL
[Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against Server: Apache/2.2.8, Library: OpenSSL/0.9.8g
[Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory: mod_mime_magic: can't read magic file /etc/apache2/conf/magic
[Wed Sep 17 20:07:10 2008] [notice] Digest: generating secret for digest authentication ...
[Wed Sep 17 20:07:10 2008] [notice] Digest: done
[Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: ewb.rice.edu
[Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: wiki.ewb.rice.edu
[Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: ewb.rice.edu
[Wed Sep 17 20:07:10 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Sep 17 20:07:10 2008] [info] LDAP: SSL support available
[Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(374): shmcb_init allocated 512000 bytes of shared memory
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(554): entered shmcb_init_memory()
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(576): for 512000 bytes, recommending 4266 indexes
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(619): shmcb_init_memory choices follow
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(621): division_mask = 0x1F
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(623): division_offset = 64
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(625): division_size = 15998
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(627): queue_size = 1604
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(629): index_num = 133
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(631): index_offset = 8
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(633): index_size = 12
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(635): cache_data_offset = 8
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(637): cache_data_size = 14386
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(650): leaving shmcb_init_memory()
[Wed Sep 17 20:07:10 2008] [info] Shared memory session cache initialised
[Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) servers for SSL
[Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against Server: Apache/2.2.8, Library: OpenSSL/0.9.8g
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24788 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24788 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24789 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24789 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24790 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24790 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24791 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24791 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24792 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24792 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24793 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24793 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24794 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24794 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed scoreboard slot 0 in child 24795 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized single connection worker 0 in child 24795 for (*)
[Wed Sep 17 20:07:10 2008] [notice] Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming normal operations

Nothing is logged in the error log when I try to load the page requiring my username and password.

Now here is where it gets a bit more complicated: If it's hanging waiting to authenticate and I restart apache, the authentication succeeds, then apache restarts just fine.

I don't know very much about the LDAP server. I know there are a number of machines with apache that successfully authenticate against this ldap.

Has anyone had problems like this? Please help me. I can't find anyone who knows enough about apache and ldap. I've been working at this for weeks now. Thank you.

- Mike Benza


Try doing the ldapsearch from the apache box to ldap.rice.edu to rule out a firewall issue.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
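The fix at the top of this thread replaces "LDAPVerifyServerCert Off" with verification turned on plus an explicit CA trust anchor. The script below is an added example, not code from the thread or from the Apache project: it audits an httpd.conf fragment for that weak setting and the two related mistakes (a plaintext ldap:// URL, and an encrypted URL with no LDAPTrustedGlobalCert CA_* anchor in the file), using the documented mod_ldap semantics that ldaps:// or an SSL/TLS/STARTTLS mode means encrypted and that LDAPTrustedMode defaults to NONE. The two embedded configs are constructed samples modelled on the thread, with the bind password replaced by a placeholder; the script treats the file as a single scope and does not see the LDAP SDK's own defaults (e.g. a TLS_CACERT in ldap.conf), so the MEDIUM finding is "unproven", not "broken".

```python
"""Audit an httpd.conf fragment for mod_ldap TLS mistakes (added example)."""
import shlex
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ENCRYPTED_MODES = {"ssl", "tls", "starttls"}
URL_MODES = ENCRYPTED_MODES | {"none"}   # optional trailing arg of AuthLDAPURL


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def parse_directives(config: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, lowercase directive name, args) for each directive line.

    Blank lines, comments and <Section>/</Section> tags are skipped (no scope
    tracking). Directive names are case-insensitive in httpd.conf; shlex
    removes the quotes around arguments such as the AuthLDAPURL."""
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:            # unbalanced quote, e.g. inside a password
            parts = line.split()
        if parts:
            yield lineno, parts[0].lower(), parts[1:]


def audit_ldap_tls(config: str) -> List[Finding]:
    """Return findings, worst first, for the LDAP-over-TLS posture of a config.

    HIGH   LDAPVerifyServerCert Off: the directory's certificate is not checked,
           so an on-path attacker posing as the LDAP server receives the bind
           DN password and every user's credentials.
    HIGH   AuthLDAPURL is plaintext: scheme ldap:// and the effective mode
           (URL argument, else LDAPTrustedMode, default NONE) is not encrypted.
    MEDIUM Encrypted URL but no LDAPTrustedGlobalCert CA_* anchor in this file;
           verification then rests on SDK defaults this audit cannot see."""
    trusted_mode = "none"
    has_ca = False
    verify_off_line: Optional[int] = None
    urls: List[Tuple[int, str, Optional[str]]] = []

    for lineno, name, args in parse_directives(config):
        if name == "ldapverifyservercert" and args:
            verify_off_line = lineno if args[0].lower() == "off" else None
        elif name == "ldaptrustedmode" and args:
            trusted_mode = args[0].lower()
        elif name == "ldaptrustedglobalcert" and args:
            has_ca = has_ca or args[0].upper().startswith("CA_")
        elif name == "authldapurl" and args:
            scheme = args[0].split("://", 1)[0].lower()
            mode = args[1].lower() if len(args) > 1 and args[1].lower() in URL_MODES else None
            urls.append((lineno, scheme, mode))

    findings: List[Finding] = []
    if verify_off_line is not None:
        findings.append(Finding(verify_off_line, "HIGH",
            "LDAPVerifyServerCert Off: directory certificate is not verified; "
            "set it On and add LDAPTrustedGlobalCert CA_BASE64 <ca.pem>"))
    for lineno, scheme, url_mode in urls:
        effective = url_mode or trusted_mode
        if scheme != "ldaps" and effective not in ENCRYPTED_MODES:
            findings.append(Finding(lineno, "HIGH",
                "AuthLDAPURL uses plaintext ldap:// with mode %s: bind and user "
                "passwords cross the network unencrypted" % effective.upper()))
        elif not has_ca:
            findings.append(Finding(lineno, "MEDIUM",
                "encrypted AuthLDAPURL but no LDAPTrustedGlobalCert CA_* anchor in "
                "this config; verification depends on the LDAP SDK's defaults"))
    rank = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.line))


# Constructed sample modelled on the failing configuration in the thread.
INSECURE_CONF = """
LDAPVerifyServerCert Off

<Location /blah>
  AuthName "EWB Documents"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
  AuthLDAPBindPassword CHANGEME
  AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid"
  Require valid-user
</Location>
"""

# Constructed sample with the three directives the thread ends on.
FIXED_CONF = """
LDAPTrustedMode SSL
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/Thawte_Premium_Server_CA.pem

<Location /blah>
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
  AuthLDAPBindPassword CHANGEME
  AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid"
  Require valid-user
</Location>
"""

if __name__ == "__main__":
    for label, conf in (("insecure", INSECURE_CONF), ("fixed", FIXED_CONF)):
        print("%s: %d finding(s)" % (label, len(audit_ldap_tls(conf))))
        for f in audit_ldap_tls(conf):
            print("  line %d %-6s %s" % (f.line, f.severity, f.message))
```

Run it against a real httpd.conf by reading the file into audit_ldap_tls(); the insecure sample yields one HIGH (verification off) and one MEDIUM (no CA anchor), the fixed sample yields nothing.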