I am trying to build apache httpd 2.4.20 with LDAP over SSL support. No matter what I try I always get this as the first line in the error log file at start up:
[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL support unavailable
I believe (through many hours of perseverance) I am using the correct configure command-line args, which should enable the httpd/apr/apr-util build to find:
    openssl (latest from installed csw package)
    openldap (latest from installed csw package)
    apr 1.5.2 (from src build with httpd)
    apr-util 1.5.4 (from src build with httpd)
    pcre 8.36 (built and installed to /opt/pcre)
My configure runs without errors and with no LDAP or SSL warnings. My make runs without error. My install runs without error. Httpd boots.
With LogLevel set to "trace8" here is what I get on the command line:
$ sudo ./apachectl start
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208): Setting LogLevel for all modules to trace8
[Thu Jun 16 09:20:17.559959 2016] [ldap:debug] [pid 10195] util_ldap.c(2613): AH01311: LDAP: Setting referral chasing Off
[Thu Jun 16 09:20:17.560102 2016] [authnz_ldap:trace1] [pid 10195] mod_authnz_ldap.c(1512): auth_ldap url parse: `ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub', Host: global.corp.markco, Port: 636, DN: DC=global,DC=corp,DC=markco, attrib: sAMAccountName, scope: subtree, filter: (null), connection mode: using SSL
$

When trying to contact the server through a browser I am prompted for login/passwd. If I use an NIS account (validated through local passwd/group files) it authenticates fine. If I use an Active Directory (non-NIS) account it tries LDAP and this fails with errors in the error_log like:
[Thu Jun 16 09:24:47.499445 2016] [core:trace5] [pid 10199] protocol.c(614): [client 101.172.90.164:58872] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:24:47.499988 2016] [http:trace4] [pid 10199] http_request.c(393): [client 101.172.90.164:58872] Headers received from client:
[Thu Jun 16 09:24:47.500045 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:24:47.500137 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Accept-Language: en-US
[Thu Jun 16 09:24:47.500189 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:24:47.500245 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:24:47.500295 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:24:47.500344 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Connection: Keep-Alive
[Thu Jun 16 09:24:47.500393 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:24:47.500443 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:24:47.500698 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:24:47.501447 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501508 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501579 2016] [core:trace3] [pid 10199] request.c(117): [client 101.172.90.164:58872] auth phase 'check user' gave status 401: /
[Thu Jun 16 09:24:47.501848 2016] [http:trace3] [pid 10199] http_filters.c(1003): [client 101.172.90.164:58872] Response sent with status 401, headers:
[Thu Jun 16 09:24:47.501902 2016] [http:trace5] [pid 10199] http_filters.c(1012): [client 101.172.90.164:58872]   Date: Thu, 16 Jun 2016 16:24:47 GMT
[Thu Jun 16 09:24:47.501983 2016] [http:trace5] [pid 10199] http_filters.c(1015): [client 101.172.90.164:58872]   Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:24:47.502052 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   WWW-Authenticate: Basic realm="Use NIS or Active Directory Login"
[Thu Jun 16 09:24:47.502109 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Content-Length: 469
[Thu Jun 16 09:24:47.502156 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Keep-Alive: timeout=2, max=50
[Thu Jun 16 09:24:47.502205 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Connection: Keep-Alive
[Thu Jun 16 09:24:47.502253 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:24:47.502398 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:24:47.662398 2016] [core:trace4] [pid 10196] mpm_common.c(531): mpm child 10333 (gen 0/slot 5) started
[Thu Jun 16 09:24:49.502950 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.389375 2016] [core:trace5] [pid 10200] protocol.c(614): [client 101.172.90.164:58882] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:25:10.389917 2016] [http:trace4] [pid 10200] http_request.c(393): [client 101.172.90.164:58882] Headers received from client:
[Thu Jun 16 09:25:10.389976 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:25:10.390027 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Accept-Language: en-US
[Thu Jun 16 09:25:10.390078 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:25:10.390174 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:25:10.390226 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:25:10.390276 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Connection: Keep-Alive
[Thu Jun 16 09:25:10.390324 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:25:10.390374 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:25:10.390427 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Authorization: Basic STgyNTcyODpTSlNoYXJrMWU=
[Thu Jun 16 09:25:10.391211 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:25:10.391274 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:25:10.404407 2016] [authnz_ldap:debug] [pid 10200] mod_authnz_ldap.c(515): [client 101.172.90.164:58882] AH01691: auth_ldap authenticate: using URL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
[Thu Jun 16 09:25:10.404479 2016] [authnz_ldap:trace1] [pid 10200] mod_authnz_ldap.c(536): [client 101.172.90.164:58882] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=MyADAccount))
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 101.172.90.164:58882] AH01695: auth_ldap authenticate: user MyADAccount authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117): [client 101.172.90.164:58882] auth phase 'check user' gave status 500: /
[Thu Jun 16 09:25:10.408127 2016] [http:trace3] [pid 10200] http_filters.c(1003): [client 101.172.90.164:58882] Response sent with status 500, headers:
[Thu Jun 16 09:25:10.408180 2016] [http:trace5] [pid 10200] http_filters.c(1012): [client 101.172.90.164:58882]   Date: Thu, 16 Jun 2016 16:25:10 GMT
[Thu Jun 16 09:25:10.408227 2016] [http:trace5] [pid 10200] http_filters.c(1015): [client 101.172.90.164:58882]   Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:25:10.408297 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]   Content-Length: 664
[Thu Jun 16 09:25:10.408347 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]   Connection: close
[Thu Jun 16 09:25:10.408408 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]   Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:25:10.408524 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.408878 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket

My configure environment and command line were:
CC=/usr/global/opt/SunStudio12.2/bin/cc
export CC

exec ./configure \
        --with-mpm=prefork \
        --with-included-apr \
        --with-pcre=/opt/pcre \
        --enable-authnz-ldap \
        --enable-ldap \
        --with-ldap=ldap \
        --with-ldap-lib=/opt/csw/lib \
        --with-ldap-include=/opt/csw/include \
        --enable-authnz-fcgi \
        --enable-cgi \
        --enable-ssl \
        --with-ssl=/opt/csw \
        --with-ssl-lib=/opt/csw/lib \
        --with-ssl-include=/opt/csw/include \
        --with-crypto \
        --with-openssl=/opt/csw \
        --enable-modules=all \
        --enable-rewrite \
        --prefix=/codeadm/http_servers/httpd-${INSTALL_VER}


In httpd.conf I am setting the path to the CA cert file:
# Specify CA certificate file
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/MyGlobalCACert.crt

The configuration for the directory I am trying to browse to is:
    Options Indexes FollowSymLinks MultiViews Includes
    AuthName "Use NIS or Active Directory Login"
    AllowOverride None
    LDAPReferrals Off
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile "/work/www/HT/HTpasswd.dat"
    AuthGroupFile "/work/www/HT/HTgroup.dat"
    AuthLDAPURL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
    AuthLDAPBindDN CN=aduserforread,OU=Engineering,DC=global,DC=corp,DC=markco
    AuthLDAPBindPassword FakePassW0rd
    Require valid-user
I have confirmed I can use the "ldapsearch" command-line tool from openldap with these values to query AD successfully.
Any thoughts on what I can do to make LDAP over SSL work?
Thanks
Mj
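A diagnostic an administrator could run over the error_log and httpd.conf excerpts shown above, as an added example that is not part of the original post: it flags an ldaps:// AuthLDAPURL configured while mod_ldap reported AH01320 (SSL support unavailable) at startup, ties the per-request AH01695 "ldap initialization failed" to that startup condition rather than to a bad password, and flags the Authorization header that trace-level logging writes to disk. The sample log lines and config fragment are constructed (hostnames, pids, user and credential are made up), and the suggestion to check apr-util's LDAP SDK detection and the LDAPTrustedGlobalCert path is an assumption, not something the post confirms.

```python
import re
from typing import Dict, List

# Constructed sample entries in the httpd 2.4 error_log format seen in the
# post (pid, client address, user and credential are made up).
SAMPLE_LOG = """\
[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL support unavailable
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 192.0.2.10:58882]   Authorization: Basic dXNlcjpzZWNyZXQ=
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 192.0.2.10:58882] AH01695: auth_ldap authenticate: user jdoe authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
"""

# Constructed httpd.conf fragment mirroring the post's directives.
SAMPLE_CONF = """\
LogLevel trace8
AuthLDAPURL ldaps://ldap.example.test/DC=example,DC=test?sAMAccountName?sub
"""

# One error_log entry: [timestamp] [module:level] [pid N] message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z0-9]+)\] "
    r"\[pid (?P<pid>\d+)\] ?(?P<msg>.*)$")

def parse_error_log(text: str) -> List[Dict[str, str]]:
    """Split error_log text into entries; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def diagnose(log_text: str, conf_text: str) -> List[str]:
    """Correlate startup and per-request entries with the LDAP configuration."""
    entries = parse_error_log(log_text)
    findings: List[str] = []
    # AH01320 at startup means mod_ldap cannot open SSL connections at all,
    # so every ldaps:// AuthLDAPURL is dead before any bind is attempted.
    ssl_missing = any(e["msg"].startswith("AH01320") for e in entries)
    ldaps_urls = re.findall(r"^\s*AuthLDAPURL\s+(ldaps://\S+)", conf_text, re.M)
    if ssl_missing and ldaps_urls:
        findings.append("AH01320: mod_ldap reported SSL support unavailable at startup, "
                        "yet AuthLDAPURL uses " + ", ".join(ldaps_urls) + "; check "
                        "apr-util's LDAP SDK detection and the LDAPTrustedGlobalCert path")
    for e in entries:
        if ssl_missing and "AH01695" in e["msg"] and "ldap initialization failed" in e["msg"]:
            findings.append(f"[{e['ts']}] AH01695 'ldap initialization failed' is "
                            "consistent with the startup AH01320, not with a bad password")
        # At trace4, http_request.c logs every request header verbatim.
        if e["level"].startswith("trace") and "Authorization: Basic" in e["msg"]:
            findings.append(f"[{e['ts']}] {e['module']}:{e['level']} wrote an Authorization "
                            "header to error_log; lower LogLevel and treat that credential "
                            "as exposed")
    return findings
```

Run with `diagnose(SAMPLE_LOG, SAMPLE_CONF)`; on a real server, pass the contents of error_log and the merged httpd.conf instead of the constructed samples.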

