Based on this https://bz.apache.org/bugzilla/show_bug.cgi?id=41041 I decided
to hard code some CPP and LD flags for the configure/make steps:
# Force the apr builds to find libs here and at run time load them from here.
CPPFLAGS='-I/opt/csw/include'
export CPPFLAGS
LDFLAGS='-R/opt/csw/lib -L/opt/csw/lib'
export LDFLAGS
This now gives me one nice new line in the error log and then the one that is
not so nice:
[Thu Jun 16 16:28:48.191774 2016] [ldap:info] [pid 8328] AH01318: APR LDAP:
Built with OpenLDAP LDAP SDK
[Thu Jun 16 16:28:48.192275 2016] [ldap:info] [pid 8328] AH01320: LDAP: SSL
support unavailable: (null)
What causes httpd runtime to spit out that "support unavailable" message?
openssl is there, it is linked into the modules, the command line tools can
connect to my AD server.
The only thing I can think of is that either my openssl package is too new (tls
support dropped in 1.0.0t??) or that the openldap package (2.4.40) I have is
not compatible (built) with this version of openssl.
So I am going to try to build openldap and openssl now.Anyone know which newish
versions work well together?
MJ
On Thursday, June 16, 2016 9:45 AM, Mark Jacquet
<mark_jacq...@yahoo.com.INVALID> wrote:
I am trying to build apache httpd 2.4.20 with LDAP over SSL support
No matter what I try I always get this as the first line in the error log file
at start up:
[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL
support unavailable
I believe (through many hours or perseverance) I am using the correct configure
cmdline args which should enable the httpd/apr/apr-util build to find:
openssl (latest from installed csw package)
openldap (latest from installed csw package)apr 1.5.2 (from src build with
httpd)
apr-util 1.5.4 (from src build with httpd)pcre 8.36 (built and installed to
/opt/pcre)
My configure runs without errors and with no LDAP or SSL warnings.My make runs
without error.My install runs without error.Httpd boots.
With LogLevel set to "trace8" here is what I get on the command line:
$ sudo ./apachectl start
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208):
Setting LogLevel for all modules to trace8
[Thu Jun 16 09:20:17.559959 2016] [ldap:debug] [pid 10195] util_ldap.c(2613):
AH01311: LDAP: Setting referral chasing Off
[Thu Jun 16 09:20:17.560102 2016] [authnz_ldap:trace1] [pid 10195]
mod_authnz_ldap.c(1512): auth_ldap url parse:
`ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub',
Host: global.corp.markco, Port: 636, DN: DC=global,DC=corp,DC=markco, attrib:
sAMAccountName, scope: subtree, filter: (null), connection mode: using SSL
$
When trying to contact the server through a browser I am prompted for
login/passwd.If I used an NIS account (validated through local passwd/group
files) it authenticates fine.If I use an Active Directory (non-NIS) account it
tries LDAP and this fails with errors in the error_log like:
[Thu Jun 16 09:24:47.499445 2016] [core:trace5] [pid 10199] protocol.c(614):
[client 101.172.90.164:58872] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:24:47.499988 2016] [http:trace4] [pid 10199]
http_request.c(393): [client 101.172.90.164:58872] Headers received from client:
[Thu Jun 16 09:24:47.500045 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] Accept: text/html,
application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:24:47.500137 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] Accept-Language: en-US
[Thu Jun 16 09:24:47.500189 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] User-Agent: Mozilla/5.0
(Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:24:47.500245 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] Accept-Encoding: gzip,
deflate, peerdist
[Thu Jun 16 09:24:47.500295 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] Host:
newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:24:47.500344 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] Connection: Keep-Alive
[Thu Jun 16 09:24:47.500393 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] Cookie:
shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:24:47.500443 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:24:47.500698 2016] [http:trace4] [pid 10199]
http_request.c(396): [client 101.172.90.164:58872] X-P2P-PeerDistEx:
MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:24:47.501447 2016] [authz_core:debug] [pid 10199]
mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501508 2016] [authz_core:debug] [pid 10199]
mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization
result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501579 2016] [core:trace3] [pid 10199] request.c(117):
[client 101.172.90.164:58872] auth phase 'check user' gave status 401: /
[Thu Jun 16 09:24:47.501848 2016] [http:trace3] [pid 10199]
http_filters.c(1003): [client 101.172.90.164:58872] Response sent with status
401, headers:
[Thu Jun 16 09:24:47.501902 2016] [http:trace5] [pid 10199]
http_filters.c(1012): [client 101.172.90.164:58872] Date: Thu, 16 Jun 2016
16:24:47 GMT
[Thu Jun 16 09:24:47.501983 2016] [http:trace5] [pid 10199]
http_filters.c(1015): [client 101.172.90.164:58872] Server: Apache/2.4.20
(Unix)
[Thu Jun 16 09:24:47.502052 2016] [http:trace4] [pid 10199]
http_filters.c(833): [client 101.172.90.164:58872] WWW-Authenticate: Basic
realm=\\"Use NIS or Active Directory Login\\"
[Thu Jun 16 09:24:47.502109 2016] [http:trace4] [pid 10199]
http_filters.c(833): [client 101.172.90.164:58872] Content-Length: 469
[Thu Jun 16 09:24:47.502156 2016] [http:trace4] [pid 10199]
http_filters.c(833): [client 101.172.90.164:58872] Keep-Alive: timeout=2,
max=50
[Thu Jun 16 09:24:47.502205 2016] [http:trace4] [pid 10199]
http_filters.c(833): [client 101.172.90.164:58872] Connection: Keep-Alive
[Thu Jun 16 09:24:47.502253 2016] [http:trace4] [pid 10199]
http_filters.c(833): [client 101.172.90.164:58872] Content-Type: text/html;
charset=iso-8859-1
[Thu Jun 16 09:24:47.502398 2016] [core:trace6] [pid 10199]
core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing
because of FLUSH bucket
[Thu Jun 16 09:24:47.662398 2016] [core:trace4] [pid 10196] mpm_common.c(531):
mpm child 10333 (gen 0/slot 5) started
[Thu Jun 16 09:24:49.502950 2016] [core:trace6] [pid 10199]
core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing
because of FLUSH bucket
[Thu Jun 16 09:25:10.389375 2016] [core:trace5] [pid 10200] protocol.c(614):
[client 101.172.90.164:58882] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:25:10.389917 2016] [http:trace4] [pid 10200]
http_request.c(393): [client 101.172.90.164:58882] Headers received from client:
[Thu Jun 16 09:25:10.389976 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Accept: text/html,
application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:25:10.390027 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Accept-Language: en-US
[Thu Jun 16 09:25:10.390078 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] User-Agent: Mozilla/5.0
(Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:25:10.390174 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Accept-Encoding: gzip,
deflate, peerdist
[Thu Jun 16 09:25:10.390226 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Host:
newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:25:10.390276 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Connection: Keep-Alive
[Thu Jun 16 09:25:10.390324 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:25:10.390374 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] X-P2P-PeerDistEx:
MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:25:10.390427 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Cookie:
shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200]
http_request.c(396): [client 101.172.90.164:58882] Authorization: Basic
STgyNTcyODpTSlNoYXJrMWU=
[Thu Jun 16 09:25:10.391211 2016] [authz_core:debug] [pid 10200]
mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization
result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:25:10.391274 2016] [authz_core:debug] [pid 10200]
mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization
result of <RequireAny>: denied (no authenticated user yet)[Thu Jun 16
09:25:10.404407 2016] [authnz_ldap:debug] [pid 10200] mod_authnz_ldap.c(515):
[client 101.172.90.164:58882] AH01691: auth_ldap authenticate: using URL
ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
[Thu Jun 16 09:25:10.404479 2016] [authnz_ldap:trace1] [pid 10200]
mod_authnz_ldap.c(536): [client 101.172.90.164:58882] auth_ldap authenticate:
final authn filter is (&(objectclass=*)(sAMAccountName=MyADAccount))
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client
101.172.90.164:58882] AH01695: auth_ldap authenticate: user MyADAccount
authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117):
[client 101.172.90.164:58882] auth phase 'check user' gave status 500: /
[Thu Jun 16 09:25:10.408127 2016] [http:trace3] [pid 10200]
http_filters.c(1003): [client 101.172.90.164:58882] Response sent with status
500, headers:
[Thu Jun 16 09:25:10.408180 2016] [http:trace5] [pid 10200]
http_filters.c(1012): [client 101.172.90.164:58882] Date: Thu, 16 Jun 2016
16:25:10 GMT
[Thu Jun 16 09:25:10.408227 2016] [http:trace5] [pid 10200]
http_filters.c(1015): [client 101.172.90.164:58882] Server: Apache/2.4.20
(Unix)
[Thu Jun 16 09:25:10.408297 2016] [http:trace4] [pid 10200]
http_filters.c(833): [client 101.172.90.164:58882] Content-Length: 664
[Thu Jun 16 09:25:10.408347 2016] [http:trace4] [pid 10200]
http_filters.c(833): [client 101.172.90.164:58882] Connection: close
[Thu Jun 16 09:25:10.408408 2016] [http:trace4] [pid 10200]
http_filters.c(833): [client 101.172.90.164:58882] Content-Type: text/html;
charset=iso-8859-1
[Thu Jun 16 09:25:10.408524 2016] [core:trace6] [pid 10200]
core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing
because of FLUSH bucket
[Thu Jun 16 09:25:10.408878 2016] [core:trace6] [pid 10200]
core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing
because of FLUSH bucket
My configure env and cmdline was:
CC=/usr/global/opt/SunStudio12.2/bin/cc
export CC
exec ./configure \
--with-mpm=prefork \
--with-included-apr \
--with-pcre=/opt/pcre \
--enable-authnz-ldap \
--enable-ldap \
--with-ldap=ldap \
--with-ldap-lib=/opt/csw/lib \
--with-ldap-include=/opt/csw/include \
--enable-authnz-fcgi \
--enable-cgi \
--enable-ssl \
--with-ssl=/opt/csw \
--with-ssl-lib=/opt/csw/lib \
--with-ssl-include=/opt/csw/include \
--with-crypto \
--with-openssl=/opt/csw \
--enable-modules=all \
--enable-rewrite \
--prefix=/codeadm/http_servers/httpd-${INSTALL_VER}
In http.conf I am setting the path the the CA cert file:
# Specify CA certificate file
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/MyGlobalCACert.crt
The configuration for the directory I am trying to browse to is:
Options Indexes FollowSymLinks MultiViews Includes
AuthName "Use NIS or Active Directory Login"
AllowOverride None
LDAPReferrals Off
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile "/work/www/HT/HTpasswd.dat"
AuthGroupFile "/work/www/HT/HTgroup.dat"
AuthLDAPURL
ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
AuthLDAPBindDN CN=aduserforread,OU=Engineering,DC=global,DC=corp,DC=markco
AuthLDAPBindPassword FakePassW0rd
Require valid-user
I have confirmed I can use the "ldapsearch" commandline tool from openldap with
these values to query AD successfully.
Any thoughts on what I can do to make LDAP over SSL work?
ThanksMj
