directory-users mailing list archives

From Frank Rouse <plaidfar...@gmail.com>
Subject ApacheDS Apache web server ldaps connection problem.
Date Tue, 08 Dec 2009 22:32:16 GMT
I am having issues getting an Apache web server to authenticate users
using the ldaps port of an ApacheDS server. I have been over and over
these settings and I'm almost convinced that there is something simple,
maybe hidden, that I am missing. I'm hoping the collective wisdom of
the internet can succeed where I have failed.  Any information would
be appreciated.

Environment
Windows XP SP3
Apache Web Server 2.2
ApacheDS Server 1.5.5

Current State
1. I can authenticate users from Apache using the unsecure ldap 10389
port. Of course this means that userids/passwords are sent in
plaintext.
2. I can connect to the secure ldap 10686 port with the JXplorer client.
It will prompt me to accept an SSL certificate.  I have saved this
certificate for later use.
3. I have written my own Java code that can access and modify ldap
information using the secure 10686 port.  In order for this code to
work I have to import the SSL certificate I saved from JXplorer into
my local jvm cacerts file.
4. There is an Openldap server that the Apache web server can
authenticate users on the secure ldap port.
5. There is some text within the Apache web server error.log that
states the following.

LDAP: SSL support unavailable: LDAP: CA certificates cannot be set
using this method, as they are stored in the registry instead.

I looked into this and there was some reference to storing the
certificate in windows registry using the certificate snap-in under
mmc.  I tried that and installed the certificate in the Certificates
(Local Computer)->Trusted Root Certification Authorities->Certificates
but nothing changed.
Below are the relevant parts of my "server.xml" and "httpd.conf" files
as well as part of the Apache Web Server error.log (there wasn't much
useful information in the apacheds-rolling.log file).

SERVER.XML
  <ldapServer id="ldapServer"
            allowAnonymousAccess="false"
            saslHost="ldap.example.com"
            saslPrincipal="ldap/ldap.example.com@EXAMPLE.COM"
            searchBaseDn="ou=users,ou=system"
            maxTimeLimit="15000"
            maxSizeLimit="1000"
            >
    <transports>
      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8" backLog="50" enableSSL="false"/>
      <tcpTransport address="localhost" port="10686" enableSSL="true"/>
    </transports>

    <directoryService>#directoryService</directoryService>

    <!-- The list of supported authentication mechanisms.                   -->
    <saslMechanismHandlers>
      <simpleMechanismHandler mech-name="SIMPLE"/>
      <cramMd5MechanismHandler mech-name="CRAM-MD5" />
      <digestMd5MechanismHandler mech-name="DIGEST-MD5" />
      <gssapiMechanismHandler mech-name="GSSAPI" />
      <ntlmMechanismHandler mech-name="NTLM" ntlmProviderFqcn="com.foo.Bar"/>
      <ntlmMechanismHandler mech-name="GSS-SPNEGO" ntlmProviderFqcn="com.foo.Bar"/>
    </saslMechanismHandlers>

    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
    <saslRealms>
      <s:value>example.com</s:value>
      <s:value>apache.org</s:value>
    </saslRealms>

    <!-- the collection of extended operation handlers to install           -->
    <extendedOperationHandlers>
      <startTlsHandler/>
      <gracefulShutdownHandler/>
      <launchDiagnosticUiHandler/>
      <!-- The Stored Procedure Extended Operation is not stable yet and it may cause security risks. -->
      <!--storedProcedureExtendedOperationHandler/-->
    </extendedOperationHandlers>
  </ldapServer>

  <apacheDS id="apacheDS">
    <ldapServer>#ldapServer</ldapServer>
  </apacheDS>

HTTPD.CONF

LDAPTrustedGlobalCert CA_DER "C:/Program Files/Apache Software Foundation/Apache2.2/certs/ApacheDS_9_28_2009_to_9_28_2010.der"

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/XXXXXX_Internal_FW_and_SW_Release_Repository">
    Order deny,allow
    Deny from All
    AuthType Basic
    AuthName "xxxxxx.com ldap"
    AuthBasicProvider ldap
    AuthLDAPUrl ldaps://localhost:10686/dc=xxxxxx,dc=com
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "cn=Frank Rouse,ou=Users,dc=xxxxxx,dc=com"
    AuthLDAPBindPassword xxxxxx
    Require valid-user
    Satisfy any
</Directory>

ERROR.LOG

[Fri Dec 04 15:51:08 2009] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Fri Dec 04 15:51:08 2009] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
.
.
.
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [warn] [client 127.0.0.1] [4628] auth_ldap authenticate: user frouse authentication failed; URI /Sensus_Internal_FW_and_SW_Release_Repository/ [LDAP: ldap_simple_bind_s() failed][Server Down]

Thanks
--
Always look on the bright side of life.
                                    - M Python
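The startup line "LDAP: SSL support unavailable" explains the later "[Server Down]" bind failures: the APR LDAP build in use does not take its CA certificate from LDAPTrustedGlobalCert. The following diagnostic, an added example and not part of the post, correlates those two facts in an Apache error.log; the sample log is constructed from the excerpt above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the error.log excerpt in the post.
SAMPLE_LOG = """\
[Fri Dec 04 15:51:08 2009] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Fri Dec 04 15:51:08 2009] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=example,dc=com
[Tue Dec 08 16:13:58 2009] [warn] [client 127.0.0.1] [4628] auth_ldap authenticate: user frouse authentication failed; URI /repo/ [LDAP: ldap_simple_bind_s() failed][Server Down]
"""

# Apache 2.2 error.log entry: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
URL_RE = re.compile(r"using URL (?P<url>\S+)")


def parse_log(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")


def diagnose(text):
    """Return findings that link ldaps:// bind failures to the SSL warning."""
    findings = []
    ssl_unavailable = False
    ldaps_hosts = set()
    bind_failures = 0
    for _ts, _level, msg in parse_log(text):
        if msg.startswith("LDAP: SSL support unavailable"):
            ssl_unavailable = True
        m = URL_RE.search(msg)
        if m:
            url = urlsplit(m.group("url"))
            if url.scheme == "ldaps":
                ldaps_hosts.add(url.netloc)  # host:port of each LDAPS target
        if "ldap_simple_bind_s() failed" in msg and "Server Down" in msg:
            bind_failures += 1
    if ssl_unavailable and ldaps_hosts:
        findings.append(
            "APR LDAP reported 'SSL support unavailable' at startup but ldaps:// "
            "is used for %s; this build keeps CA certificates in the registry, so "
            "LDAPTrustedGlobalCert does not apply" % ", ".join(sorted(ldaps_hosts)))
    if bind_failures:
        findings.append("%d bind attempt(s) failed with [Server Down]" % bind_failures)
    return findings
```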
