From Alex Karasulu <akaras...@gmail.com>
Subject Re: ApacheDS Apache web server ldaps connection problem.
Date Wed, 09 Dec 2009 01:22:30 GMT
Hi Frank,

A very thorough email.  Thanks for doing the work to make troubleshooting
this problem easier.  I do however have one more thing to ask of you.  Let's
start ApacheDS in debug mode and set up the log4j.properties file so that the
frontend ldap wire protocol code is executing to see what's happening when
you hit it with httpd.

Just use the following log4j.properties file after backing up your original
configuration:

# --- start ---

log4j.rootCategory=WARN, stdout, R

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout

log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=apacheds-rolling.log

log4j.appender.R.MaxFileSize=1024KB
# Keep some backup files
log4j.appender.R.MaxBackupIndex=5

log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=[%d{HH:mm:ss}] %p [%c] - %m%n

log4j.appender.stdout.layout.ConversionPattern=[%d{HH:mm:ss}] %p [%c] - %m%n

# with these we'll not get inundated when switching to DEBUG
log4j.logger.org.apache.directory.server.ldap.*=DEBUG
log4j.logger.org.springframework=WARN
log4j.logger.org.apache.directory.shared.codec=WARN
log4j.logger.org.apache.directory.shared.asn1=WARN

log4j.logger.org.apache.directory.server.schema.registries=WARN

#---- end ----

NOTE the following line ....

log4j.logger.org.apache.directory.server.ldap.*=DEBUG

When set up and ADS has restarted, hit the LDAPS port with httpd.  Then send
me the logs so we can see if you're actually hitting the SSL port. This
configuration will also log output to a log file so if you lose data on the
screen don't worry it will be put into the apacheds-rolling.log file.

Send me the region of the logs where you're seeing the SSL port hit if at
all.  Just as a test you might want to see what this looks like when you hit
it with your client code which worked (right?).

Alex

On Tue, Dec 8, 2009 at 5:32 PM, Frank Rouse <plaidfarmer@gmail.com> wrote:

> I am having issues getting an Apache web server to authenticate users
> using the ldaps port of an ApacheDS server. I have been over and over
> these settings and I'm almost convinced that there is something simple,
> maybe hidden, that I am missing. I'm hoping the collective wisdom of
> the internet can succeed where I have failed.  Any information would
> be appreciated.
>
> Environment
> Windows XP SP3
> Apache Web Server 2.2
> ApacheDS Server 1.5.5
>
> Current State
> 1. I can authenticate users from Apache using the unsecure ldap 10389
> port. Of course this means that userids/passwords are sent in
> plaintext.
> 2. I can connect to the secure ldap 10686 port with JExplorer client.
> It will prompt me to accept an SSL certificate.  I have saved this
> certificate for later use.
> 3. I have written my own Java code that can access and modify ldap
> information using the secure 10686 port.  In order for this code to
> work I have to import the SSL certificate I saved from JExplorer into
> my local jvm cacerts file.
> 4. There is an Openldap server that the Apache web server can
> authenticate users on the secure ldap port.
> 5. There is some text within the Apache web server error.log that
> states the following.
>
> LDAP: SSL support unavailable: LDAP: CA certificates cannot be set
> using this method, as they are stored in the registry instead.
>
> I looked into this and there was some reference to storing the
> certificate in windows registry using the certificate snap-in under
> mmc.  I tried that and installed the certificate in the Certificates
> (Local Computer)->Trusted Root Certification Authorities->Certificates
> but nothing changed.
>
> Below are the relevant parts of my "server.xml" and "httpd.conf" files
> as well as part of the Apache Web Server error.log (there wasn't much
> useful information in the apacheds-rolling.log file).
>
> SERVER.XML
>  <ldapServer id="ldapServer"
>            allowAnonymousAccess="false"
>            saslHost="ldap.example.com"
>            saslPrincipal="ldap/ldap.example.com@EXAMPLE.COM"
>            searchBaseDn="ou=users,ou=system"
>            maxTimeLimit="15000"
>            maxSizeLimit="1000"
>            >
>    <transports>
>      <tcpTransport address="0.0.0.0" port="10389" nbThreads="8"
> backLog="50" enableSSL="false"/>
>      <tcpTransport address="localhost" port="10686" enableSSL="true"/>
>    </transports>
>
>    <directoryService>#directoryService</directoryService>
>
>    <!-- The list of supported authentication mechanisms.
> -->
>    <saslMechanismHandlers>
>      <simpleMechanismHandler mech-name="SIMPLE"/>
>      <cramMd5MechanismHandler mech-name="CRAM-MD5" />
>      <digestMd5MechanismHandler mech-name="DIGEST-MD5" />
>      <gssapiMechanismHandler mech-name="GSSAPI" />
>      <ntlmMechanismHandler mech-name="NTLM"
> ntlmProviderFqcn="com.foo.Bar"/>
>      <ntlmMechanismHandler mech-name="GSS-SPNEGO"
> ntlmProviderFqcn="com.foo.Bar"/>
>    </saslMechanismHandlers>
>
>    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and
> GSSAPI. -->
>    <saslRealms>
>      <s:value>example.com</s:value>
>      <s:value>apache.org</s:value>
>    </saslRealms>
>
>    <!-- the collection of extended operation handlers to install
> -->
>    <extendedOperationHandlers>
>      <startTlsHandler/>
>      <gracefulShutdownHandler/>
>      <launchDiagnosticUiHandler/>
>      <!-- The Stored Procedure Extended Operation is not stable yet
> and it may cause security risks.-->
>      <!--storedProcedureExtendedOperationHandler/-->
>    </extendedOperationHandlers>
>  </ldapServer>
>
>  <apacheDS id="apacheDS">
>    <ldapServer>#ldapServer</ldapServer>
>  </apacheDS>
>
> HTTPD.CONF
>
>   LDAPTrustedGlobalCert CA_DER  "C:/Program Files/Apache Software
> Foundation/Apache2.2/certs/ApacheDS_9_28_2009_to_9_28_2010.der"
>
> <Directory "C:/Program Files/Apache Software
> Foundation/Apache2.2/htdocs/XXXXXX_Internal_FW_and_SW_Release_Repository">
>    Order deny,allow
>    Deny from All
>    AuthType Basic
>    AuthName "xxxxxx.com ldap"
>    AuthBasicProvider ldap
>    AuthLDAPUrl ldaps://localhost:10686/dc=xxxxxx,dc=com
>    AuthzLDAPAuthoritative on
>    AuthLDAPBindDN "cn=Frank Rouse,ou=Users,dc=xxxxxx,dc=com"
>    AuthLDAPBindPassword xxxxxx
>    Require valid-user
>    Satisfy any
> </Directory>
>
> ERROR.LOG
>
> [Fri Dec 04 15:51:08 2009] [info] APR LDAP: Built with Microsoft
> Corporation. LDAP SDK
> [Fri Dec 04 15:51:08 2009] [info] LDAP: SSL support unavailable: LDAP:
> CA certificates cannot be set using this method, as they are stored in
> the registry instead.
> .
> .
> .
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client
> 127.0.0.1] [4628] auth_ldap authenticate: using URL
> ldaps://localhost:10686/dc=sensus,dc=com
> [Tue Dec 08 16:13:58 2009] [warn] [client 127.0.0.1] [4628] auth_ldap
> authenticate: user frouse authentication failed; URI
> /Sensus_Internal_FW_and_SW_Release_Repository/ [LDAP:
> ldap_simple_bind_s() failed][Server Down]
>
> Thanks
> --
> Always look on the bright side of life.
>                                     - M Python
>



-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
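As an added example that is not part of this thread or of the ApacheDS project: a small triage script for the Apache error.log excerpt above. It pulls the APR LDAP SDK banner, the "SSL support unavailable" startup notice, the AuthLDAPUrl actually used and each bind failure with its reason, and flags the combination the log shows (an ldaps:// URL on a build that reported SSL support unavailable). The sample log is constructed from the quoted lines, with the wrapped entries rejoined onto single lines and the base DN replaced by a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the error.log quoted in the thread; each entry
# is on one line here (the mail client wrapped them) and the DN is a placeholder.
SAMPLE_LOG = """\
[Fri Dec 04 15:51:08 2009] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Fri Dec 04 15:51:08 2009] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=example,dc=com
[Tue Dec 08 16:13:58 2009] [warn] [client 127.0.0.1] [4628] auth_ldap authenticate: user frouse authentication failed; URI /repo/ [LDAP: ldap_simple_bind_s() failed][Server Down]
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
URL_RE = re.compile(r"using URL (?P<url>ldaps?://\S+)")
FAIL_RE = re.compile(
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[LDAP: (?P<call>[^\]]+)\]\[(?P<reason>[^\]]+)\]"
)
SDK_PREFIX = "APR LDAP: Built with "


def triage_error_log(text: str) -> Dict[str, object]:
    """Summarise the LDAP-relevant facts in an Apache 2.2 error.log excerpt."""
    sdk = None
    ssl_unavailable = False
    urls: List[str] = []
    failures: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation or unrelated line
        msg = m.group("msg")
        if msg.startswith(SDK_PREFIX):
            sdk = msg[len(SDK_PREFIX):]
        if "SSL support unavailable" in msg:
            ssl_unavailable = True
        u = URL_RE.search(msg)
        if u:
            urls.append(u.group("url"))
        f = FAIL_RE.search(msg)
        if f:
            failures.append({"ts": m.group("ts"), **f.groupdict()})
    findings: List[str] = []
    if ssl_unavailable and any(u.startswith("ldaps://") for u in urls):
        findings.append("ldaps:// configured but APR LDAP reported SSL support unavailable at startup; "
                        "this SDK build reads CA certificates from the registry, not LDAPTrustedGlobalCert")
    for f in failures:
        if f["reason"] == "Server Down":
            findings.append(f"bind for {f['user']} failed with 'Server Down': TLS/connection "
                            "never completed, so check the ApacheDS ldap frontend log for the hit")
    return {"sdk": sdk, "ssl_unavailable": ssl_unavailable, "urls": urls,
            "failures": failures, "findings": findings}
```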
