Date: Tue, 8 Dec 2009 17:32:16 -0500
Message-ID: <69e517540912081432h13c273c1qf9e9bfeec424abac@mail.gmail.com>
Subject: ApacheDS Apache web server ldaps connection problem.
From: Frank Rouse
To: users@directory.apache.org

I am having issues getting an Apache web server to authenticate users using the ldaps port of an ApacheDS server. I have been over and over these settings and I'm almost convinced that there is something simple, maybe hidden, that I am missing. I'm hoping the collective wisdom of the internet can succeed where I have failed. Any information would be appreciated.

Environment
  Windows XP SP3
  Apache Web Server 2.2
  ApacheDS Server 1.5.5

Current State
1. I can authenticate users from Apache using the unsecure ldap 10389 port. Of course this means that userids/passwords are sent in plaintext.
2. I can connect to the secure ldap 10686 port with the JExplorer client. It will prompt me to accept an SSL certificate. I have saved this certificate for later use.
3. I have written my own Java code that can access and modify ldap information using the secure 10686 port. In order for this code to work I have to import the SSL certificate I saved from JExplorer into my local jvm cacerts file.
4. There is an Openldap server that the Apache web server can authenticate users on over the secure ldap port.
5. There is some text within the Apache web server error.log that states the following:
   LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
   I looked into this and there was some reference to storing the certificate in the Windows registry using the certificate snap-in under mmc. I tried that and installed the certificate in Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates, but nothing changed.
Below are the relevant parts of my "server.xml" and "httpd.conf" files as well as part of the Apache Web Server error.log (there wasn't much useful information in the apacheds-rolling.log file).

SERVER.XML
#directoryService example.com apache.org #ldapServer

HTTPD.CONF
LDAPTrustedGlobalCert CA_DER "C:/Program Files/Apache Software Foundation/Apache2.2/certs/ApacheDS_9_28_2009_to_9_28_2010.der"

Order deny,allow
Deny from All
AuthType Basic
AuthName "xxxxxx.com ldap"
AuthBasicProvider ldap
AuthLDAPUrl ldaps://localhost:10686/dc=xxxxxx,dc=com
AuthzLDAPAuthoritative on
AuthLDAPBindDN "cn=Frank Rouse,ou=Users,dc=xxxxxx,dc=com"
AuthLDAPBindPassword xxxxxx
Require valid-user
Satisfy any

ERROR.LOG
[Fri Dec 04 15:51:08 2009] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Fri Dec 04 15:51:08 2009] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
. . .
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [debug] mod_authnz_ldap.c(377): [client 127.0.0.1] [4628] auth_ldap authenticate: using URL ldaps://localhost:10686/dc=sensus,dc=com
[Tue Dec 08 16:13:58 2009] [warn] [client 127.0.0.1] [4628] auth_ldap authenticate: user frouse authentication failed; URI /Sensus_Internal_FW_and_SW_Release_Repository/ [LDAP: ldap_simple_bind_s() failed][Server Down]

Thanks

--
Always look on the bright side of life.
                                        - Monty Python
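The error.log above says what the Windows build of mod_ldap is doing with the certificate: "Built with Microsoft Corporation. LDAP SDK" followed by "CA certificates cannot be set using this method, as they are stored in the registry instead" means LDAPTrustedGlobalCert is ignored on this build and trust is decided by the Windows certificate store, not by the .der file httpd.conf points at. Before going further into the store, it is worth checking two things the post never confirms: that the certificate exported from JExplorer is the one port 10686 actually presents, and whether that certificate names the host used in AuthLDAPUrl (localhost) at all. The script below is an added diagnostic written for this thread; it is not code from the post, from ApacheDS or from httpd. It parses a DER certificate with the standard library only (no signature validation, just structure), reports subject/issuer CN, validity, subjectAltName entries, whether issuer and subject are byte-identical (self-signed) and the SHA-256 fingerprint, and can perform a real TLS handshake trusting only the exported file. The host "localhost" and port 10686 are taken from the post; the file name ldaps_cert_check.py and the sample certificate (a constructed, unsigned certificate with dummy key and signature bytes, built in code so the parser can be exercised offline) are assumptions for illustration.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone
# Added diagnostic for the ldaps:// trust problem in this thread; not code from the post, ApacheDS or httpd.
OID_CN = bytes.fromhex("550403")   # id-at-commonName
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; handles short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _name_cn(name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return the first commonName, or None."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            oid, val = _children(atv)[:2]
            if oid[1] == OID_CN:
                return val[1].decode("utf-8", "replace")

def _san_names(extensions):
    """Collect DNS and IPv4 entries from the subjectAltName extension, if there is one."""
    names = []
    for _, ext in _children(extensions):  # Extension ::= SEQUENCE {extnID, [critical], extnValue}
        parts = _children(ext)
        if parts[0][1] != OID_SAN:
            continue
        general_names = _children(parts[-1][1])[0][1]   # extnValue OCTET STRING wraps a GeneralNames SEQUENCE
        for gtag, gval in _children(general_names):
            if gtag == 0x82:                                # [2] dNSName
                names.append("DNS:" + gval.decode("ascii"))
            elif gtag == 0x87 and len(gval) == 4:           # [7] iPAddress (IPv4)
                names.append("IP:" + ".".join(str(b) for b in gval))
    return names

def describe_cert(der):
    """Summarize a DER certificate: names, issuer, validity window, SANs and SHA-256 fingerprint."""
    fields = _children(_children(_read_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                                    # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = (datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
                             .replace(tzinfo=timezone.utc) for t, v in _children(validity))  # UTCTime / GeneralizedTime
    sans = [n for t, v in fields[6:] if t == 0xA3 for n in _san_names(_children(v)[0][1])]  # [3] EXPLICIT Extensions
    return {"subject_cn": _name_cn(subject), "issuer_cn": _name_cn(issuer),
            "self_signed": issuer == subject,   # identical issuer/subject: nothing above it to import as a CA
            "not_before": not_before, "not_after": not_after, "san": sans,
            "sha256": hashlib.sha256(der).hexdigest()}

def names_host(desc, host):
    """True if host is in the SAN (DNS or IP). Only when there is no SAN does the CN count, as older clients do."""
    names = [n.split(":", 1)[1] for n in desc["san"]] or [desc["subject_cn"] or ""]
    return host.lower() in (n.lower() for n in names)

def verify_with_ca(host, port, ca_der):
    """Full TLS handshake trusting only ca_der (DER bytes), with hostname check; None on success, else the error text."""
    ctx = ssl.create_default_context(cadata=ca_der)   # cadata accepts DER bytes directly
    try:
        with socket.create_connection((host, port), timeout=5) as sock, ctx.wrap_socket(sock, server_hostname=host):
            return None
    except (ssl.SSLError, OSError) as exc:
        return str(exc)

def _tlv(tag, body):
    """Tiny DER encoder (minimal length form), used only to build the constructed sample certificate below."""
    lb = b"" if len(body) < 128 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def build_sample_cert():
    """Constructed sample: self-signed shape, dummy key and signature bytes, SAN for localhost and 127.0.0.1."""
    seq = lambda *items: _tlv(0x30, b"".join(items))
    name = seq(_tlv(0x31, seq(_tlv(0x06, OID_CN), _tlv(0x0C, b"apacheds.example.test"))))
    validity = seq(_tlv(0x17, b"090928000000Z"), _tlv(0x17, b"100928000000Z"))
    sig_alg = seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))  # sha256WithRSAEncryption
    spki = seq(seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b"")), _tlv(0x03, b"\x00" * 33))
    san = seq(_tlv(0x82, b"localhost"), _tlv(0x87, bytes([127, 0, 0, 1])))
    exts = _tlv(0xA3, seq(seq(_tlv(0x06, OID_SAN), _tlv(0x04, san))))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), sig_alg, name, validity, name, spki, exts)
    return seq(tbs, sig_alg, _tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":   # live check against the endpoint from the post; argv[1] = exported .der file (optional)
    import sys
    HOST, PORT = "localhost", 10686
    live = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((HOST, PORT)))  # no trust check: inspection only
    desc = describe_cert(live)
    print(desc, "\nnames %s: %s" % (HOST, names_host(desc, HOST)))
    if len(sys.argv) > 1:
        ca = open(sys.argv[1], "rb").read()
        print("exported file is the live cert:", hashlib.sha256(ca).hexdigest() == desc["sha256"])
        print("handshake trusting only that file:", verify_with_ca(HOST, PORT, ca) or "OK")
```

Run it on the web server box as `python ldaps_cert_check.py "C:/Program Files/Apache Software Foundation/Apache2.2/certs/ApacheDS_9_28_2009_to_9_28_2010.der"`. Three outcomes matter: a fingerprint mismatch means the file in httpd.conf (and in Trusted Root) is not the certificate the server is serving; `self_signed: True` means the server certificate itself is the thing to trust, so Trusted Root Certification Authorities is the right store for it; `names localhost: False` means any client that checks the host name will refuse the connection no matter where the certificate is installed, and the fix is a certificate that carries the name in AuthLDAPUrl (or an AuthLDAPUrl that uses a name the certificate carries). Two caveats: `ssl.get_server_certificate` performs no verification, so use it only to look at what is presented, and the Python handshake trusts the file you pass, not the Windows store, so a pass here shows the certificate and host name are consistent, not that the Microsoft LDAP SDK will accept them.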