httpd-users mailing list archives

From Dick Davies <rasput...@hellooperator.net>
Subject Re: [users@httpd] Apache 2.0.52 / mod_ldap / mod_auth_ldap / openldap 2.1.30 / tls
Date Wed, 10 Nov 2004 16:41:44 GMT
* Mailing List <mailinglist@kikamedical.net> [1107 13:07]:
> Hi,
> 
> I have a problem making apache 2.0.52 do authentication
> against an openldap 2.1.30 server using a TLS encrypted
> connection.

TLS != SSL - SSL is what you run on port 636 (ldaps), and it's encrypted
from the first packet. startTLS is run over the usual 389 port, and happens
when the server effectively says 'start encryption' (you can see the difference
if you run tcpdump or a similar packet sniffer).

I don't think mod_auth_ldap (for apache2) can do TLS
connections (i.e. StartTLS over port 389).
I had to enable an ldaps:// listener in openldap
for this to work... it's easy enough to do, just add a 'ldaps://whatever'
after your ldap://whatever in the slapd init script.

 
> Here is my global config of apache for ldap stuff:
> 
> <IfDefine LDAP>
>   <IfModule !util_ldap.c>
>     LoadModule ldap_module    extramodules/mod_ldap.so
>     LDAPTrustedCA conf/ssl/kika.pem
>     LDAPTrustedCAType BASE64_FILE
>   </IfModule>
> </IfDefine>
> 
> <IfDefine AUTH_LDAP>
>   <IfModule !mod_auth_ldap.c>
>     LoadModule auth_ldap_module   extramodules/mod_auth_ldap.so
>   </IfModule>
> </IfDefine>
> 
> <IfModule util_ldap.c>
> 
>     LDAPSharedCacheSize 200000
>     LDAPCacheEntries 1024
>     LDAPCacheTTL 600
>     LDAPOpCacheEntries 1024
>     LDAPOpCacheTTL 600
> 
>     <Location /ldap-status>
>         SetHandler ldap-status
>         Order deny,allow
>         Deny from all
>         Allow from 127.0.0.1
>         Allow from 10.70.30.132
>         AuthType basic
>         AuthName "Test LDAP"
>         AuthLDAPEnabled on
>         AuthLDAPURL ldap://mars.kika.loc/dc=kikamedical,dc=net?uid?sub
>         AuthLDAPAuthoritative on
>         require valid-user
>     </Location>
> 
> </IfModule>
> 
> The error message on the apache side is:
> 
> [Wed Nov 10 13:13:10 2004] [warn] [client 127.0.0.1] [8704] auth_ldap 
> authenticate: user dsacchet authentication failed; URI /ldap-status 
> [ldap_search_ext_s() for user failed][Strong(er) authentication required]
> 
> It is normal because I require an ssf of 2, which is only the case with
> a plain password and an encrypted connection (tls in this case)
> 
> If I change :
> 
> AuthLDAPURL ldap://mars.kika.loc/dc=kikamedical,dc=net?uid?sub
> 
> to :
> 
> AuthLDAPURL ldaps://mars.kika.loc:389/dc=kikamedical,dc=net?uid?sub
> 
> The apache side tells me:
> 
> [Wed Nov 10 13:18:19 2004] [warn] [client 127.0.0.1] [8834] auth_ldap 
> authenticate: user dsacchet authentication failed; URI /ldap-status 
> [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

This looks like it's either ignoring the port or  
> And on the ldap server, in the log file, I only see a connection 
> immediately followed by a connection closed.
> 
> If I delete the :389, I return to a "Can't contact server" because my 
> ldap server only accepts tls sessions on port 389 (and not ssl on the 
> ldaps port, which I don't know :)
> 
> So my question is, how do I activate a TLS connection?
> 
> Thx for your help
> 
> Denis Sacchet
> 
-- 
You may need to metaphorically make a deal with the devil.
By 'devil' I mean robot devil and by 'metaphorically' I mean get your coat. - Bender
Rasputin :: Jack of All Trades - Master of Nuns

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
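The reply's point (ldaps:// means TLS from the first byte on 636, StartTLS means a plain session on 389 that is upgraded later, and mod_auth_ldap 2.0 only does the former) explains both log lines in the quoted message. The following is an added example, not code from the thread, from mod_auth_ldap or from OpenLDAP: it parses an AuthLDAPURL in the shape mod_auth_ldap uses (scheme://host[:port]/basedn?attribute?scope?filter), models which ports a slapd listens on, and predicts the outcome of each of the poster's three URLs and of the fix. The `Slapd` class, the verdict codes and the assumption that the client never sends StartTLS are constructed for this example.

```python
"""Predict how an Apache mod_auth_ldap AuthLDAPURL fares against an OpenLDAP
server, reproducing the two failures in the thread.

Added example; not code from the thread, mod_auth_ldap or OpenLDAP.
Assumptions, both taken from the reply above: mod_auth_ldap 2.0 never issues
StartTLS, and slapd rejects operations on a plaintext session when its
security policy demands an encrypted one.
"""
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter (RFC 2255 shape)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("AuthLDAPURL needs ldap:// or ldaps:// and a host: %r" % url)
    # mod_auth_ldap separates attribute, scope and filter with '?', so the
    # text after the first '?' is split on '?' again rather than on '&'.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


class Slapd:
    """Constructed model of a slapd: ports that speak LDAP in the clear (and
    offer StartTLS there), ports that expect a TLS handshake as the very
    first bytes (ldaps), and whether policy refuses work on a clear session."""

    def __init__(self, plain_ports=(389,), ldaps_ports=(), requires_tls=False):
        self.plain_ports = set(plain_ports)
        self.ldaps_ports = set(ldaps_ports)
        self.requires_tls = requires_tls

    def listen_urls(self):
        """Space-separated URL list for slapd's -h option, i.e. the line the
        reply says to extend with an ldaps:// entry in the init script."""
        def fmt(scheme, port):
            if port == DEFAULT_PORTS[scheme]:
                return "%s:///" % scheme
            return "%s://0.0.0.0:%d/" % (scheme, port)
        return " ".join([fmt("ldap", p) for p in sorted(self.plain_ports)]
                        + [fmt("ldaps", p) for p in sorted(self.ldaps_ports)])


def predict(url, server):
    """Verdict code for the session mod_auth_ldap would open with this URL."""
    u = parse_auth_ldap_url(url)
    if u["scheme"] == "ldaps":
        if u["port"] in server.ldaps_ports:
            return "ok"                  # encrypted from the first packet
        if u["port"] in server.plain_ports:
            # A TLS ClientHello lands on a port expecting an LDAP PDU; slapd
            # drops the connection and Apache logs "Can't contact LDAP server".
            return "handshake_mismatch"
        return "no_listener"             # nothing accepts on that port at all
    # ldap:// is a plaintext session; by assumption no StartTLS is ever sent,
    # so the server's ssf policy decides whether any operation is allowed.
    if u["port"] not in server.plain_ports:
        return "no_listener"
    if server.requires_tls:
        return "refused_plaintext"       # "Strong(er) authentication required"
    return "ok_plaintext"                # works, but credentials cross the wire in clear


if __name__ == "__main__":
    base = "mars.kika.loc/dc=kikamedical,dc=net?uid?sub"
    # The poster's server: StartTLS only, on 389, with an ssf policy set.
    before = Slapd(plain_ports=(389,), requires_tls=True)
    for url in ("ldap://" + base, "ldaps://" + base, "ldaps://" + base.replace("/", ":389/", 1)):
        print(url, "->", predict(url, before))
    # The reply's fix: add an ldaps listener and point Apache at it.
    after = Slapd(plain_ports=(389,), ldaps_ports=(636,), requires_tls=True)
    print("slapd -h", repr(after.listen_urls()))
    print("ldaps://" + base, "->", predict("ldaps://" + base, after))
```

Running it maps the poster's first URL to `refused_plaintext`, the `ldaps://...:389` attempt to `handshake_mismatch` (the "connection immediately followed by connection closed" seen in the slapd log), and the bare `ldaps://` attempt to `no_listener`; only the configuration with `ldaps:///` added to slapd's listener list yields `ok`.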

