httpd-users mailing list archives

From Dave <mapsa...@hotmail.com>
Subject [users@httpd] httpd <---> ldaps
Date Thu, 05 May 2011 03:24:27 GMT

Greetings.

I haven't had to administer Apache for about 6 or 7 years now, but recently jumped back into it to set up a Subversion repository for developers. I'm working on setting up Subversion on Apache (Linux) to authenticate via ldaps to an Active Directory domain controller. The front-end Subversion client accesses Apache successfully via https. However, I cannot get Apache to talk ldaps while verifying the certs. I've been banging my head against this thing for weeks now, and am beyond frustrated. I've read & researched to no end - scoured the Internet - found others with a similar issue, but no fix yet. Any help anyone could provide would be greatly appreciated.

Sincerely,
Dave

RHEL5.3 x86_64

RPMs:
httpd-2.2.3-45
mod_ssl-2.2.3-45
openssl-0.9.8e-12
openldap-2.3.43-12
subversion-1.6.11-7
mod_dav_svn-1.6.11-7

Active Directory - Windows Server 2003


Was already in httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Added to ssl.conf:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/http/apache_server_cert.pem
SSLCertificateKeyFile /etc/pki/tls/apache_server_key.pem
SSLCACertificateFile /etc/pki/CA/domain_controller_CA_cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire

The following httpd.conf configuration works for authenticating via ldaps without verifying
the certificates:

##############################
# Subversion config

LDAPVerifyServerCert off

<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL

    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"

</Location>

CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

##############################


However, changing LDAPVerifyServerCert to "on" and adding LDAPTrustedGlobalCert pointing to
CA cert (shown below) to verify the certificates gives me a 500 error in the subversion client
(Tortoise), and the below error in ssl_error_log.  I also tried adding a second LDAPTrustedGlobalCert
pointing to apache_server cert, to no avail.

httpd.conf:


##############################

# Subversion config


LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem   ##### Tried with and without this line
LDAPVerifyServerCert on

<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL

    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"

</Location>

CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

##############################

ssl_error_log:
[Wed May 04 17:31:42 2011] [warn] [client 192.168.151.74] [27453] auth_ldap authenticate: user subversion_test authentication failed; URI /repos [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I run "openssl s_client -CApath /etc/pki/CA/ -connect domain_controller.domain.com:636" and
receive "Verify return code:  0 (ok)", so it appears the SSL handshake is fine outside of
Apache:

CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
   i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN                  ##### <--- not sure why it's returning CN=DOMAIN and not CN=domain_controller
...                                          ##### <--- the rest are standard CAs (Verisign, etc)
...
...
---
SSL handshake has read 4776 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1                                      ##### <--- also not sure why it's stating TLSv1 protocol instead of SSL.
    Cipher    : RC4-MD5
    Session-ID: .........................................
    Session-ID-ctx:
    Master-Key: .........................................
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1304534983
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

read:errno=0
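An added example, not from Dave's post or from the httpd project: a small Python lint over the mod_ldap / mod_authnz_ldap directives shown above, applying the checks a reviewer would make before relying on LDAPVerifyServerCert: the CA_BASE64 file must exist and be PEM, CERT_BASE64 is the client-certificate slot (paired with KEY_BASE64) rather than a second trust anchor, the URL must be ldaps://, and the host in AuthLDAPURL must match the CN of the server certificate that s_client reported. The conf text, the file table and the CN value are constructed from the values in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the httpd.conf in the post (not the author's file verbatim).
SAMPLE_CONF = '''
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem
LDAPVerifyServerCert on
<Location /repos>
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
</Location>
'''
# Constructed stand-in for the files on disk: path -> first line of the file (absent = missing).
SAMPLE_FILES = {
    "/etc/pki/CA/domain_controller_CA_cert.pem": "-----BEGIN CERTIFICATE-----",
    "/etc/pki/tls/http/apache_server_cert.pem": "-----BEGIN CERTIFICATE-----",
}

def lint_ldap_tls(conf, files, server_cert_cn=None):
    """Check mod_ldap / mod_authnz_ldap TLS settings in conf; return a list of findings."""
    findings = []
    m = re.search(r'^\s*LDAPVerifyServerCert\s+(\w+)', conf, re.M | re.I)
    if m is None or m.group(1).lower() != "on":
        findings.append("LDAPVerifyServerCert is not 'on': the bind password and every user's "
                        "credentials are sent to a server whose certificate is never checked")
    certs = {k.upper(): p for k, p in
             re.findall(r'^\s*LDAPTrustedGlobalCert\s+(\w+)\s+(\S+)', conf, re.M | re.I)}
    if not any(k.startswith("CA_") for k in certs):
        findings.append("no LDAPTrustedGlobalCert CA_* entry, so there is nothing to verify against")
    if "CERT_BASE64" in certs and "KEY_BASE64" not in certs:
        findings.append("CERT_BASE64 is the client-certificate slot (needs KEY_BASE64); "
                        "it does not add trust for the server certificate")
    for kind, path in certs.items():
        head = files.get(path)
        if head is None:
            findings.append(f"{kind} file missing: {path}")
        elif kind.endswith("_BASE64") and not head.startswith("-----BEGIN"):
            findings.append(f"{kind} is declared PEM but {path} is not PEM")
    for url in re.findall(r'^\s*AuthLDAPURL\s+"?(\S+?)"?(?:\s|$)', conf, re.M | re.I):
        u = urlparse(url)
        if u.scheme.lower() != "ldaps":
            findings.append(f"AuthLDAPURL is not ldaps://: {url}")
        elif server_cert_cn and u.hostname != server_cert_cn.lower():
            findings.append(f"URL host {u.hostname} != server certificate CN {server_cert_cn}; "
                            "verification fails on hostname mismatch")
    return findings
```

Feed it the real httpd.conf text and the subject CN from the s_client output; an empty list means none of these configuration-level causes applies and the problem lies elsewhere (the trust store contents or the server's chain).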
