From: Dave <mapsacct@hotmail.com>
To: users@httpd.apache.org
Date: Wed, 4 May 2011 23:24:27 -0400
Subject: [users@httpd] httpd <---> ldaps

Greetings.

I haven't had to administer Apache for about 6 or 7 years now, but recently jumped back into it to set up a subversion repository for developers. I'm working on setting up subversion on Apache (Linux) to authenticate via ldaps to an Active Directory domain controller. Front end subversion client accesses Apache successfully via https. However, I cannot get Apache to talk ldaps while verifying the certs. I've been banging my head against this thing for weeks now, and am beyond frustrated. I've read & researched to no end - scoured the Internet - found others with a similar issue, but no fix yet. Any help anyone could provide would be greatly appreciated.

Sincerely,
Dave

RHEL5.3 x86_64
RPMs:
httpd-2.2.3-45
mod_ssl-2.2.3-45
openssl-0.9.8e-12
openldap-2.3.43-12
subversion-1.6.11-7
mod_dav_svn-1.6.11-7

Active Directory - Windows Server 2003

Was already in httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Added to ssl.conf:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/http/apache_server_cert.pem
SSLCertificateKeyFile /etc/pki/tls/apache_server_key.pem
SSLCACertificateFile /etc/pki/CA/domain_controller_CA_cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire

The following httpd.conf configuration works for authenticating via ldaps without verifying the certificates:

##############################
# Subversion config

LDAPVerifyServerCert off

<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL

    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"

</Location>

CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

##############################


However, changing LDAPVerifyServerCert to "on" and adding LDAPTrustedGlobalCert pointing to CA cert (shown below) to verify the certificates gives me a 500 error in the subversion client (Tortoise), and the below error in ssl_error_log. I also tried adding a second LDAPTrustedGlobalCert pointing to apache_server cert, to no avail.
httpd.conf:


##############################
# Subversion config

LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem    ##### Tried with and without this line
LDAPVerifyServerCert on

<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL

    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"

</Location>

CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

##############################

ssl_error_log:
[Wed May 04 17:31:42 2011] [warn] [client 192.168.151.74] [27453] auth_ldap authenticate: user subversion_test authentication failed; URI /repos [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I run "openssl s_client -CApath /etc/pki/CA/ -connect domain_controller.domain.com:636" and receive "Verify return code: 0 (ok)", so it appears the SSL handshake is fine outside of Apache:

CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
   i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN                 ##### <--- not sure why it's returning CN=DOMAIN and not CN=domain_controller
...                                         ##### <--- the rest are standard CAs (Verisign, etc)
...
...
---
SSL handshake has read 4776 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1                       ##### <--- also not sure why it's stating TLSv1 protocol instead of SSL.
    Cipher    : RC4-MD5
    Session-ID: .........................................
    Session-ID-ctx:
    Master-Key: .........................................
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1304534983
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

read:errno=0
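The message above turns LDAPVerifyServerCert on and hands mod_ldap a CA file via LDAPTrustedGlobalCert CA_BASE64, then checks the server with openssl s_client -CApath. Those are not the same test: mod_ldap is given one PEM file, not a hashed directory, and the OpenLDAP client it uses on RHEL also checks the server's hostname against the certificate when it demands a valid one, and on failure all that reaches the httpd log is the generic "Can't contact LDAP server" seen above. The script below is an added example, not part of the original post or of httpd, that runs the three conditions offline before anything is changed in httpd.conf: the CA file parses as PEM (the CA_BASE64 type), the server certificate chains to that CA file, and the certificate CN equals the host named in AuthLDAPURL. It generates a throwaway CA and server certificate in a temporary directory; every name and path in it (example-ca, other-ca, ldap.example.test) is constructed for the demonstration, and it assumes an openssl binary whose "req -x509" marks the self-signed certificate as a CA, which current releases do by default.

```shell
#!/bin/sh
# Added example (not from the original post or httpd). Builds a throwaway
# PKI and runs the checks that must hold before "LDAPVerifyServerCert on"
# can accept an ldaps:// server. All names below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two-level test PKI: CA -> server cert, plus a DER copy of the CA (right
# bytes, wrong type for CA_BASE64) and an unrelated CA for the failure path.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=test/DC=example/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=test/DC=other/CN=other-ca" \
        -keyout "$dir/other_ca.key" -out "$dir/other_ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Org/CN=ldap.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der"
}

# 1. CA_BASE64 means PEM: does openssl read the file as PEM at all?
check_pem_ca() {
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# 2. Does the server certificate chain to this single CA file? This is the
#    file-based check mod_ldap makes, not the -CApath directory lookup.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. Does the subject CN equal the host written in AuthLDAPURL? RFC2253
#    output is "subject=CN=host,O=Org,C=US", so CN is comma-delimited.
check_cn() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
           | sed 's/^subject=[[:space:]]*//')
    case ",$subj," in
        *",CN=$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks and print a verdict; returns the number of failures.
run_checks() {
    ca=$1; cert=$2; host=$3; failed=0
    if check_pem_ca "$ca"; then echo "ok   CA file is PEM (CA_BASE64)"
    else echo "FAIL CA file is not PEM: use CA_DER or convert it"; failed=$((failed+1)); fi
    if check_chain "$ca" "$cert"; then echo "ok   server cert chains to CA file"
    else echo "FAIL server cert does not chain to this CA file"; failed=$((failed+1)); fi
    if check_cn "$cert" "$host"; then echo "ok   certificate CN matches $host"
    else echo "FAIL certificate CN does not match $host"; failed=$((failed+1)); fi
    return $failed
}

make_test_pki "$WORK"
echo "--- correct CA file and host:"
run_checks "$WORK/ca.pem" "$WORK/server.pem" ldap.example.test
echo "--- same server cert, unrelated CA file and wrong host:"
run_checks "$WORK/other_ca.pem" "$WORK/server.pem" ldap.wrong.test || true
```

To use it against a real deployment, replace the generated files with the CA file named in LDAPTrustedGlobalCert and the server certificate saved from "openssl s_client -showcerts", and pass the host exactly as it appears in AuthLDAPURL; a DER-encoded CA file fails the first check and needs the CA_DER type instead of CA_BASE64, and a CN that names a different host than the URL fails the third even though the chain itself is fine.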