httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gernot Hassenpflug <gernot.hassenpf...@asahinet.com>
Subject [users@httpd] how to configure mod_authnz_ldap to use LDAPS with non-standard port?
Date Fri, 28 Feb 2014 02:44:12 GMT
Dear group,
This is my first post here, so please be kind if I am missing some
simple information I should check first.

(I posted several days ago but after replying to the authentication mail
I saw nothing, so I am trying again, with a different email address)

I am trying to figure out how to force mod_authnz_ldap to use a
non-standard port for an LDAPS connection using
ldaps://<server>:<port>/....

At present we simply get an Internal Error in the browser and the
following type of message in the logs, with no packets at all detected
with tcpdump:
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Background
----------

At our company, we use CentOS5 and CentOS6 for LDAP gateway servers.
These servers run httpd with mod_authnz_ldap set up to connect to
customers' LDAP and AD servers.

CentOS5:
openldap: 2.3.43-27.el5_10
httpd: 2.2.3-31.el5.centos.4

CentOS6:
openldap: 2.4.23-34.el6_5.1
httpd: 2.4.23-34.el6_5.1

In the past, there had been problems with mutually-exclusive mod_ldap
settings needed to get either non-SSL (standard port 389 or non-standard
ports) or SSL (on standard port 636) to work with mod_authnz_ldap
(either "LDAPTrustedMode SSL" or "LDAPTrustedMode None" required), so we
have two types of setup based on that.

We have successfully used the non-SSL URI (LDAP) with non-standard
ports, as in this snippet for an AD server connection:

<AuthnProviderAlias ldap ldapservice1>
AuthLDAPBindDN "cn=...,ou=...,dc=...,dc=..."
AuthLDAPBindPassword "..."
AuthLDAPURL "ldap://<serverIP1>:<port>,<serverIP2>:<port>/ou=...,dc=...,dc=...?sAMAccountName"
</AuthnProviderAlias>

ldapsearch
----------

ldapsearch works perfectly well using -H ldaps://<server>:<port>... for
a non-standard port, so the /etc/openldap/ldap.conf file seems to be in
order. The only change from default is the addition of the following
line to permit connection to AD server without certificate verification
(sidenote: we did use openssl to verify that the chain has no problems):
TLS_REQCERT never

Problem with non-standard port for ldaps URI
--------------------------------------------

However, when using ldaps://<server>:<port> syntax, the module still
insists on using port 636.

For my mod_ldap settings I have made sure to turn off the extension
LDAPTrustedMode, since it defaults to port 636 if set to "SSL". I also
have the local CA authority certificate available (although usually it
is simple to test that the LDAP server queries works with
"LDAPVerifyServerCert off")

Use of tcpdump shows no packets at all, but as soon as port is set to
636, or left our entirely, then packets are shown and the connection
works.


Here is the complete general configuration of mod_authnz_ldap:

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/<ADserverCAcert>.pem
LDAPVerifyServerCert on
#LDAPTrustedMode SSL
#LDAPTrustedMode NONE

LDAPConnectionTimeout 1


Here the configuration of the directory to be protected:

<Directory "/var/www/protecteddir">
  # from mod_auth_basic:
  AuthType basic
  AuthName "privateauth user authentication"
  AuthBasicProvider ldap
  # from mod_authnz_ldap:
  AuthzLDAPAuthoritative off
  AuthLDAPBindDN "cn=...,ou=...,dc=...,dc=..."
  AuthLDAPBindPassword RoSYS302
  AuthLDAPURL
ldaps://<server>:50001/ou=...,ou=...,dc=...,dc=...,dc=...?sAMAccountName?sub?(objectClass=person)
  Require valid-user
</Directory>


Is this a configuration bug (LDAP settings forcing a default
somewhere?), a misconfiguration of mod_authnz_ldap, or a bug?

Any hints or advice much appreciated.
Regards,
Gernot Hassenpflug
Tokyo, Japan
-- 
ASAHI Net, Inc.
Tokyo, Japan


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message