Author: tomblue (n00b)
Joined: 29 Jul 2008 | Posts: 14 | Location: Ilmenau / Germany
Posted: Tue Jul 28, 2009 2:01 pm
Post subject: [Solved] getting Apache 2.2 to authenticate via secure ldap
Hi all,
I'm struggling getting my Apache server to authenticate via secure ldap against an existing Windows 2k3 domain controller so that users can access a subversion repository with their known user credentials. Unencrypted authentication using "ldap://..." works fine though!
- I've exported the server certificate from the Windows box and stored it on the Gentoo server.
- converted it to pem format:
Code:
    openssl x509 -in ActiveDirectory_Cert.pem.cer -out ActiveDirectory_Cert.pem
- checked that the certificate actually works:
Code:
    openssl s_client -connect dc01.domain.prv:3269 -CAfile /etc/openldap/ssl/ActiveDirectory_Cert.pem
which returned a satisfying
Code:
    Verify return code: 0 (ok)
- tweaked the ldap.conf and added the following lines:
Code:
    TLS_REQCERT allow
    TLS_CACERT /etc/openldap/ssl/ActiveDirectory_Cert.pem
    SASL_SECPROPS maxssf=0
- checked that ldapsearch can access the directory:
Code:
    ldapsearch -x -H ldaps://dc01.domain.prv:3269 -D 'CN=LDAP Account,OU=Admin Accounts,DC=domain,DC=prv' -W
which returns tons of active directory objects. So the server can talk to the AD controller perfectly via ldaps.
Apache refuses to contact the domain controller though - it is unfortunately not giving me much information when running in debug mode either. The only error I'm getting is:
Code:
    [warn] [client 10.xxx.xxx.xxx] [5973] auth_ldap authenticate: user user01 authentication failed; URI /svn/project [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
I've set up the following configs:

47_mod_dav_svn.conf:
Code:
    <IfDefine SVN>
        <IfModule !mod_dav_svn.c>
            LoadModule dav_svn_module modules/mod_dav_svn.so
        </IfModule>
        LDAPVerifyServerCert Off
        LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/ssl/ActiveDirectory_Cert.pem
        <Location /svn/>
            DAV svn
            SVNParentPath /var/svn/repositories/
            SVNListParentPath on
            RedirectMatch ^(/svn)$ $1/
            AuthBasicProvider ldap
            AuthUserFile /dev/null
            AuthType Basic
            order allow,deny
            allow from all
            AuthName "SVN Login"
            AuthLDAPURL ldaps://dc01.domain.prv:3269/OU=EMEA,DC=domain,DC=prv?sAMAccountName?sub?(objectClass=user)
            #AuthLDAPURL ldap://dc01.domain.prv:3268/OU=EMEA,DC=domain,DC=prv?sAMAccountName?sub?(objectClass=user)
            AuthLDAPBindDN svnadmin@domain.prv
            AuthLDAPBindPassword hackme
            Require ldap-group cn=svnusers,ou=Access_Groups,ou=xxx,ou=Germany,ou=EMEA,dc=domain,dc=prv
            Require ldap-group cn=svnadmins,ou=Access_Groups,ou=xxx,ou=Germany,ou=EMEA,dc=domain,dc=prv
            satisfy all
        </Location>
        Include /var/svn/httpd/*.conf
        <IfDefine SVN_AUTHZ>
            <IfModule !mod_authz_svn.c>
                LoadModule authz_svn_module modules/mod_authz_svn.so
            </IfModule>
        </IfDefine>
    </IfDefine>

00_default_vhost.conf:
Code:
    <IfDefine DEFAULT_VHOST>
        Listen 80
        NameVirtualHost *:80
        <VirtualHost *:80>
            ServerName svnserver
            Include /etc/apache2/vhosts.d/default_vhost.include
            <IfModule mpm_peruser_module>
                ServerEnvironment apache apache
            </IfModule>
        </VirtualHost>
    </IfDefine>

default_vhost.include:
Code:
    <Directory "/var/www/localhost/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule alias_module>
        ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
    </IfModule>
    <Directory "/var/www/localhost/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

packages:
Code:
    www-servers/apache-2.2.10
    net-nds/openldap-2.3.43
What am I missing? I'm pretty sure that there's some option or setting I'm missing... Any help would be greatly appreciated.
Thanks in advance!!
Last edited by tomblue on Wed Jul 29, 2009 7:19 am; edited 1 time in total
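For comparison, here is the same <Location> block written so that the LDAPS channel is actually verified against the exported CA certificate and the bind account is a read-only lookup account. This is an added example, not the poster's configuration; the hostname, OU path and group DNs are taken from the thread, while the bind account name (svnlookup) and its password are placeholders.

```apache
# Added example (not from the original post): hardened LDAPS auth for the SVN location.
# With LDAPVerifyServerCert Off, Apache accepts any certificate the server presents,
# so the TLS session encrypts the traffic but does not authenticate the domain controller.
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/ssl/ActiveDirectory_Cert.pem

<Location /svn/>
    DAV svn
    SVNParentPath /var/svn/repositories/
    SVNListParentPath on
    RedirectMatch ^(/svn)$ $1/

    AuthType Basic
    AuthName "SVN Login"
    AuthBasicProvider ldap
    # Global catalog over LDAPS. With verification on, the certificate's subject/SAN
    # must match the hostname used here (dc01.domain.prv), not an IP or an alias.
    AuthLDAPURL "ldaps://dc01.domain.prv:3269/OU=EMEA,DC=domain,DC=prv?sAMAccountName?sub?(objectClass=user)"
    # Placeholder read-only lookup account; keep this file unreadable to other local users.
    AuthLDAPBindDN "svnlookup@domain.prv"
    AuthLDAPBindPassword "CHANGE_ME"
    # Do not fall through to another authz provider when the group lookup fails.
    AuthzLDAPAuthoritative On
    # In Apache 2.2 several Require lines in one container are OR'ed: membership in
    # either group grants access, so keep the list to the groups that really need it.
    Require ldap-group CN=svnusers,OU=Access_Groups,OU=xxx,OU=Germany,OU=EMEA,DC=domain,DC=prv
    Require ldap-group CN=svnadmins,OU=Access_Groups,OU=xxx,OU=Germany,OU=EMEA,DC=domain,DC=prv
</Location>
```

If the bind then fails with LDAPVerifyServerCert On but works with Off, the exported certificate or its hostname is the problem rather than the Apache build, which is exactly the distinction the "Can't contact LDAP server" message hides.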
Author: cach0rr0 (Bodhisattva)
Joined: 13 Nov 2008 | Posts: 4123 | Location: Houston, Republic of Texas
Posted: Tue Jul 28, 2009 4:21 pm
you might change Apache's LogLevel to 'debug' and see if it doesn't give more information
I keep finding heaps of threads ranging from CN mismatch (which shouldn't affect you, as you've disabled verification), to bugs in gnutls
None of them seem to fit here, but in every case raising the level of logging proved useful.
Author: tomblue (n00b)
Joined: 29 Jul 2008 | Posts: 14 | Location: Ilmenau / Germany
Posted: Tue Jul 28, 2009 5:31 pm
Post subject: getting Apache 2.2 to authenticate via secure ldap
Hi,
I already set Apache to debug but had no success.... It writes quite heavily into the logfile. The LDAP part writes some more information too: that it is using server dc01.domain.prv on port 3269, that it is using the filters set in the AuthLDAPURL, even that it is using SSL.
But when it comes to the crucial point it just says: "Can't contact LDAP server" and is done with it. No details regarding certificate issues or anything.
Regards
Author: malern (Apprentice)
Joined: 19 Oct 2006 | Posts: 170
Posted: Tue Jul 28, 2009 6:49 pm
Are you sure this directive is correct?
Code:
    AuthLDAPBindDN svnadmin@domain.prv
I realise you've changed it for privacy reasons, but I would have expected a format more like
Code:
    AuthLDAPBindDN CN=svnadmin,DC=domain,DC=prv
At least that's the format I use with openldap, maybe it's different with Windows AD?
Author: cach0rr0 (Bodhisattva)
Joined: 13 Nov 2008 | Posts: 4123 | Location: Houston, Republic of Texas
Posted: Tue Jul 28, 2009 10:25 pm
malern wrote:
    Are you sure this directive is correct?
    Code:
        AuthLDAPBindDN svnadmin@domain.prv
    I realise you've changed it for privacy reasons, but I would have expected a format more like
    Code:
        AuthLDAPBindDN CN=svnadmin,DC=domain,DC=prv
    At least that's the format I use with openldap, maybe it's different with Windows AD?

good catch
though, I will say that's the userPrincipalName in AD, and is in MS world the preferred auth format going forward, over DOMAIN\user.
possible, though
Author: cach0rr0 (Bodhisattva)
Joined: 13 Nov 2008 | Posts: 4123 | Location: Houston, Republic of Texas
Posted: Wed Jul 29, 2009 3:58 am
you know, the other thing you can do with hopes of seeing a more usable error....
strace apache, attempt the auth, and see if you don't get the full text of the error
Author: tomblue (n00b)
Joined: 29 Jul 2008 | Posts: 14 | Location: Ilmenau / Germany
Posted: Wed Jul 29, 2009 7:19 am
The authentication works with either
Code:
    AuthLDAPBindDN svnadmin@domain.prv
or
Code:
    AuthLDAPBindDN CN=svnadmin,DC=domain,DC=prv
when using an unencrypted ldap connection. I've tested it both ways.
Ohhhh and another thing: I've got it working!!! Just updated to the latest stable version:
Code:
    app-admin/apache-tools-2.2.11
    www-servers/apache-2.2.11-r2
Didn't even need to change my config. Update, restart, done! Must have been some glitch in the version I was running... Damn that has cost me some hours!
Thanks cach0rr0 and malern for your replies!!
Cheers