Apache Lounge
Forum: Apache
Topic: Apache + LDAPS Woes...
pcm2a
Joined: 24 Nov 2011
Posts: 3
Posted: Thu 24 Nov '11 18:40    Post subject: Apache + LDAPS Woes...

I am trying to get ldaps to work with Apache 2.2 on Server 2008 x64.

Here is my configuration:
Code:
LDAPVerifyServerCert Off
AuthLDAPBindDN "CN=corpsvcatlas,OU=Service Accounts,OU=u00958,OU=00958,DC=hca,DC=corpad,DC=net"
AuthLDAPBindPassword ..removed..
AuthLDAPURL "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"
AuthType Basic
AuthName "USE YOUR WINDOWS ACCOUNT"
AuthBasicProvider ldap
AuthUserFile /dev/null
require valid-user

Two important things to note here:
Note 1: If I use ldap plain text (port 3268) this configuration works
Note 2: If I use LDAP Browser I can connect via ldaps on port 3269 without any issues. There is no ldap server problem.


This is the error coming back in the apache logs:
Code:
[3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/Liferay.git/info/refs [LDAP: ldap_simple_bind_s() failed][Server Down]

What is that error telling me, since we know that the server is not down?
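A hardening note on the configuration posted above, added here and not part of the thread: LDAPVerifyServerCert Off makes the ldaps:// URL accept any certificate at all, so whoever can sit on the path to port 3269 can present their own certificate and collect the service-account bind password plus every user's Basic-auth password, because mod_authnz_ldap forwards that password to the directory in a bind to check it. The plain-text fallback on port 3268 mentioned in Note 1 sends the same passwords unencrypted. The fragment below puts the weak setting next to the corrected one. The CA file path is an assumption for this example, and both mod_ldap directives belong in the server-wide configuration rather than inside a <Location> or <Directory> block.

```apache
# --- Weak (as posted): no server certificate verification at all ---------
# Any certificate is accepted on the TLS handshake, so LDAPS here protects
# against a passive sniffer only, not against anyone who can redirect traffic.
LDAPVerifyServerCert Off
AuthLDAPURL "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"

# --- Corrected: trust the issuing CA of the global catalog and verify ------
# LDAPTrustedGlobalCert and LDAPVerifyServerCert are mod_ldap directives with
# server-config context: put them at top level, not in the auth block.
# The CA file path below is an assumption for this example; use the PEM of
# the domain CA that issued gc-hca.corpad.net's certificate.
LDAPTrustedGlobalCert CA_BASE64 "C:/Apache2.2/conf/ssl/corpad-issuing-ca.pem"
LDAPVerifyServerCert On
AuthLDAPURL "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"
```

One caveat for Windows builds: according to the mod_ldap documentation, a build linked against the Microsoft LDAP SDK takes its certificate configuration from the system rather than from LDAPTrustedGlobalCert. There the equivalent fix is to make the domain CA that issued the global catalog's certificate trusted in the web server's machine certificate store, and to leave LDAPVerifyServerCert at its default of On.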
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7355
Location: Germany, Next to Hamburg
Posted: Thu 24 Nov '11 20:36

You may checkout http://www.apachelounge.com/viewtopic.php?t=3547

If that doesn't help please post again.
pcm2a
Joined: 24 Nov 2011
Posts: 3
Posted: Thu 24 Nov '11 23:07

The other post is someone having trouble with their keys/certificates. You can see that I am using "LDAPVerifyServerCert Off" so I won't have this problem. I am also getting a different error than him.
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7355
Location: Germany, Next to Hamburg
Posted: Fri 25 Nov '11 10:32

Things I missed.

In Windows a file /dev/null does not exist. If you really need that you should use C:/nul, but I doubt that. Why an AuthUserFile when you want to auth against LDAP?


Quote:

[3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/Liferay.git/info/refs [LDAP: ldap_simple_bind_s() failed][Server Down]


If the bind step fails then there is something wrong with the AuthLDAPBindDN, the AuthLDAPBindPassword or the AuthLDAPURL.


First thing you should try is not to bind using the full DN but instead use the user@domain syntax
Code:

AuthLDAPBindDN user@domain.com


If the bind works but something goes wrong with the query, the error is probably caused by a faulty AuthLDAPURL and will look something like:
Quote:

auth_ldap authenticate: user John Doe authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]


change the require to something like
Code:

# specific user
#   Require ldap-user "john.doe"
# specific user by DN
#   Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
# member of group
#   Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com



To search for a user, do a subtree search for the attribute userPrincipalName, with an empty search root, like so:
Code:

AuthLDAPBindDN apache@example.com
AuthLDAPBindPassword password
AuthLDAPURL ldaps://10.0.0.1:3269/?userPrincipalName?sub
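The two log lines quoted in this thread differ in where mod_ldap gave up, which is exactly the distinction the reply above draws: a failure in ldap_simple_bind_s() with the "LDAP:" prefix is the service-account bind (or the connection underneath it), while ldap_search_ext_s() means the bind succeeded and the query is at fault. The bracketed result is the client SDK's own result string, and "Server Down" (LDAP_SERVER_DOWN, 0x51) is set by the SDK when it could not open or keep a connection, which over ldaps:// includes a TLS handshake that never completed; the directory can be perfectly healthy, as the LDAP Browser test in the first post shows. The script below is an added example, not code from the thread or from httpd: it parses such lines, labels the stage from the reason strings util_ldap.c emits in 2.2, and counts wrong-password binds per user. The first two sample lines are the ones quoted in the thread; the rest are constructed.

```python
"""Triage mod_authnz_ldap 'authentication failed' lines from an Apache 2.2 error log.

Added example, not code from the thread or from httpd. It sorts each failure
by the stage at which mod_ldap gave up (service-account bind, user search, or
the bind that checks the user's own password) and names the directives worth
checking for that stage. The first two sample lines are the ones quoted in the
thread; the remaining lines are constructed.
"""
import re
from collections import Counter

# Reason strings as written by util_ldap.c in httpd 2.2, with the stage they
# belong to and what to check when that stage fails.
STAGES = (
    ("LDAP: ldap_simple_bind_s() failed", "service-bind",
     "AuthLDAPBindDN/AuthLDAPBindPassword, or the connection itself (host, port, TLS)"),
    ("ldap_simple_bind_s() to check user credentials failed", "user-bind",
     "the user's own password; normal for a typo, suspicious in bursts"),
    ("ldap_search_ext_s() for user failed", "user-search",
     "AuthLDAPURL base DN, attribute and scope, or search rights of the bind account"),
    ("User not found", "user-search",
     "AuthLDAPURL attribute/filter: the search ran but matched no entry"),
)

LINE_RE = re.compile(
    r"auth_ldap authenticate: user (?P<user>.+?) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<reason>[^\]]*)\]\[(?P<result>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields of a mod_authnz_ldap failure line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["stage"], rec["check"] = "unknown", "reason string not recognised"
    for prefix, stage, check in STAGES:
        if rec["reason"].startswith(prefix):
            rec["stage"], rec["check"] = stage, check
            break
    return rec


def explain_result(result, ldap_url):
    """Translate the bracketed LDAP result string into what the client library is reporting."""
    if result == "Server Down":
        # LDAP_SERVER_DOWN (0x51) is set by the client SDK when it cannot open or
        # keep a connection; the directory itself may be perfectly healthy. Over
        # ldaps:// a TLS handshake that never completed ends up here too.
        if ldap_url.lower().startswith("ldaps://"):
            return "no usable connection: check the TLS handshake to the host/port in AuthLDAPURL"
        return "no usable connection: check host, port and firewall path in AuthLDAPURL"
    if result == "Invalid credentials":
        return "the directory rejected the DN/password used at this stage"
    if result == "Operations error":
        return "the query was refused: check the base DN and scope in AuthLDAPURL"
    return result


def triage(lines, ldap_url):
    """Parse every failure line and attach a stage-aware diagnosis."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec["diagnosis"] = explain_result(rec["result"], ldap_url)
            records.append(rec)
    return records


def failed_user_binds(records):
    """Count wrong-password attempts per user; a burst against one account is guessing."""
    return Counter(r["user"] for r in records if r["stage"] == "user-bind")


# Constructed sample log: the first two lines are quoted from the thread.
SAMPLE_LOG = """\
[3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/Liferay.git/info/refs [LDAP: ldap_simple_bind_s() failed][Server Down]
auth_ldap authenticate: user John Doe authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]
[Thu Nov 24 18:41:02 2011] [warn] [client 10.0.0.7] [3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Nov 24 18:41:05 2011] [warn] [client 10.0.0.7] [3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/ [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Nov 24 18:42:00 2011] [notice] Apache/2.2.21 (Win64) configured -- resuming normal operations
"""
SAMPLE_URL = "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"

if __name__ == "__main__":
    records = triage(SAMPLE_LOG.splitlines(), SAMPLE_URL)
    for rec in records:
        print(f"{rec['stage']:<12} user={rec['user']!r} uri={rec['uri']} -> "
              f"{rec['diagnosis']}; check {rec['check']}")
    print("wrong-password counts:", dict(failed_user_binds(records)))
```

Run against a real error_log, the user-bind counter is the line worth alerting on: repeated Invalid credentials against one account through a Basic-auth front end is password guessing, and mod_authnz_ldap itself applies no lockout.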
pcm2a
Joined: 24 Nov 2011
Posts: 3
Posted: Sat 26 Nov '11 3:59

I will give that a shot and report back. Just to double-verify, did you read my bolded line where I say "Note 1: If I use ldap plain text (port 3268) this configuration works"?

You think that with plain text my BindDN would work great but fail with that error in SSL? Seems odd. Across a dozen applications I've only ever used a fully qualified DN.
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7355
Location: Germany, Next to Hamburg
Posted: Tue 10 Jan '12 17:55

You might take a look at http://www.apachelounge.com/viewtopic.php?p=7884