Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Apache + LDAPS Woes... |
|
Author |
|
pcm2a
Joined: 24 Nov 2011 Posts: 3
|
Posted: Thu 24 Nov '11 18:40 Post subject: Apache + LDAPS Woes... |
|
|
I am trying to get ldaps to work with Apache 2.2 on Server 2008 x64.
Here is my configuration:
Code: | LDAPVerifyServerCert Off
AuthLDAPBindDN “CN=corpsvcatlas,OU=Service Accounts,OU=u00958,OU=00958,DC=hca,DC=corpad,DC=net”
AuthLDAPBindPassword ..removed..
AuthLDAPURL “ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub”
AuthType Basic
AuthName “USE YOUR WINDOWS ACCOUNT”
AuthBasicProvider ldap
AuthUserFile /dev/null
require valid-user |
Two important things to note here:
Note 1: If I use ldap plain text (port 3268) this configuration works
Note 2: If I use LDAP Browser I can connect via ldaps on port 3269 without any issues. There is no ldap server problem.
This is the error coming back in the apache logs:
Code: | [3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/Liferay.git/info/refs [LDAP: ldap_simple_bind_s() failed][Server Down] |
What is that error telling me, since we know that the server is not down? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
|
Back to top |
|
pcm2a
Joined: 24 Nov 2011 Posts: 3
|
Posted: Thu 24 Nov '11 23:07 Post subject: |
|
|
The other post is someone having trouble with their keys/certificates. You can see that I am using "LDAPVerifyServerCert Off" so I won't have this problem. I am also getting a different error than him. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Fri 25 Nov '11 10:32 Post subject: |
|
|
Things I missed.
In whindows a file /dev/null does not exist. If you realy need that you should use C:/nul, but I doubt that. Why a AuthUserFile when you want to auth against LDAP?
Quote: |
[3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/Liferay.git/info/refs [LDAP: ldap_simple_bind_s() failed][Server Down]
|
If the bind step fails then there is something wrong with the AuthLDAPBindDN, the AuthLDAPBindPassword or the AuthLDAPURL.
First thing you should try is not to bind using the full DN but instead use the user@domain syntax
If the bind works but something goes wrong with the query, the error is probably caused by a fault AuthLDAPURL and will look something like:
Quote: |
auth_ldap authenticate: user John Doe authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]
|
change the require to something like
Code: |
# specific user
# Require ldap-user "john.doe"
# specific user by DN
# Require ldap-dn CN=John Doe,OU=Finance,OU=Germany,DC=example,DC=com
# member of group
# Require ldap-group CN=Finance Department,OU=Finance,OU=Germany,DC=example,DC=com
|
To search for a user, do a subtree search for the attribute userPrincipalName, with an empty search root, like so:
Code: |
AuthLDAPBindDN apache@example.com
AuthLDAPBindPassword password
AuthLDAPURL ldaps://10.0.0.1:3269/?userPrincipalName?sub
|
|
|
Back to top |
|
pcm2a
Joined: 24 Nov 2011 Posts: 3
|
Posted: Sat 26 Nov '11 3:59 Post subject: |
|
|
I will give that a shot and report back. Just to double verify did you read my bolded line where I say "Note 1: If I use ldap plain text (port 3268) this configuration works".
You think that with plain text my BindDN would work great but fail with that error in SSL? Seems odd. Across a dozen applications I've only ever used a fully qualified DN. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
|
Back to top |
|
|
|
|
|
|