Apache Lounge forum, Forum Index -> Apache
Topic: Is the Microsoft LDAP SDK the only option?
mattross, posted Wed 13 Mar '13 18:32, subject: Is the Microsoft LDAP SDK the only option?

I am having a problem with secure LDAP authentication using the 2.4.4 Windows binaries downloaded from this site.

It authenticates successfully with insecure LDAP, but not secured LDAP. Browsing through this forum I see it is a common problem under Windows so I was wondering if other SDKs could be used instead of the Microsoft one to build it?

The AuthLDAPURL looks like this: ldap://ourserver:389/ou=ourcontext,o=ourtree?uid?sub?(objectClass=inetOrgPerson)

Changing ldap to ldaps as well as the port results in the following Apache error:

AH01695: auth_ldap authenticate: user myusername authentication failed; URI /Software [LDAP: ldap_simple_bind() failed][Unavailable]
admin (Site Admin), posted Thu 14 Mar '13 15:59

Assume you have certificates in place and followed http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#usingssltls ?

Is your issue the same as at www.apachelounge.com/viewtopic.php?t=5200 ?

There is a Bugzilla ticket open at https://issues.apache.org/bugzilla/show_bug.cgi?id=54626 ; maybe you can add a comment to that ticket.

See also on the dev list http://mail-archives.apache.org/mod_mbox/httpd-dev/201303.mbox/%3c1362477582472-5004121.post@n6.nabble.com%3e
mattross, posted Thu 14 Mar '13 16:58

I have our Terena CA chain certificates added via the MMC snap-in under 'Trusted Root Certification Authorities' and the server's certificate in the 'Personal' store as documented here: http://support.microsoft.com/kb/321051

I do not get the 'CA certificates cannot be set using this method, as they are stored in the registry instead' message in the error log with debugging enabled. Just in case, I tried the patched mod_ldap.so from that post and it does not affect the error I receive. I still suspect it's closely related to that problem though, as I did previously get that message when I was using Apache 2.2.

I have 'LDAPVerifyServerCert Off' and 'LDAPTrustedMode SSL' in the top-level httpd.conf. The rest is in a .htaccess file:

Code:
# Force HTTPS before Basic auth so the LDAP password never travels in clear text.
# In .htaccess (per-directory) context the pattern is matched without the leading
# slash, so ^/(.*) would never match; ^(.*) is the working form.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]

SSLRequireSSL
AuthName "LDAP login"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPDereferenceAliases never
# ldaps:// forces SSL mode in mod_ldap; 636 is the LDAPS port
AuthLDAPURL "ldaps://ourserver:636/ou=ourcontext?uid?sub?(objectClass=inetOrgPerson)"
AuthLDAPBindDN "cn=ourproxyuser"
AuthLDAPBindPassword "password"
Require ldap-user myldapusername

Options +Indexes
covener, posted Thu 14 Mar '13 17:34
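A small configuration audit, added here as an example and not code from the thread or from httpd itself: it splits the AuthLDAPURL into the RFC 2255 fields mod_authnz_ldap reads (base DN, attribute, scope, filter) and flags the directive combinations in the posted config that weaken or break LDAPS. The sample directives are constructed from this thread's posts; the hostname and DN are the poster's placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample, assembled from the directives posted in this thread
# (global mod_ldap settings plus the .htaccess AuthLDAPURL).
SAMPLE_CONF = """
LDAPVerifyServerCert Off
LDAPTrustedMode SSL
AuthLDAPURL "ldaps://ourserver:636/ou=ourcontext?uid?sub?(objectClass=inetOrgPerson)"
AuthLDAPBindPassword "password"
"""

def parse_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter (RFC 2255) into a dict."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %s" % parts.scheme)
    # urlsplit keeps everything after the first '?' as the query; LDAP URLs use '?'
    # again to separate attribute, scope and filter, so split that part ourselves.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }

def audit_ldap_conf(conf_text):
    """Return findings for directive combinations that weaken or break LDAPS."""
    directives = {}
    for line in conf_text.splitlines():
        m = re.match(r'\s*(\w+)\s+"?(.*?)"?\s*$', line)   # directive [ "value" ]
        if m:
            directives[m.group(1)] = m.group(2)
    findings = []
    url = parse_ldap_url(directives["AuthLDAPURL"]) if "AuthLDAPURL" in directives else None
    if url and url["scheme"] == "ldaps" and url["port"] == 389:
        findings.append("ldaps:// on port 389: LDAPS normally listens on 636; check the directory's TLS port")
    if url and url["scheme"] == "ldap" and directives.get("LDAPTrustedMode", "").upper() == "SSL":
        findings.append("LDAPTrustedMode SSL with an ldap:// URL: mod_ldap attempts SSL-on-connect on "
                        "the plain-LDAP port; use ldaps://host:636 so scheme, port and mode agree")
    if directives.get("LDAPVerifyServerCert", "On").lower() == "off":
        findings.append("LDAPVerifyServerCert Off: the directory's certificate is not verified, so a host "
                        "on the network path could impersonate it and receive the bind credentials")
    if "AuthLDAPBindPassword" in directives:
        findings.append("AuthLDAPBindPassword present: keep it in httpd.conf with restricted file "
                        "permissions rather than in a .htaccess inside the web tree")
    return findings
```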

Tried this trace facility?

http://msdn.microsoft.com/en-us/library/aa366152%28VS.85%29.aspx
covener, posted Thu 14 Mar '13 17:35

And of course, the error log with LogLevel debug or TRACE8.
mattross, posted Thu 14 Mar '13 18:44

Thanks for the trace utility tip, I've managed to get a mass of further debug output. It looks like it comes down to this after it has successfully connected to the LDAP server:

LdapConnect failed to open connection 0xf10858, error = 0x80090325

A quick web search (http://social.msdn.microsoft.com/Forums/en-US/vcgeneral/thread/7e8466b0-136d-4a04-a8a6-0389fd4ce8e1) implies it may not be finding the certificates I previously imported. I've checked and all of the required certificate chain is present in 'Trusted Root Certification Authorities'. That is the right place for them isn't it?
James Blond (Moderator), posted Thu 14 Mar '13 18:53

AFAIK you have to set the path LDAPTrustedGlobalCert --> http://httpd.apache.org/docs/2.4/mod/mod_ldap.html#usingssltls and http://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldaptrustedglobalcert
mattross, posted Fri 15 Mar '13 11:34

If I comment out 'LDAPVerifyServerCert Off' and add 'LDAPTrustedGlobalCert CA_BASE64 /path/to/our/CA/cert/chain' I still get the same error, and the 'CA certificates cannot be set using this method, as they are stored in the registry instead' message is back.

I tried with the patched mod_ldap.so as well and it makes no difference.
James Blond (Moderator), posted Mon 18 Mar '13 16:19

I thought about keeping LDAPVerifyServerCert Off while adding LDAPTrustedGlobalCert.
James Blond (Moderator), posted Mon 18 Mar '13 16:23

Since the topic says: "Is the Microsoft LDAP SDK the only option?"

OpenLDAP SDK, Novell LDAP SDK and Mozilla LDAP SDK should be possible, too.
mattross, posted Mon 18 Mar '13 17:06

I've been trying various versions of LDAPVerifyServerCert and LDAPTrustedGlobalCert settings and cannot make any progress. When the global cert is set I always get 'CA certificates cannot be set using this method, as they are stored in the registry instead'.

Using the certificates MMC snap-in I've tried adding the certificates again, including via the physical store which allows 'Registry' certificate additions. None of it makes a difference to the traced log output error = 0x80090325 when establishing a secure connection to the LDAP server.

I am interested in trying a different LDAP SDK to bypass this particular issue. Many years ago I had some experience using the Netscape and Novell SDKs. As I have Visual Studio 2010 how difficult is it to build from source? I had a quick go last week but the projects would not open in Visual Studio without errors.
mattross, posted Tue 19 Mar '13 15:16

I decided to start again and deleted all the configuration and certificates. This time it works. Not sure what was wrong in my configuration, but I now have ldaps working as I had hoped.

Thanks for your help.
lakshmi, posted Mon 28 Jul '14 13:06, subject: Apache 2.2 LDAPS, is it working?

Hi mattross,

In your comment, you said that, "I decided to start again and deleted all the configuration and certificates. This time it works."

Could you please elaborate on what configuration you deleted, and what your configuration is now?

Please let me know, since I want to configure my Apache to work with LDAPS.

Thanks,
Lakshmi