Greetings.
I haven't had to administer Apache for about 6 or 7 years now, but recently
jumped back into it to set up a subversion repository for developers. I'm
working on setting up subversion on Apache (Linux) to authenticate via ldaps to
an Active Directory domain controller. The front-end subversion client accesses
Apache successfully via https. However, I cannot get Apache to talk ldaps
while verifying the certs. I've been banging my head against this thing for
weeks now, and am beyond frustrated. I've read & researched to no end -
scoured the Internet - found others with a similar issue, but no fix yet. Any
help anyone could provide would be greatly appreciated.
Sincerely,
Dave
RHEL5.3 x86_64
RPMs:
httpd-2.2.3-45
mod_ssl-2.2.3-45
openssl-0.9.8e-12
openldap-2.3.43-12
subversion-1.6.11-7
mod_dav_svn-1.6.11-7
Active Directory - Windows Server 2003
Was already in httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Added to ssl.conf:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/http/apache_server_cert.pem
SSLCertificateKeyFile /etc/pki/tls/apache_server_key.pem
SSLCACertificateFile /etc/pki/CA/domain_controller_CA_cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire
The following httpd.conf configuration works for authenticating via ldaps
without verifying the certificates:
##############################
# Subversion config
LDAPVerifyServerCert off
<Location /repos>
DAV svn
SVNPath /opt/local/svn/repos
SSLRequireSSL
Order deny,allow
Deny from All
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap
Satisfy any
Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "password"
</Location>
CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
##############################
However, changing LDAPVerifyServerCert to "on" and adding LDAPTrustedGlobalCert
pointing to CA cert (shown below) to verify the certificates gives me a 500
error in the subversion client (Tortoise), and the below error in
ssl_error_log. I also tried adding a second LDAPTrustedGlobalCert pointing to
apache_server cert, to no avail.
httpd.conf:
##############################
# Subversion config
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem
##### Tried with and without this line
LDAPVerifyServerCert on
<Location /repos>
DAV svn
SVNPath /opt/local/svn/repos
SSLRequireSSL
Order deny,allow
Deny from All
AuthName "Subversion Repository"
AuthType Basic
AuthBasicProvider ldap
Satisfy any
Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
AuthLDAPBindPassword "password"
</Location>
CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
##############################
ssl_error_log:
[Wed May 04 17:31:42 2011] [warn] [client 192.168.151.74] [27453] auth_ldap
authenticate: user subversion_test authentication failed; URI /repos [LDAP:
ldap_simple_bind_s() failed][Can't contact LDAP server]
I run "openssl s_client -CApath /etc/pki/CA/ -connect
domain_controller.domain.com:636" and receive "Verify return code: 0 (ok)", so
it appears the SSL handshake is fine outside of Apache:
CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN ##### <--- not sure why it's
returning CN=DOMAIN and not CN=domain_controller
... ##### <---
the rest are standard CAs (Verisign, etc.)
...
...
---
SSL handshake has read 4776 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1 ##### <--- also not
sure why it's stating TLSv1 protocol instead of SSL.
Cipher : RC4-MD5
Session-ID: .........................................
Session-ID-ctx:
Master-Key: .........................................
Key-Arg : None
Krb5 Principal: None
Start Time: 1304534983
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
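The following is an added example, not part of the post above and not Apache's or OpenLDAP's own code. It turns the manual `openssl s_client` test into a repeatable check covering the two things an LDAPS client has to establish before it is safe to send the bind password: that the server's chain validates against the CA file that `LDAPTrustedGlobalCert CA_BASE64` points at, and that the certificate was issued for the host name used in `AuthLDAPURL`. Host names, the CA name and the sample outputs are constructed; comparing only the subject CN is an assumption (the host name may instead live in subjectAltName, which this script does not parse).

```shell
#!/bin/sh
# Added example: evaluate an LDAPS endpoint the way a verifying client must,
# (1) chain validation result and (2) host name match.
# Constructed sample data; CN-only matching is an assumption.

# ldaps_verdict HOST  (reads `openssl s_client` output on stdin)
# Prints "ok", "chain-failed ..." or "name-mismatch ..." and returns 0 only for "ok".
ldaps_verdict() {
    host=$1
    out=$(cat)
    # Last "Verify return code" line wins; 0 means the chain validated.
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    # Subject CN, tolerating both "CN=host" and "CN = host" print styles.
    cn=$(printf '%s\n' "$out" | sed -n 's/^subject=.*CN *= *\([^/,]*\).*/\1/p' | head -n 1)
    if [ "$code" != "0" ]; then
        echo "chain-failed (code ${code:-unknown})"
        return 1
    fi
    if [ "$cn" != "$host" ]; then
        echo "name-mismatch (cert CN='$cn', expected '$host')"
        return 2
    fi
    echo ok
    return 0
}

# ldaps_probe HOST CAFILE : live handshake against port 636 using the same CA
# file the Apache config trusts (needs network access; hypothetical usage).
ldaps_probe() {
    openssl s_client -CAfile "$2" -connect "$1:636" </dev/null 2>/dev/null \
        | ldaps_verdict "$1"
}

# Constructed, abridged s_client outputs used to exercise the verdict logic.
SAMPLE_GOOD='CONNECTED(00000003)
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=dc1.example.com
issuer=/DC=com/DC=example/CN=example-CA
Verify return code: 0 (ok)'

SAMPLE_UNTRUSTED='CONNECTED(00000003)
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=dc1.example.com
issuer=/DC=com/DC=example/CN=example-CA
Verify return code: 19 (self signed certificate in certificate chain)'

# Usage: printf '%s\n' "$SAMPLE_GOOD" | ldaps_verdict dc1.example.com
#        ldaps_probe dc1.example.com /etc/pki/CA/domain_controller_CA_cert.pem
```

A "name-mismatch" verdict is the case a plain `-CApath` test does not surface: the chain is fine, but the certificate names a different host than the one in `AuthLDAPURL`, and a verifying client is right to refuse it.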