Topic: Apache 2.2.6 LDAP: CA certificates cannot be set using this
RSchone



Joined: 06 Dec 2007
Posts: 4

Posted: Thu 06 Dec '07 0:31    Post subject: Apache 2.2.6 LDAP: CA certificates cannot be set using this

I am new to Apache and have the following question. I have the following configuration.

Apache 2.2.6
Windows 2003 Server (Testing on Windows XP)
Trying to require login to various directories using LDAP.

httpd.conf
.....
LoadModule ssl_module modules/mod_ssl.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Directory "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\webDocs">
AuthType basic
AuthBasicProvider ldap
AuthName "REALM REALM REALM"
AuthLDAPURL https://my.domain.com:636/?uid?sub?(objectClass=*)
AuthLDAPBindDN cn=xxx,o=yyyy
AuthLDAPBindPassword theRealLongPassword
AuthzLDAPAuthoritative on
AuthLDAPRemoteUserIsDN on
require valid-user
</Directory>

I am receiving the following error in the error log file.

debug] mod_authnz_ldap.c(972): LDAP: auth_ldap using SSL connections
[Wed Dec 05 15:19:01 2007] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Wed Dec 05 15:19:01 2007] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
[Wed Dec 05 15:19:01 2007] [notice] Child 1884: Child process is running
[Wed Dec 05 15:19:01 2007] [info] Parent: Duplicating socket 188 and sending it to child process 1884
[Wed Dec 05 15:19:01 2007] [debug] mpm_winnt.c(408): Child 1884: Retrieved our scoreboard from the parent.
[Wed Dec 05 15:19:01 2007] [debug] mpm_winnt.c(605): Parent: Sent 1 listeners to child 1884
[Wed Dec 05 15:19:01 2007] [debug] mpm_winnt.c(564): Child 1884: retrieved 1 listeners from parent
[Wed Dec 05 15:19:01 2007] [notice] Child 1884: Acquired the start mutex.
[Wed Dec 05 15:19:01 2007] [notice] Child 1884: Starting 250 worker threads.
[Wed Dec 05 15:19:01 2007] [notice] Child 1884: Starting thread to listen on port 80.
[Wed Dec 05 15:19:09 2007] [debug] mod_authnz_ldap.c(376): [client 127.0.0.1] [1884] auth_ldap authenticate: using URL ldaps://my.domain.com:636/?uid?sub?(objectClass=*)
[Wed Dec 05 15:19:10 2007] [warn] [client 127.0.0.1] [1884] auth_ldap authenticate: user u0306158 authentication failed; URI /webDocs [LDAP: ldap_simple_bind_s() failed][Unavailable]

Any suggestions? Where do I put the Cert?
JohnHemming



Joined: 08 Dec 2007
Posts: 1

Posted: Sat 08 Dec '07 23:28    Post subject:

Hi,
I have almost the same problem.
My Apache (2.2.6) is running on a Windows 2000 Server and tries to connect to a 2003 AD.
But I get different error messages depending on the LDAP URL I'm using.

With
1. "ldap://my.ad.server" it works fine
2. "ldap://my.ad.server:636" I get "[LDAP: ldap_simple_bind_s() failed][Unavailable]"
3. "ldaps://my.ad.server[:636]" results in "[LDAP: an attempt to set LDAP_OPT_SSL on failed.][Parameterfehler]"

The log looks the same as yours, even the "SSL support unavailable" message, which I think is my problem too.

I imported the root certificate of the AD into the local machine, but made no difference.

As I could not find a working solution, maybe this helps to create one.

Edit:
I tried the same configuration on a Windows XP system. And somehow it works... I still receive the "SSL Support unavailable" message, but it seems not to matter.
In conclusion, in my opinion it is a Windows 2000 problem...
RSchone



Joined: 06 Dec 2007
Posts: 4

Posted: Thu 20 Dec '07 17:33    Post subject: Trying on Windows XP

I am running Apache 2.2.4 on Windows XP with the following configuration in my httpd.conf file.

LoadModule ssl_module modules/mod_ssl.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Directory "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\webDocs">
AuthType basic
AuthBasicProvider ldap
AuthName "REALM"
AuthLDAPURL ldaps://server.med.utah.edu:636/?uid?sub?(objectClass=*)
AuthLDAPBindDN cn=User,ou=Admin,o=UHSC
AuthLDAPBindPassword MyPassword
AuthzLDAPAuthoritative on
AuthLDAPRemoteUserIsDN off
require valid-user
</Directory>

When I start up my server I receive the following message in the log files.

[debug] mod_authnz_ldap.c(876): [5476] auth_ldap url parse: `ldaps://dslx1.med.utah.edu:636/?uid?sub?(objectClass=*)'
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(885): [5476] auth_ldap url parse: Host: server.med.utah.edu:636
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(887): [5476] auth_ldap url parse: Port: 636
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(889): [5476] auth_ldap url parse: DN:
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(891): [5476] auth_ldap url parse: attrib: uid
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(893): [5476] auth_ldap url parse: scope: subtree
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(898): [5476] auth_ldap url parse: filter: (objectClass=*)
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(972): LDAP: auth_ldap using SSL connections
[Wed Dec 19 15:50:48 2007] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Dec 19 15:50:48 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Dec 19 15:50:48 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Dec 19 15:50:48 2007] [info] Init: Initializing (virtual) servers for SSL
[Wed Dec 19 15:50:48 2007] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.8e
[Wed Dec 19 15:50:48 2007] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Wed Dec 19 15:50:48 2007] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

When I try to login to the directory, I receive the following error message in the log file.

URI /webDocs [LDAP: ldap_simple_bind_s() failed][Server Down]

I am using authnz_ldap_module dated December 1, 2007 and ldap_module dated December 1, 2007. I retrieved the updates from
http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip

Any suggestions on why this is not working?
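The failures in the first and third posts (and the three URL variants in JohnHemming's reply) all surface as one line in error_log with a bracketed SDK status ("Unavailable", "Server Down", "Parameterfehler"), which by itself does not say whether nothing is listening on 636, whether plaintext LDAP was sent to the TLS port, or whether the Microsoft LDAP SDK rejected the server certificate because the issuing CA is not in the machine's Trusted Root store. The script below is an added diagnostic written for this page; it is not part of Apache httpd, mod_ldap, or the patched modules linked above. It assumes Python 3.7+ with only the standard library. It first scans an error_log for the message shapes quoted in the thread and attaches a hint per status (the hint text is my summary of what the posters observed plus the generic LDAP result-code names, not text from any SDK), then optionally performs a verified TLS handshake to the LDAP host from the httpd machine so a refused connection can be told apart from a certificate-trust failure. The embedded sample log lines are copied from the thread.

```python
"""Diagnose mod_authnz_ldap LDAPS failures on a Windows httpd (added example,
not part of Apache httpd or mod_ldap). Two independent checks: scan_error_log()
extracts the mod_ldap / mod_authnz_ldap signatures quoted in the thread;
probe_ldaps() verifies the TLS handshake to host:636 from the httpd machine."""
import re
import socket
import ssl
import sys

# Message shapes quoted in the thread (mod_ldap / mod_authnz_ldap, httpd 2.2.x).
SDK_RE = re.compile(r"APR LDAP: Built with (?P<sdk>.+)$")
SSL_UNAVAILABLE_RE = re.compile(r"LDAP: SSL support unavailable: (?P<reason>.+)$")
LDAP_ERR_RE = re.compile(r"\[LDAP: (?P<call>[^\]]*)\]\[(?P<status>[^\]]*)\]")
USER_RE = re.compile(r"auth_ldap authenticate: user (?P<user>\S+) authentication failed")
URI_RE = re.compile(r"URI (?P<uri>\S+) \[LDAP:")

# Hints keyed on the SDK status text seen in the thread: a summary of what the
# posters observed plus the generic LDAP result-code meaning. Starting points
# for investigation, not definitive diagnoses.
HINTS = {
    "Server Down": "no LDAP session to host:636 at all; check that the name resolves, the "
                   "port is reachable from the httpd box and an LDAPS listener is on it",
    "Unavailable": "TCP connected but no usable session; in the thread this came from "
                   "ldap:// (plaintext) pointed at port 636, or a TLS handshake the "
                   "Microsoft SDK rejected (issuing CA not in the machine Trusted Root store)",
    "Parameterfehler": "the SDK refused LDAP_OPT_SSL; this Windows build offers no LDAPS",
}


def scan_error_log(lines):
    """Return {'sdk', 'ssl_unavailable', 'failures': [...]} from error_log lines."""
    report = {"sdk": None, "ssl_unavailable": None, "failures": []}
    for line in lines:
        m = SDK_RE.search(line)
        if m:
            report["sdk"] = m.group("sdk").strip()
        m = SSL_UNAVAILABLE_RE.search(line)
        if m:
            report["ssl_unavailable"] = m.group("reason").strip()
        m = LDAP_ERR_RE.search(line)
        if m:
            user, uri = USER_RE.search(line), URI_RE.search(line)
            report["failures"].append({
                "call": m.group("call"),
                "status": m.group("status"),
                "user": user.group("user") if user else None,
                "uri": uri.group("uri") if uri else None,
                "hint": HINTS.get(m.group("status"), "unrecognised status; see the SDK's error table"),
            })
    return report


def classify_probe_error(exc):
    """Collapse the exception from a failed TLS probe into a short outcome label."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"   # chain did not validate against the trust store
    if isinstance(exc, ssl.SSLError):
        return "tls_error"            # handshake failed for another reason
    if isinstance(exc, ConnectionRefusedError):
        return "refused"              # nothing listening on that port
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"              # filtered, or the host is down
    if isinstance(exc, socket.gaierror):
        return "dns_failure"
    return "other"


def probe_ldaps(host, port=636, timeout=5.0, cafile=None):
    """Verified TLS handshake with host:port; returns an outcome dict, never raises.

    With cafile=None the default context is used; on Windows that loads roots
    from the machine certificate store, the same place the Microsoft LDAP SDK
    looks, so a verify failure here is a good proxy for what httpd sees."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"outcome": "ok", "subject": cert.get("subject"),
                        "issuer": cert.get("issuer"), "notAfter": cert.get("notAfter")}
    except Exception as exc:  # every failure is reported as data, not raised
        return {"outcome": classify_probe_error(exc), "detail": str(exc)}


# Sample input: the relevant error_log lines quoted in the thread.
SAMPLE_LOG = [
    "[Wed Dec 05 15:19:01 2007] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK",
    "[Wed Dec 05 15:19:01 2007] [info] LDAP: SSL support unavailable: LDAP: CA certificates "
    "cannot be set using this method, as they are stored in the registry instead.",
    "[Wed Dec 05 15:19:10 2007] [warn] [client 127.0.0.1] [1884] auth_ldap authenticate: user "
    "u0306158 authentication failed; URI /webDocs [LDAP: ldap_simple_bind_s() failed][Unavailable]",
    "URI /webDocs [LDAP: ldap_simple_bind_s() failed][Server Down]",
]

if __name__ == "__main__":
    # usage: python ldaps_diag.py [error_log] [ldap-host [port]]
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    report = scan_error_log(lines)
    print("SDK:", report["sdk"])
    print("SSL unavailable:", report["ssl_unavailable"])
    for f in report["failures"]:
        print(f"{f['call']} -> {f['status']} (user={f['user']}, uri={f['uri']}): {f['hint']}")
    if len(sys.argv) > 2:
        print("probe:", probe_ldaps(sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 636))
```

Run it with no arguments to see the thread's own lines classified; pass the real error_log path and the LDAP host to run the probe from the httpd machine, which is where the trust decision is made. An "ok" probe together with a persisting "Unavailable" bind failure points at the URL scheme (ldap:// versus ldaps://) rather than at the certificate store; a "cert_verify_failed" probe means the issuing CA still has to be installed into the machine (not user) store that the service account sees.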

