List: apache-httpd-users
Subject: Re: [users@httpd] debian 10, apache2.4 cannot get ldaps working
From: Nick Folino <nick () folino ! us>
Date: 2022-04-01 16:00:11
Message-ID: CAJnExnNgxofWhzaoM-Tpq=j1Gmj6GR6VU40pi=3ag=ZD4oPkFA () mail ! gmail ! com
If it's all internal, try LDAPVerifyServerCert off.

On Fri, Apr 1, 2022 at 11:47 AM Jennifer Mead <jmead@tucows.com> wrote:
> I get a generic error "ldap_simple_bind() failed][Can't contact LDAP
> server]" when trying to connect to ldap server with "ldaps" for ldap
> authentication. This all worked well under regular ldap on port 389, but
> my requirement is to get it working with secure ldaps and port 636. First
> off I can run
>
> openssl s_client -connect server:636
>
> nc -z -v IP 636
>
>
> I can see a close wait connection on ncsd connected to the ldap server.
>
>
> I suspect this has to do with certificates and apache2? Not much
> documentation out there. Here are my relevant chunks:
>
>
> AuthType Basic
>
> AuthBasicProvider ldap file
>
> AuthName "GestioIP - Authentication against AD"
>
> LDAPTrustedClientCert CERT_BASE64
> /usr/local/share/cacertificates/tucows-root-ca-v2.crt
>
> AuthLDAPUrl
> "ldaps://x.x.x.x:636/DC=int,DC=tucows,DC=com?sAMAccountName?sub?(objectClass=*)"
>
> AuthLDAPBindDN "CN=SA-ADLookups,OU=Service
> Accounts,DC=int,DC=tucows,DC=com"
>
> AuthLDAPBindPassword "secret"
>
> AuthLDAPBindAuthoritative on
>
> Require ldap-user
>
>
> Some posts I tried to follow suggested I use module auth_ldap. However I
> cannot find that module to install and supposedly have another module that
> works instead? Horribly confused and wondering what is wrong? No one at
> my office can help either, just on my plate to figure out. With such a
> generic error, I don't know if the cert is failing or if the config is
> wrong or ???
>
>
> I am on debian 10, we are using this for a GestioIP install just to get
> users authenticated. Any help of any kind is greatly appreciated.
>
>
> Regards,
>
> Jen Mead
>
> jmead@tucowsinc.com
>
>
>
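
Added example, not part of either message: an mod_ldap/mod_authnz_ldap layout that keeps server-certificate verification on for `ldaps://`, with the verification-off setting shown beside it for comparison. The hostname `dc.example.internal` and the `/gestioip` location are placeholders; the CA path and DNs are the ones quoted in the thread.

```apache
# Added example (not from the thread). On Debian the modules are enabled
# with: a2enmod ldap authnz_ldap

# ---- Server config context (outside <VirtualHost>/<Directory>) ----

# CA used to verify the LDAP server's certificate. A CA belongs in
# LDAPTrustedGlobalCert with type CA_BASE64 (PEM); LDAPTrustedClientCert
# is for a client certificate that Apache presents to the LDAP server.
LDAPTrustedGlobalCert CA_BASE64 /usr/local/share/cacertificates/tucows-root-ca-v2.crt

# Default is On; stated explicitly so the intent survives later edits.
LDAPVerifyServerCert On

# Weak setting, for comparison only:
#   LDAPVerifyServerCert Off
# The session is still encrypted, but any certificate is accepted, so the
# bind password and every user's Basic-auth password are sent to whichever
# host answers on port 636.

# Temporary troubleshooting aid; remove once the bind works.
# LDAPLibraryDebug 7

# ---- Per-directory context ----
# "/gestioip" is a placeholder path.
<Location "/gestioip">
    AuthType Basic
    AuthName "GestioIP - Authentication against AD"
    AuthBasicProvider ldap

    # With verification on, the name in the URL must match the server
    # certificate (subjectAltName or CN). An IP address only works if the
    # certificate carries it as a SAN. dc.example.internal is a placeholder.
    AuthLDAPUrl "ldaps://dc.example.internal:636/DC=int,DC=tucows,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=SA-ADLookups,OU=Service Accounts,DC=int,DC=tucows,DC=com"
    AuthLDAPBindPassword "secret"
    AuthLDAPBindAuthoritative on

    Require valid-user
</Location>
```

To check the chain independently of Apache, run `openssl s_client -connect dc.example.internal:636 -CAfile /usr/local/share/cacertificates/tucows-root-ca-v2.crt -verify_return_error` and confirm it reports a verify return code of 0.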