[Auth_ldap] Getting SSL to work
chpr at mail.rochester.edu
Thu Nov 20 15:42:11 PST 2003
Once I got STunnel installed, it worked like a charm. My auth_ldap
sessions are now using SSL to the SunONE (iPlanet) Directory server using
My attempts to build auth_ldap with the SunONE (iPlanet) 5.1 SDK were
Not elegant, but it works. Thanks again for your help. Is auth_ldap
still being developed at all?
On Tue, 18 Nov 2003, Ken Bell wrote:
> Hi Guys
> There may be an easier way....
> We ran into this problem on several Web servers with Apache 1.3 and now
> every Apache 2.0 install.
> There is a very simple solution which our global fortune 500 company has
> used with success. iPlanet is our backend LDAP server.
> STunnel is an opensource product that will capture traffic, encrypt and
> forward to where ever you want on whatever port you want. If you capture
> your LDAP traffic on your Apache server on port 389 and forward it to
> iPlanet LDAP server on port 636, iPlanet does not know the difference and
> doesn't care. You need to do NOTHING on your iPlanet server if it accepts
> This is NOT rocket science and you can test it in about an hour.
> - Download and install STunnel
> - Make minor changes to the STunnel config file to point from localhost to
> your current ldap server on 636
> - Test with a query tool against 127.0.0.1 that traffic is being tunnelled
> and that the server responds.
> - Change your httpd.conf to point at 127.0.0.1:389 for your LDAP server.
> - HUP and go
> I have install/configs for windows 2k, if you need it.
> More details:
> 1) On your webserver download and install STunnel (there is a windows
> version, too):
> http://www.stunnel.org/download/ If you have a linux box, ./configure &&
> make && make install (as root)
> 2) Setup the config file for STunnel:
> /usr/local/etc/stunnel/stunnel.conf (by default) add the following:
> chroot = /usr/local/etc/stunnel/
> pid = /stunnel.pid
> setuid = root
> setgid = root
> ##Note we don't do CA stuff as it will verify certs... not a good idea for
> our environment
> # Can leave in foreground to see exchange
> foreground = no
> # Use debug if you have problems
> # debug =7
> ##Useful if you want to log
> #output = /var/log/stunnel.log
> # Use it for client mode
> client = yes
> accept = 127.0.0.1:389
> connect = ldap.company.com:636
> accept = 127.0.0.1:390
> connect = ldap2.company.com:636
> 3) Test by starting up STunnel on the server. Open an LDAP query tool.
> Change the LDAP server to point at 127.0.0.1:389 Query and test for results.
> 4) Change your Auth LDAP configuration to use the server 127.0.0.1:389. If
> you need a second for failover, use 127.0.0.1:390 if you configured as
> We used this in a production environment for over a year for LDAPS with our
> Radius server which gets hit many, many thousands of times / week.
> Hope this helps.
> Ken Bell CISSP, CISA
> Schlumberger Limited
> Information Security
> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org
> [mailto:auth_ldap-bounces at rudedog.org]On Behalf Of Christina Plummer
> Sent: Tuesday, November 18, 2003 7:55 AM
> To: Dave Carrigan
> Cc: auth_ldap at rudedog.org
> Subject: Re: [Auth_ldap] Getting SSL to work
> I did that, actually, and only found a bunch of these:
> [17/Nov/2003:15:32:51 -0500] conn=115344 fd=50 slot=50 SSL connection from
> XX.XX.XX.XX to YY.YY.YY.YY
> [17/Nov/2003:15:32:51 -0500] conn=115344 op=-1 fd=50 closed - B1
> The next thing I am going to try is recompiling with the SunONE
> ldapcsdk5.1 (since we are running the SunONE directory server now --
> auth_ldap was originally compiled back when we were using OpenLDAP).
> On Mon, 17 Nov 2003, Dave Carrigan wrote:
> > On Mon, Nov 17, 2003 at 05:04:46PM -0500, Christina Plummer wrote:
> > >
> > > I searched through the list archives and found a number of similar
> > > problems, but none with solutions that work for me.
> > Check the LDAP server logs to see if there's anything there that might
> > contain a hint as to why it's not letting auth_ldap connect.
> > --
> > Dave Carrigan
> > Seattle, WA, USA
> > dave at rudedog.org | http://www.rudedog.org/ | ICQ:161669680
> > UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
> > Dave is currently listening to Cracker - Loser (Kerosene Hat)
> Auth_ldap mailing list
> Auth_ldap at rudedog.org
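The stunnel.conf Ken quotes above encrypts the hop to port 636 but, by its own comment, skips CA verification, so the Apache box has no way to tell the real iPlanet server from anything else answering on that port. The following script is an added example written for this archive page; it is not code from either poster, from stunnel, or from auth_ldap. It parses a stunnel client configuration, reports services that forward to a TLS port without verifying the server certificate (and the setuid/setgid = root settings), and emits a hardened copy. Assumptions: the sample config is a constructed one modelled on the thread but with `[section]` headers, since stunnel 4 and later require one per service; `verify = 2` and `CAfile` are stunnel's standard verification options; `checkHost` is only available in stunnel 5.06 and newer; the CA bundle path and the `stunnel` service account are placeholders.

```python
"""Audit a stunnel client-mode configuration used to tunnel LDAP to LDAPS.

Parses stunnel's ini-style file (global options, then [service] sections),
flags tunnels that do not authenticate the remote server, and writes a
hardened copy.  Added example for the auth_ldap thread; not project code.
"""
import re

# Constructed sample modelled on the config quoted in the thread.  The two
# tunnels get [section] headers because stunnel 4+ needs one per service.
WEAK_CONF = """\
chroot = /usr/local/etc/stunnel/
pid = /stunnel.pid
setuid = root
setgid = root
## Note we don't do CA stuff as it will verify certs
foreground = no
client = yes

[ldap1]
accept = 127.0.0.1:389
connect = ldap.company.com:636

[ldap2]
accept = 127.0.0.1:390
connect = ldap2.company.com:636
"""


def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}); comments and blanks skipped."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1).strip(), {})
            continue
        key, _, value = line.partition("=")
        (global_opts if current is None else current)[key.strip()] = value.strip()
    return global_opts, services


def audit(text):
    """Return a list of (where, finding) tuples for a client-mode config."""
    g, services = parse_stunnel_conf(text)
    findings = []
    if g.get("setuid") == "root" or g.get("setgid") == "root":
        findings.append(("global", "tunnel runs as root; use a dedicated unprivileged account"))
    for name, opts in services.items():
        eff = {**g, **opts}  # service-level options override global ones
        if eff.get("client", "no").lower() != "yes":
            continue  # server-mode sections are outside this check
        try:
            verify = int(eff.get("verify", "0"))
        except ValueError:
            verify = 0
        if verify < 2:
            findings.append((name, "server certificate chain is not verified (verify < 2)"))
        elif not (eff.get("CAfile") or eff.get("CApath")):
            findings.append((name, "verify is set but no CAfile/CApath trust anchor"))
        if "checkHost" not in eff:
            findings.append((name, "no checkHost: any valid certificate for any name is accepted"))
    return findings


def harden(text, cafile="/usr/local/etc/stunnel/ca.pem", user="stunnel"):
    """Rewrite the config with chain verification, a trust anchor, host-name
    checking (stunnel >= 5.06) and an unprivileged account.  Paths and the
    account name are placeholders to adjust for the real deployment."""
    g, services = parse_stunnel_conf(text)
    g["setuid"], g["setgid"] = user, user
    g["verify"] = "2"
    g["CAfile"] = cafile
    lines = [f"{k} = {v}" for k, v in g.items()]
    for name, opts in services.items():
        lines += ["", f"[{name}]"]
        # pin the expected name to the host we connect to, e.g. ldap.company.com
        host = opts.get("connect", "").rsplit(":", 1)[0]
        opts.setdefault("checkHost", host)
        lines += [f"{k} = {v}" for k, v in opts.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for where, msg in audit(WEAK_CONF):
        print(f"[{where}] {msg}")
    print("--- hardened ---")
    print(harden(WEAK_CONF))
```

Run against the sample it reports five findings (root privileges plus, for each tunnel, no chain verification and no host-name check); the hardened output audits clean. The trust-anchor check is the part that matters for the thread's setup: with `verify = 0`, stunnel still gives you an encrypted socket to 127.0.0.1:389, which is why the LDAP queries work, but a connection to a spoofed 636 would succeed just as readily.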