[Auth_ldap] Getting SSL to work

Christina Plummer chpr at mail.rochester.edu
Thu Nov 20 15:42:11 PST 2003


Thanks, Ken!

Once I got STunnel installed, it worked like a charm.  My auth_ldap
sessions are now using SSL to the SunONE (iPlanet) Directory server using
STunnel.

My attempts to build auth_ldap with the SunONE (iPlanet) 5.1 SDK were
unsuccessful.

Not elegant, but it works.  Thanks again for your help.  Is auth_ldap
still being developed at all?

  -- Christina

On Tue, 18 Nov 2003, Ken Bell wrote:

> Hi Guys
>
> There may be an easier way....
>
> We ran into this problem on several Web servers with Apache 1.3 and now
> every Apache 2.0 install.
>
> There is a very simple solution which our global fortune 500 company has
> used with success. iPlanet is our backend LDAP server.
>
> STunnel is an open-source product that will capture traffic, encrypt and
> forward to wherever you want on whatever port you want. If you capture
> your LDAP traffic on your Apache server on port 389 and forward it to
> iPlanet LDAP server on port 636, iPlanet does not know the difference and
> doesn't care. You need to do NOTHING on your iPlanet server if it accepts
> LDAPS.
>
> This is NOT rocket science and you can test it in about an hour.
>
> Overview:
>  - Download and install STunnel
>  - Make minor changes to the STunnel config file to point from localhost to
> your current ldap server on 636
>  - Test with a query tool against 127.0.0.1 that traffic is being tunnelled
> and that the server responds.
>  - Change your httpd.conf to point at 127.0.0.1:389 for your LDAP server.
>  - HUP and go
>
> I have install/configs for windows 2k, if you need it.
>
> More details:
>
>  1) On your webserver download and install STunnel (there is a windows
> version, too):
> http://www.stunnel.org/download/ If you have a linux box, ./configure &&
> make && make install (as root)
>
>  2) Set up the config file for STunnel:
> /usr/local/etc/stunnel/stunnel.conf (by default) add the following:
>
> chroot = /usr/local/etc/stunnel/
> pid = /stunnel.pid
> setuid = root
> setgid = root
>
> ##Note we don't do CA stuff as it will verify certs... not a good idea for
> our environment
>
> # Can leave in foreground to see exchange
> foreground = no
>
> # Use debug if you have problems
> # debug =7
>
> ##Useful if you want to log
> #output = /var/log/stunnel.log
>
> # Use it for client mode
> client = yes
>
> [ldap]
> accept = 127.0.0.1:389
> connect = ldap.company.com:636
>
> [ldap2]
> accept = 127.0.0.1:390
> connect = ldap2.company.com:636
>
>  3) Test by starting up STunnel on the server. Open an LDAP query tool.
> Change the LDAP server to point at 127.0.0.1:389. Query and test for results.
>
>  4) Change your Auth LDAP configuration to use the server 127.0.0.1:389. If
> you need a second for failover, use 127.0.0.1:390 if you configured as
> above.
>
> We used this in a production environment for over a year for LDAPS with our
> Radius server which gets hit many, many thousands of times / week.
>
> Hope this helps.
>
> Ken Bell CISSP, CISA
> Schlumberger Limited
> Information Security
>
>
> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org
> [mailto:auth_ldap-bounces at rudedog.org]On Behalf Of Christina Plummer
> Sent: Tuesday, November 18, 2003 7:55 AM
> To: Dave Carrigan
> Cc: auth_ldap at rudedog.org
> Subject: Re: [Auth_ldap] Getting SSL to work
>
> I did that, actually, and only found a bunch of these:
>
> [17/Nov/2003:15:32:51 -0500] conn=115344 fd=50 slot=50 SSL connection from
> XX.XX.XX.XX to YY.YY.YY.YY
> [17/Nov/2003:15:32:51 -0500] conn=115344 op=-1 fd=50 closed - B1
>
> The next thing I am going to try is recompiling with the SunONE
> ldapcsdk5.1 (since we are running the SunONE directory server now --
> auth_ldap was originally compiled back when we were using OpenLDAP).
>
> Thanks,
>
>   Christina
>
> On Mon, 17 Nov 2003, Dave Carrigan wrote:
>
> > On Mon, Nov 17, 2003 at 05:04:46PM -0500, Christina Plummer wrote:
> > >
> > > I searched through the list archives and found a number of similar
> > > problems, but none with solutions that work for me.
> >
> > Check the LDAP server logs to see if there's anything there that might
> > contain a hint as to why it's not letting auth_ldap connect.
> >
> > --
> > Dave Carrigan
> > Seattle, WA, USA
> > dave at rudedog.org | http://www.rudedog.org/ | ICQ:161669680
> > UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
> >
> > Dave is currently listening to Cracker - Loser (Kerosene Hat)
> >
> _______________________________________________
> Auth_ldap mailing list
> Auth_ldap at rudedog.org
> http://www.rudedog.org/mailman/listinfo/auth_ldap
>
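The configuration Ken quotes deliberately skips CA verification, which is the one real caveat with this setup: in client mode with no chain check, stunnel will hand Apache's plaintext binds (including the bind password) to whatever answers on port 636, and running the tunnel as root widens the blast radius if stunnel itself has a bug. The following is an added example, not code from the thread, from auth_ldap or from the stunnel project: a small Python audit that parses an stunnel.conf (global options followed by [service] sections, with service-level options in the global part acting as defaults for every service) and flags the settings a reviewer would ask to change, run against the quoted config and a hardened variant. The option names `verifyChain`, `checkHost` and `CAfile`, and the `stunnel` service account, are assumptions based on current stunnel releases (the 2003 releases spelled chain verification `verify = 2`); the CA file path is a placeholder.

```python
"""Audit an stunnel.conf used as an LDAPS client tunnel for weak settings.

Added example, not part of the mailing-list thread. Option names follow
current stunnel (verifyChain / checkHost / CAfile); older releases used
verify = 2, which the audit also accepts.
"""
import re

_SECTION_RE = re.compile(r"^\[(.+?)\]$")
_LOOPBACK = ("127.", "::1", "localhost")


def parse_stunnel_conf(text):
    """Split an stunnel.conf into (global_options, {service_name: options}).

    Options before the first [section] are global; service-level options
    placed there act as defaults for every service, so audit_service()
    merges them in. Comment lines start with '#' or ';'.
    """
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return global_opts, services


def audit_global(global_opts):
    """Privilege findings that apply to the whole stunnel process."""
    findings = []
    for key in ("setuid", "setgid"):
        value = global_opts.get(key)
        if value is None or value == "root":
            findings.append(f"global: {key} is {value or 'unset'}; tunnel runs with root privileges")
    return findings


def audit_service(name, opts, global_opts):
    """Findings for one [service] block running in client mode."""
    eff = {**global_opts, **opts}  # service options override global defaults
    if eff.get("client", "no").lower() != "yes":
        return []  # server-mode sections are out of scope for this check
    findings = []
    chain_ok = (eff.get("verifyChain", "no").lower() == "yes"
                or eff.get("verify", "0") in ("2", "3", "4"))
    if not chain_ok:
        findings.append(f"[{name}] server certificate chain is not verified "
                        f"(connect = {eff.get('connect', '?')})")
    if "CAfile" not in eff and "CApath" not in eff:
        findings.append(f"[{name}] no CAfile/CApath: nothing to verify the chain against")
    if "checkHost" not in eff and "checkIP" not in eff:
        findings.append(f"[{name}] no checkHost/checkIP: any certificate from the CA is accepted")
    accept = eff.get("accept", "")
    if not accept.startswith(_LOOPBACK):
        findings.append(f"[{name}] accept = {accept or '?'} exposes the plaintext side beyond localhost")
    return findings


def audit(text):
    """Run all checks over a config and return the list of findings."""
    global_opts, services = parse_stunnel_conf(text)
    findings = audit_global(global_opts)
    for name, opts in services.items():
        findings.extend(audit_service(name, opts, global_opts))
    return findings


# Constructed: the client-side config quoted in the thread, comments dropped.
WEAK_CONF = """\
chroot = /usr/local/etc/stunnel/
pid = /stunnel.pid
setuid = root
setgid = root
foreground = no
client = yes

[ldap]
accept = 127.0.0.1:389
connect = ldap.company.com:636

[ldap2]
accept = 127.0.0.1:390
connect = ldap2.company.com:636
"""

# Constructed hardened variant (assumed option names, placeholder CA path):
# unprivileged account, chain verified against a pinned CA, server name checked.
HARDENED_CONF = """\
chroot = /usr/local/etc/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
client = yes
verifyChain = yes
CAfile = /usr/local/etc/stunnel/corp-ca.pem

[ldap]
accept = 127.0.0.1:389
connect = ldap.company.com:636
checkHost = ldap.company.com

[ldap2]
accept = 127.0.0.1:390
connect = ldap2.company.com:636
checkHost = ldap2.company.com
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Running it reports eight findings for the quoted config (root setuid/setgid plus, for each of the two services, no chain verification, no CA to verify against and no host check) and none for the hardened one. The loopback check matters because the `accept` side carries cleartext LDAP: binding it to anything but 127.0.0.1 turns the tunnel into an open plaintext relay for the directory.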


