[Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Aaron Smith Aaron.Smith at kzoo.edu
Tue Oct 17 08:06:44 PDT 2006


Ok.  I finally got this to work.  Here's what I did:

1.) Installed auth_ldap version 1.6.1.  This version apparently contains the changes that allow auth_ldap to use ldaps:// with OpenLDAP/OpenSSL.
2.) Installed the CORRECT CA certificate.  I went into the "Certificates" MMC on the domain controller, found its server certificate, then exported the CA certificate that the MMC listed in the chain to make 100% sure it was the correct one.
3.) Modified the AuthLDAPURL to replace ALL commas with "%2c":

AuthLDAPURL ldaps://dc.controller.edu:3269/dc=domain%2cdc=school%2cdc=edu?sAMAccountName?sub?(objectClass=*)

The third step was the kicker.

--
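The comma-encoding fix from step 3 above, as an added example that is not from the thread or from auth_ldap itself: a small standard-library Python helper that builds an AuthLDAPURL with the base DN percent-encoded, parses one back into its parts, and rewrites a URL that still carries raw commas in its DN. The function names are my own, and the defaults (sAMAccountName, sub, (objectClass=*)) are simply the values used in the message.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Characters left unescaped in the DN path. Everything else, the comma included,
# becomes a lower-case %xx escape (%2c), matching the form used in the message above.
_DN_UNRESERVED = "=-_."

def encode_dn(dn):
    """Percent-encode a DN for the path component of an LDAP URL (RFC 4516)."""
    out = []
    for ch in dn:
        if ch.isascii() and (ch.isalnum() or ch in _DN_UNRESERVED):
            out.append(ch)
        else:
            out.extend("%%%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)

def build_auth_ldap_url(host, port, base_dn, attribute="sAMAccountName",
                        scope="sub", ldap_filter="(objectClass=*)", ldaps=True):
    """Assemble scheme://host:port/<encoded DN>?attribute?scope?filter."""
    scheme = "ldaps" if ldaps else "ldap"
    query = "?".join((attribute, scope, ldap_filter))
    return urlunsplit((scheme, f"{host}:{port}", "/" + encode_dn(base_dn), query, ""))

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts; the base DN comes back decoded."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    fields = p.query.split("?") + ["", "", ""]   # attribute?scope?filter, padded
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port,
            "base_dn": unquote(p.path[1:]),
            "attribute": fields[0], "scope": fields[1], "filter": fields[2]}

def fix_auth_ldap_url(url):
    """Return (fixed_url, changed): re-encode the DN path so it has no raw commas."""
    p = urlsplit(url)
    fixed_path = "/" + encode_dn(unquote(p.path[1:]))
    fixed = urlunsplit((p.scheme, p.netloc, fixed_path, p.query, p.fragment))
    return fixed, fixed != url

if __name__ == "__main__":
    # The URL from the message above, built from its plain base DN.
    print(build_auth_ldap_url("dc.controller.edu", 3269, "dc=domain,dc=school,dc=edu"))
    # A URL in the earlier, failing form with raw commas, and its fixed version.
    print(fix_auth_ldap_url("ldaps://n1-wrath.sandbox.com:3269/dc=sandbox,dc=com"
                            "?sAMAccountName?sub?(objectClass=*)"))
```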

-----Original Message-----
From: Emmanuel SCIEUR [mailto:Emmanuel.SCIEUR at eseo.fr] 
Sent: Monday, October 16, 2006 3:45 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Is this working without SSL?
Try ldap://your server:3268...
If this works fine, then look for an ldap.conf in the configuration path of Apache and, if one exists, make sure it's the same as /etc/ldap/ldap.conf.

-------------------------------------------
Emmanuel SCIEUR - Systems Administrator
ESEO
4, rue Merlet de la Boulaye
BP30926 - 49009 Angers Cedex 1 - FRANCE
Email: emmanuel.scieur at eseo.fr
Tel. +33 (0)2 41 86 67 85
-------------------------------------------


-----Original Message-----
From: auth_ldap-bounces at rudedog.org [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
Sent: Friday, October 13, 2006 15:08
To: auth_ldap at rudedog.org
Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Ok, I've actually managed to eliminate (I believe) the certificates as a problem.  Turns out I was testing with the wrong version of ldapsearch.  There's the OpenLDAP one, and there's another one that's part of the default Solaris 10 install.  If I use the OpenLDAP ldapsearch and connect to ldaps://n1-wrath.sandbox.com:3269, it works fine.  I'm wondering, though, if perhaps I didn't apply the patch that allows auth_ldap with OpenLDAP to connect to ldaps:// URIs correctly.  The patch wouldn't work properly, so I hand-edited the code to make the additions.  I might have fat-fingered something, I suppose.  I'll go back and look at that.

--------------------------------------------------------------------
Aaron Smith                Aaron.Smith at kzoo.edu
System Administrator   (269) 337-7496
Kalamazoo College
 

-----Original Message-----
From: Emmanuel SCIEUR [mailto:Emmanuel.SCIEUR at eseo.fr] 
Sent: Friday, October 13, 2006 1:57 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

In Apache's ssl.conf, or any other Apache conf file, you must have:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# the AD CA
LDAPTrustedCA /etc/cert/ssl/ssl.crt/your.crt
# the type of certificate
LDAPTrustedCAType BASE64_FILE

# this is for the pass phrase gathering process.
SSLPassPhraseDialog builtin



-----Original Message-----
From: auth_ldap-bounces at rudedog.org [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
Sent: Thursday, October 12, 2006 17:20
To: auth_ldap at rudedog.org
Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

openssl s_client works as long as I specifically tell it what CA cert to use by passing it -CAfile /yourCAFile.  If I leave off the -CAfile option, it fails, saying it can't find a local issuer (i.e., CA) certificate.  The "File not Found" error is in the Apache error_log:

Could not connect to LDAP server: No such file or directory



 

-----Original Message-----
From: Emmanuel SCIEUR [mailto:Emmanuel.SCIEUR at eseo.fr] 
Sent: Thursday, October 12, 2006 11:16 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Is openssl s_client OK?
openssl s_client -connect n1-wrath.sandbox.com:3269 -CAfile /yourCAFILE

Is the "File not Found" error in your web browser or in a log file?



-----Original Message-----
From: auth_ldap-bounces at rudedog.org [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
Sent: Thursday, October 12, 2006 16:58
To: auth_ldap at rudedog.org
Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Well, I discovered that I actually had the wrong CA cert.  So I've put the correct CA cert in what APPEARS to be the correct directory according to openssl.cnf (/etc/sfw/openssl/certs) and pointed the TLS_CACERT setting in ldap.conf to this correct file, but I still get the "File not Found" error.  My Apache config is this:

AuthType Basic
AuthName "Orwell Web Server"
AuthLDAPAuthoritative on
AuthLDAPBindDN "cn=Aaron Smith,cn=Users,dc=sandbox,dc=com"
AuthLDAPBindPassword <password removed> 
#AuthLDAPStartTLS on
AuthLDAPURL ldaps://n1-wrath.sandbox.com:3269/dc=sandbox,dc=com?sAMAccountName?sub?(objectClass=*)

I have applied Andrew McAllister's patch to use SSL with OpenLDAP.  I've also tried uncommenting the StartTLS directive and changing ldaps to ldap in the LDAP URL, but I get the same error.  Maybe I'm just not familiar with where this certificate file needs to go?

 

-----Original Message-----
From: Emmanuel SCIEUR [mailto:Emmanuel.SCIEUR at eseo.fr] 
Sent: Thursday, October 12, 2006 2:03 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

The certificate defined in TLS_CACERT must be the certificate of your Active Directory domain.

You must install a CA on your LDAP.



-----Original Message-----
From: auth_ldap-bounces at rudedog.org [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
Sent: Wednesday, October 11, 2006 21:24
To: auth_ldap at rudedog.org
Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL


Definitely an SSL certificate problem, as the following command from the Apache server:

openssl s_client -connect n1-wrath.sandbox.com:3269 -CAfile /etc/certs/sandbox-ca.pem

results in:

CONNECTED(00000004)
depth=0 /CN=n1-wrath.sandbox.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=n1-wrath.sandbox.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=n1-wrath.sandbox.com
verify error:num=21:unable to verify the first certificate
verify return:1

Though I *am* providing it with the correct CA certificate, so I'm not sure what the problem is.  I'll try asking over on the openldap list.

 

-----Original Message-----
From: auth_ldap-bounces at rudedog.org [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
Sent: Wednesday, October 11, 2006 1:39 PM
To: auth_ldap at rudedog.org
Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

Ok.  I think I might have made at least SOME progress on this.  I added the patch that Andrew McAllister added to allow OpenLDAP to connect to an LDAPS:// URL and recompiled it.  Now, when attempting to use SSL, I get an error in the Apache log file that says:

Could not connect to LDAP server: No such file or directory

If I don't use SSL, and connect to port 3268, it works fine.  My gut says this is a certificate problem, and I suspect that the "file or directory" it's looking for is the CA certificate for my domain.  I put a copy of this in /etc/certs and then put the following in OpenLDAP's ldap.conf:

TLS_REQCERT never
TLS_CACERT /etc/certs/sandbox-ca-B64.cer
TLS_CACERTDIR /etc/certs

I'm currently authenticating to a domain controller on a test domain and didn't do anything to "set up" TLS/SSL on the domain controller.  I've read some instructions about adding certificate requests into Group Policy which will "turn on" SSL and TLS and cause the servers to start listening on ports 636 and 3269; however, I didn't do this and the server is ALREADY listening on those ports.....?  I did install Certificate Services, so maybe that gets set up when you do that?

I know this is sounding like more of a Windows question rather than Auth_Ldap, but I thought maybe someone on the list had run into this issue.



 

-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA at umsystem.edu] 
Sent: Tuesday, October 10, 2006 11:38 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL

I believe it uses 3269 for TLS

Andy

> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
> Sent: Tuesday, October 10, 2006 9:46 AM
> To: auth_ldap at rudedog.org
> Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL
> 
> After I sent my last message, I found the problem with the "Operations Error" with Server 2003; I had to point auth_ldap to port 3268.  Still having trouble with TLS though.  Does the AD server use a different port for TLS connections?  I'll have to google that...
_______________________________________________
Auth_ldap mailing list
Auth_ldap at rudedog.org
http://www.rudedog.org/mailman/listinfo/auth_ldap