Mailing List Archive: Apache: Users

mod_authnz_ldap with wildcard certificate

Index | Next | Previous | View Threaded

Francois.Pernet at idsa

Nov 12, 2009, 9:59 PM

Post #1 of 6 (565 views)
Permalink

mod_authnz_ldap with wildcard certificate

hi all,

Unable to use a wilcard certificate (*.domain.com from Comodo) with LDAP authentication in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ...

I verified that certificate contains :
Subject : ....*.domain.com
X509v3 Subject Alternative Name:
DNS:*.domain.com, DNS:domain.com
Is there any known issue with wildcard certificates ?
How proper should be the syntax in order to use it ?

Thx in advance

Emmanuel.Bailleul at telindus

Nov 12, 2009, 11:40 PM

Post #2 of 6 (550 views)
Permalink

RE: mod_authnz_ldap with wildcard certificate [In reply to]

>De : Francois Pernet [mailto:Francois.Pernet [at] idsa]
>Envoyé : vendredi 13 novembre 2009 07:00
>À : users [at] httpd
>Objet : [users [at] http] mod_authnz_ldap with wildcard certificate
>
>Hi all,
>
>Unable to use a wilcard certificate (*.domain.com from Comodo) with LDAP authentication >in Apache 2.2.3-16.25.4 in LDAPS. The authentication fails ...
>
>I verified that certificate contains :
>Subject : ....*.domain.com
>X509v3 Subject Alternative Name:
> DNS:*.domain.com, DNS:domain.com
>Is there any known issue with wildcard certificates ?
>How proper should be the syntax in order to use it ?
>
>Thx in advance

Hi,
How can you be sure this is an Apache problem ? Did you try first "by hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of the Apache logs when it fails ?

Regards.

Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Francois.Pernet at idsa

Nov 13, 2009, 12:12 AM

Post #3 of 6 (601 views)
Permalink

RE: mod_authnz_ldap with wildcard certificate [In reply to]

Hi,

you are right... more details ...
I must also specify that apache in SSL (https) is working fine with
these certificates ...I do not say this is an apache problem, but more
on the ldap module and certainly on the libraries under ...

A) Apache

Syntax inside Apache :
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_DER
/etc/apache2/ssl.apa/Comodo_Apache.cer
In this case, this is the certificate (Since i am autehnticating
against Novell edirectory, sometimes it requests the server certicate
itself as the CA). But i also used the CA cert from Comodo and it's the
same.

Error in apache log is only (and my server is available, of course):
[Fri Nov 13 07:37:53 2009] [warn] [client 192.168.10.171] [21099]
auth_ldap authenticate: user fpe authentication failed; URI / [LDAP:
ldap_simple_bind_s() failed][Can't contact LDAP server]

B) Tests with OpenLdap

ldap.conf is :
TLS_KEY /etc/openldap/certs/server.key
TLS_CACERT /etc/openldap/certs/cacert.txt
TLS_CERT /etc/openldap/certs/server.cer
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv2
TLS_REQCERT never
Testing with :
ldapsearch -H ldaps://myserver -D cn=binduser,ou=myou,o=idsa -W -x
"(cn=thisobject)"

Doesn't work. Only by putting TLS_REQCERT never in ldap.conf i can use
LDAPs (but without any cert validation in this case ... bad ;-()

hope this help. thx

>>> Emmanuel Bailleul <Emmanuel.Bailleul [at] telindus> 13.11.2009 08:40
>>>
>De : Francois Pernet [mailto:Francois.Pernet [at] idsa]
>Envoyé : vendredi 13 novembre 2009 07:00
>À : users [at] httpd
>Objet : [users [at] http] mod_authnz_ldap with wildcard certificate
>
>Hi all,
>
>Unable to use a wilcard certificate (*.domain.com from Comodo) with
LDAP authentication >in Apache 2.2.3-16.25.4 in LDAPS. The
authentication fails ...
>
>I verified that certificate contains :
>Subject : ....*.domain.com
>X509v3 Subject Alternative Name:
> DNS:*.domain.com, DNS:domain.com
>Is there any known issue with wildcard certificates ?
>How proper should be the syntax in order to use it ?
>
>Thx in advance

Hi,
How can you be sure this is an Apache problem ? Did you try first "by
hand" to perform for example an ldapsearch test ?
And would you show us snippets of your conf file(s) and especially of
the Apache logs when it fails ?

Regards.

Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

peter.schober at univie

Nov 13, 2009, 5:02 AM

Post #4 of 6 (541 views)
Permalink

Re: mod_authnz_ldap with wildcard certificate [In reply to]

* Francois Pernet <Francois.Pernet [at] idsa> [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.

I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Francois.Pernet at idsa

Nov 13, 2009, 6:03 AM

Post #5 of 6 (546 views)
Permalink

Re: mod_authnz_ldap with wildcard certificate [In reply to]

Ok I can also post this question on openldap forum, but :
- my main question is : is there anybody 's running wilcard certificates for LDAPs authentication under Apache ?
- configuration for openldap is different than inside the mod_ldap (only few directives in mod_ldap) so what if I can make it work with Openldap ? (which is the case but without cetificate validation).
-francois

>>> Peter Schober <peter.schober [at] univie> 13.11.2009 14:02 >>>
* Francois Pernet <Francois.Pernet [at] idsa> [2009-11-13 09:12]:
> B) Tests with OpenLdap
[...]
> Doesn't work.

I guess then you'd better get this working on its own, before
continuing with httpd (it's certainly easier to debug LDAP connections
with a full blown LDAP command line tool),
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

covener at gmail

Nov 13, 2009, 6:13 AM

Post #6 of 6 (550 views)
Permalink

Re: mod_authnz_ldap with wildcard certificate [In reply to]

On Fri, Nov 13, 2009 at 9:03 AM, Francois Pernet
<Francois.Pernet [at] idsa> wrote:
> Ok I can also post this question on openldap forum, but :
> - my main question is : is there anybody 's running wilcard certificates for
> LDAPs authentication under Apache ?
> - configuration for openldap is different than inside the mod_ldap (only few
> directives in mod_ldap) so what if I can make it work with Openldap ? (which
> is the case but without cetificate validation).

Wouldn't this be LDAPVerifyServerCert?

if you know the openldap you're using can't verify the cert, there's
not much sense in putting out a query to other Apache users.

If your openldap is linked with gnutls, try one linked with openssl?

--
Eric Covener
covener [at] gmail

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads