Mailing List Archive: Apache: Users

Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian)



simon.walter at hokkaidotracks

Nov 19, 2009, 12:16 AM

Post #1 of 5 (672 views)
Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian)

Hi all,

This is my first message to the list. Greetings.

First off I'll start by saying that I've scoured the search engines and
searched this list and found only bits and pieces. I'm not going to
report any problems right away.

My question is: Does anyone know of a document that describes what I
need to make Apache authenticate via LDAP over SSL or TLS connecting to
a MS AD server?

I've been able to do this successfully with plaintext (no SSL or TLS).
However I get warnings on my AD server saying that it is a security risk.

I don't know much about Windows, and I could have a problem with the
AD server and would like to know how I can test that. I've tried to
connect to the AD server with JXplorer and LDAPExplorertool2 and have
failed with SSL and TLS. I also tried using ldapsearch and got an error:
"ldap_sasl_interactive_bind_s: Unknown authentication method" Then I
installed the package for gssapi "libsasl2-modules-gssapi-heimdal". Now
I get a different error:
"SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local
error (-2)"

I'm not sure what types of connections MS AD supports: SSL, TLS, SASL...
??? How can I know for sure that the server side is fine?

Anyway, if someone can show me a working apache config and/or a document
which describes what I need to do to get this setup working, I'd be very
grateful.

I'll reply once I've tried all your suggestions.

Thanks for your help.

Simon


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


aw at ice-sa

Nov 19, 2009, 12:49 AM

Post #2 of 5 (641 views)
Re: Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian) [In reply to]

Simon Walter wrote:
...

>
> My question is: Does anyone know of a document that describes what I
> need to make Apache authenticate via LDAP over SSL or TLS connecting to
> a MS AD server?
>
Greetings.

There are so many variations of authentication and so many
misunderstandings in that domain, that I'd like to figure out first if
you are not chasing the wrong rabbit.
Can you describe a bit more what exactly is the issue you are trying to
solve, overall ?
I presume that what you mean above, is not that Apache itself would
authenticate to an AD server for some internal Apache functional reason;
but rather that Apache should authenticate /the client/ (browser) by
means of a check with an AD server, right ?

Some specific questions in that direction :
- what are the clients which, ultimately, need to be authenticated ?
- how is the link between the Ubuntu Apache host, and the MS AD server ?
Is it a purely internal (and thus relatively secure) network link, or
does it go through some insecure network section (like the Internet) ?
- since an MS AD back-end system is involved, there is a good chance
that what you ultimately want, is that the clients (browsers) would be
authenticated via their MS Windows Domain user-id. Is that correct ?
(Or do there exist clients, which need to access Apache-controlled
resources, but which are NOT already logged-in in a Windows Domain ?)
- do the users accept to have a login page the first time they access an
Apache application, or do they expect not having to login, considering
that they are already logged-in with their workstation in the Domain ?





simon.walter at hokkaidotracks

Nov 22, 2009, 4:40 PM

Post #3 of 5 (607 views)
Re: Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian) [In reply to]

Hi André and thanks for your reply.

My reply is below yours. Cheers!

André Warnier wrote:
> Simon Walter wrote:
> ...
>>
>> My question is: Does anyone know of a document that describes what I
>> need to make Apache authenticate via LDAP over SSL or TLS connecting
>> to a MS AD server?
>>
> Greetings.
>
> There are so many variations of authentication and so many
> misunderstandings in that domain, that I'd like to figure out first if
> you are not chasing the wrong rabbit.
> Can you describe a bit more what exactly is the issue you are trying
> to solve, overall ?
> I presume that what you mean above, is not that Apache itself would
> authenticate to an AD server for some internal Apache functional reason;
> but rather that Apache should authenticate /the client/ (browser) by
> means of a check with an AD server, right ?
>
> Some specific questions in that direction :
> - what are the clients which, ultimately, need to be authenticated ?
> - how is the link between the Ubuntu Apache host, and the MS AD server ?
> Is it a purely internal (and thus relatively secure) network link, or
> does it go through some insecure network section (like the Internet) ?
> - since an MS AD back-end system is involved, there is a good chance
> that what you ultimately want, is that the clients (browsers) would be
> authenticated via their MS Windows Domain user-id. Is that correct ?
> (Or do there exist clients, which need to access Apache-controlled
> resources, but which are NOT already logged-in in a Windows Domain ?)
> - do the users accept to have a login page the first time they access
> an Apache application, or do they expect not having to login,
> considering that they are already logged-in with their workstation in
> the Domain ?

Yes, the httpd client (browser) is requesting a restricted resource
(Trac). All the users exist on an AD. Everything works fine, *except* I
want to secure the communication between Apache and the LDAP server (MS
AD). The network is private (NATed) and protected via firewalls etc.

Until now people have had to type in their windows login password once
again to access the resource (Trac). However the browser can save the
password, so it's not terrible. But, yes, pretty much any client
accessing Trac would have already logged on to the domain. I guess being
able to omit that extra prompt would be wonderful.

I hope that cleared up anything I forgot to mention.

Thanks for your help,

Simon



daniel.goulder at and

Nov 23, 2009, 2:13 AM

Post #4 of 5 (598 views)
RE: Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian) [In reply to]

Hi Simon,

I know exactly what you are referring to as I have attempted to configure the same authentication (I seem to remember it was with Apache 2.2.6). Unfortunately, when I tried it, LDAPS authentication with Apache resulted in segfaults.

If you have managed to get things working over plain LDAP (port 389) then you are nearly there...

All you have to do is change the protocol and port and Apache should do the rest.

Of course you need to configure AD for the SSL/TLS encryption...

http://lmgtfy.com/?q=active+directory+ldaps



simon.walter at hokkaidotracks

Nov 23, 2009, 6:41 PM

Post #5 of 5 (589 views)
Re: Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian) [In reply to]

daniel.goulder [at] and wrote:
> If you have managed to get things working over plain LDAP (port 389)
> then you are nearly there...
>
> All you have to do is change the protocol and port and Apache should do
> the rest
>
I guess my problem is not with Apache. I'll post on the ldap mailing
list to see what they say.
>
> Of course you need to configure AD for the SSL/TLS encryption...
>
> http://lmgtfy.com/?q=active+directory+ldap
And yes, of course I have searched the web, the forums, the mailing list
archives, and RTFineM. I'm off to figure out how to verify that my AD is
really speaking SSL. According to MS tech site, it does, but I don't
trust the info on there. It seems there is a big difference between
Server 2000 and 2008.


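As an added example (not code from the thread or from the Apache project), the change Daniel describes, switching the working ldap://...:389 URL to ldaps://...:636, written out as an Apache 2.2 mod_authnz_ldap fragment, together with the check Simon wants for whether the AD side really speaks SSL on 636. The hostname, CA file path, base DN and bind account are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname, CA path, base DN and bind
# account are constructed placeholders; adjust them to your own domain.
AD_HOST="dc1.example.internal"            # placeholder AD domain controller
CA_FILE="/etc/ssl/certs/ad-root-ca.pem"   # placeholder: exported AD CA cert
# True (exit 0) when Apache would talk to the directory in the clear.
ldap_url_is_plaintext() {
  case "$1" in
    ldap://*)  return 0 ;;
    ldaps://*) return 1 ;;
    *)         return 2 ;;
  esac
}
# Rewrite ldap://host[:389]/... to ldaps://host:636/..., keeping the base DN,
# attribute, scope and filter exactly as they were in the working config.
to_ldaps_url() {
  printf '%s\n' "$1" | sed -E 's#^ldap://([^/:]+)(:389)?/#ldaps://\1:636/#'
}
# The plaintext URL that already works in the thread (the weak setting) ...
PLAIN_URL="ldap://${AD_HOST}:389/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)"
# ... and the same query over LDAPS.
SECURE_URL="$(to_ldaps_url "$PLAIN_URL")"

# mod_authnz_ldap fragment for Apache 2.2 using the LDAPS URL. The mod_ldap
# directives sit at server level; the CA file holds the issuer of the DC's
# certificate so the chain can be verified. ldaps:// implies the SSL mode
# ("AuthLDAPURL ldap://... SSL" is the equivalent spelling).
emit_ldaps_config() {
  cat <<EOF
LDAPTrustedGlobalCert CA_BASE64 ${CA_FILE}
LDAPVerifyServerCert On
<Location /trac>
    AuthType Basic
    AuthName "Trac"
    AuthBasicProvider ldap
    AuthLDAPURL "${SECURE_URL}"
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=internal"
    AuthLDAPBindPassword "placeholder-change-me"
    Require valid-user
</Location>
EOF
}

# Confirm the DC really speaks TLS on 636 and its chain verifies against the
# AD CA; a DC with no server certificate installed just drops the handshake.
check_ad_ldaps() {
  printf '' | openssl s_client -connect "$1:636" -CAfile "$CA_FILE" 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}
```

Run `check_ad_ldaps "$AD_HOST"` from the Apache host first: if the handshake fails there, the missing piece is on the AD side (the DC's server certificate), not in the Apache config.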
