I am trying to build apache httpd 2.4.20 with LDAP over SSL support
No matter what I try I always get this as the first line in the error log file at start up:
[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL support unavailable
I believe (through many hours of perseverance) I am using the correct configure cmdline args which should enable the httpd/apr/apr-util build to find:
openssl (latest from installed csw package)
openldap (latest from installed csw package)
apr 1.5.2 (from src build with httpd)
apr-util 1.5.4 (from src build with httpd)
pcre 8.36 (built and installed to /opt/pcre)
My configure runs without errors and with no LDAP or SSL warnings.
My make runs without error.
My install runs without error.
Httpd boots.
With LogLevel set to "trace8" here is what I get on the command line:
$ sudo ./apachectl start
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208): Setting LogLevel for all modules to trace8
[Thu Jun 16 09:20:17.559959 2016] [ldap:debug] [pid 10195] util_ldap.c(2613): AH01311: LDAP: Setting referral chasing Off
[Thu Jun 16 09:20:17.560102 2016] [authnz_ldap:trace1] [pid 10195] mod_authnz_ldap.c(1512): auth_ldap url parse: `ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub', Host: global.corp.markco, Port: 636, DN: DC=global,DC=corp,DC=markco, attrib: sAMAccountName, scope: subtree, filter: (null), connection mode: using SSL
$
When trying to contact the server through a browser I am prompted for login/passwd.
If I use an NIS account (validated through local passwd/group files) it authenticates fine.
If I use an Active Directory (non-NIS) account it tries LDAP and this fails with errors in the error_log like:
[Thu Jun 16 09:24:47.499445 2016] [core:trace5] [pid 10199] protocol.c(614): [client 101.172.90.164:58872] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:24:47.499988 2016] [http:trace4] [pid 10199] http_request.c(393): [client 101.172.90.164:58872] Headers received from client:
[Thu Jun 16 09:24:47.500045 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:24:47.500137 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Accept-Language: en-US
[Thu Jun 16 09:24:47.500189 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:24:47.500245 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:24:47.500295 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:24:47.500344 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Connection: Keep-Alive
[Thu Jun 16 09:24:47.500393 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:24:47.500443 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:24:47.500698 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:24:47.501447 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501508 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501579 2016] [core:trace3] [pid 10199] request.c(117): [client 101.172.90.164:58872] auth phase 'check user' gave status 401: /
[Thu Jun 16 09:24:47.501848 2016] [http:trace3] [pid 10199] http_filters.c(1003): [client 101.172.90.164:58872] Response sent with status 401, headers:
[Thu Jun 16 09:24:47.501902 2016] [http:trace5] [pid 10199] http_filters.c(1012): [client 101.172.90.164:58872] Date: Thu, 16 Jun 2016 16:24:47 GMT
[Thu Jun 16 09:24:47.501983 2016] [http:trace5] [pid 10199] http_filters.c(1015): [client 101.172.90.164:58872] Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:24:47.502052 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] WWW-Authenticate: Basic realm=\"Use NIS or Active Directory Login\"
[Thu Jun 16 09:24:47.502109 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Content-Length: 469
[Thu Jun 16 09:24:47.502156 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Keep-Alive: timeout=2, max=50
[Thu Jun 16 09:24:47.502205 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Connection: Keep-Alive
[Thu Jun 16 09:24:47.502253 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:24:47.502398 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:24:47.662398 2016] [core:trace4] [pid 10196] mpm_common.c(531): mpm child 10333 (gen 0/slot 5) started
[Thu Jun 16 09:24:49.502950 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.389375 2016] [core:trace5] [pid 10200] protocol.c(614): [client 101.172.90.164:58882] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:25:10.389917 2016] [http:trace4] [pid 10200] http_request.c(393): [client 101.172.90.164:58882] Headers received from client:
[Thu Jun 16 09:25:10.389976 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:25:10.390027 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Accept-Language: en-US
[Thu Jun 16 09:25:10.390078 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:25:10.390174 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:25:10.390226 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:25:10.390276 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Connection: Keep-Alive
[Thu Jun 16 09:25:10.390324 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:25:10.390374 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:25:10.390427 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Authorization: Basic STgyNTcyODpTSlNoYXJrMWU=
[Thu Jun 16 09:25:10.391211 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:25:10.391274 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:25:10.404407 2016] [authnz_ldap:debug] [pid 10200] mod_authnz_ldap.c(515): [client 101.172.90.164:58882] AH01691: auth_ldap authenticate: using URL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
[Thu Jun 16 09:25:10.404479 2016] [authnz_ldap:trace1] [pid 10200] mod_authnz_ldap.c(536): [client 101.172.90.164:58882] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=MyADAccount))
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 101.172.90.164:58882] AH01695: auth_ldap authenticate: user MyADAccount authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117): [client 101.172.90.164:58882] auth phase 'check user' gave status 500: /
[Thu Jun 16 09:25:10.408127 2016] [http:trace3] [pid 10200] http_filters.c(1003): [client 101.172.90.164:58882] Response sent with status 500, headers:
[Thu Jun 16 09:25:10.408180 2016] [http:trace5] [pid 10200] http_filters.c(1012): [client 101.172.90.164:58882] Date: Thu, 16 Jun 2016 16:25:10 GMT
[Thu Jun 16 09:25:10.408227 2016] [http:trace5] [pid 10200] http_filters.c(1015): [client 101.172.90.164:58882] Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:25:10.408297 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882] Content-Length: 664
[Thu Jun 16 09:25:10.408347 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882] Connection: close
[Thu Jun 16 09:25:10.408408 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882] Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:25:10.408524 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.408878 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket
My configure env and cmdline was:
CC=/usr/global/opt/SunStudio12.2/bin/cc
export CC
exec ./configure \
--with-mpm=prefork \
--with-included-apr \
--with-pcre=/opt/pcre \
--enable-authnz-ldap \
--enable-ldap \
--with-ldap=ldap \
--with-ldap-lib=/opt/csw/lib \
--with-ldap-include=/opt/csw/include \
--enable-authnz-fcgi \
--enable-cgi \
--enable-ssl \
--with-ssl=/opt/csw \
--with-ssl-lib=/opt/csw/lib \
--with-ssl-include=/opt/csw/include \
--with-crypto \
--with-openssl=/opt/csw \
--enable-modules=all \
--enable-rewrite \
--prefix=/codeadm/http_servers/httpd-${INSTALL_VER}
In http.conf I am setting the path to the CA cert file:
# Specify CA certificate file
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/MyGlobalCACert.crt
The configuration for the directory I am trying to browse to is:
Options Indexes FollowSymLinks MultiViews Includes
AuthName "Use NIS or Active Directory Login"
AllowOverride None
LDAPReferrals Off
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile "/work/www/HT/HTpasswd.dat"
AuthGroupFile "/work/www/HT/HTgroup.dat"
AuthLDAPURL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
AuthLDAPBindDN CN=aduserforread,OU=Engineering,DC=global,DC=corp,DC=markco
AuthLDAPBindPassword FakePassW0rd
Require valid-user
I have confirmed I can use the "ldapsearch" commandline tool from openldap with these values to query AD successfully.
Any thoughts on what I can do to make LDAP over SSL work?
Thanks
Mj
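Added diagnostic for the symptom above (this is an editorial example, not part of the question, of httpd or of apr-util): when httpd is built with --with-included-apr, the apr-util configure step decides which LDAP SDK to bind to and whether it found an SSL/TLS entry point, and writes that decision into the generated apr_ldap.h under the install prefix as APR_HAS_LDAP, APR_HAS_<SDK>_LDAPSDK and related APR_HAS_* macros. Reading that header, and running ldd over the installed apr-util library, tells you what the build actually linked (for example whether it picked up the OpenLDAP libldap from /opt/csw/lib or a vendor libldap, and whether that libldap depends on a TLS library at all) before any httpd.conf tuning. The certificate types accepted by LDAPTrustedGlobalCert also depend on that SDK, so the SDK name matters. Assumptions: HTTPD_PREFIX defaults to a guessed install path in the style of the poster's --prefix, the macro names follow apr-util 1.x's apr_ldap.h, and ldd and openssl are on PATH; the header contents in the usage notes are constructed.

```shell
#!/bin/sh
# Capability check for LDAP-over-SSL in an httpd built with --with-included-apr.
# Example script, not from the original post or from httpd/apr-util.
# Assumption: HTTPD_PREFIX is the --prefix the server was installed to; with the
# included apr the generated apr_ldap.h and libaprutil live under that prefix.
HTTPD_PREFIX="${HTTPD_PREFIX:-/codeadm/http_servers/httpd-2.4.20}"  # assumed path
APR_LDAP_H="${APR_LDAP_H:-$HTTPD_PREFIX/include/apr_ldap.h}"       # written by apr-util configure
LDAP_HOST="${LDAP_HOST:-global.corp.markco}"                       # from the post's AuthLDAPURL
CA_FILE="${CA_FILE:-/opt/certs/MyGlobalCACert.crt}"                # from the post's LDAPTrustedGlobalCert

# apr_flags HEADER: print every "#define APR_HAS_xxx n" in the header as NAME=n
apr_flags() {
    sed -n 's/^#define[[:space:]]*\(APR_HAS_[A-Z_]*\)[[:space:]]*\([0-9][0-9]*\).*$/\1=\2/p' "$1"
}

# flag_value HEADER NAME: numeric value of one macro (empty if absent)
flag_value() {
    apr_flags "$1" | sed -n "s/^$2=//p" | head -n 1
}

# ldap_sdk HEADER: the <SDK> in the APR_HAS_<SDK>_LDAPSDK macro set to 1, or "none"
ldap_sdk() {
    sdk=$(apr_flags "$1" | sed -n 's/^APR_HAS_\([A-Z]*\)_LDAPSDK=1$/\1/p' | head -n 1)
    echo "${sdk:-none}"
}

# tls_flags HEADER: APR_HAS_* macros mentioning SSL or TLS that configure set to 1
# (for OpenLDAP the one to expect is APR_HAS_LDAP_START_TLS_S). APR_HAS_LDAP_SSL
# itself is a compatibility macro in apr_ldap.h, so it is not counted as evidence.
tls_flags() {
    apr_flags "$1" | grep -E '^APR_HAS_[A-Z_]*(SSL|TLS)[A-Z_]*=1$' \
        | grep -v '^APR_HAS_LDAP_SSL=' | sed 's/=1$//' | tr '\n' ' ' | sed 's/ $//'
}

# check_apr_ldap_ssl HEADER
#   returns 0 when LDAP is compiled in, an SDK was identified and at least one
#   SSL/TLS entry point was detected; 1 when something is missing; 2 if unreadable
check_apr_ldap_ssl() {
    hdr="$1"
    [ -r "$hdr" ] || { echo "cannot read $hdr"; return 2; }
    ldap=$(flag_value "$hdr" APR_HAS_LDAP)
    sdk=$(ldap_sdk "$hdr")
    tls=$(tls_flags "$hdr")
    echo "APR_HAS_LDAP=${ldap:-unset} sdk=$sdk ssl_tls_entry_points=${tls:-none}"
    [ "$ldap" = 1 ] && [ "$sdk" != none ] && [ -n "$tls" ]
}

# linked_ldap_libs OBJECT: which libldap/liblber the object resolves at run time,
# and whether that libldap itself depends on a TLS library (OpenSSL, GnuTLS or NSS).
# A libldap without one cannot serve ldaps:// whatever httpd was configured with.
linked_ldap_libs() {
    obj="$1"
    [ -e "$obj" ] || { echo "no such object: $obj"; return 2; }
    ldd "$obj" 2>/dev/null | grep -E 'libldap|liblber|libssl|libcrypto|libgnutls|libnss3'
    for l in $(ldd "$obj" 2>/dev/null | sed -n 's/.*=>[[:space:]]*\(\/[^ ]*libldap[^ ]*\).*/\1/p'); do
        echo "--- $l depends on:"
        ldd "$l" 2>/dev/null | grep -E 'libssl|libcrypto|libgnutls|libnss3' \
            || echo "    (no TLS library linked into this libldap)"
    done
}

# tls_probe HOST PORT CAFILE: independent of httpd, checks that the CA file given to
# LDAPTrustedGlobalCert verifies the directory server's certificate chain.
tls_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null | grep 'Verify return code'
}

main() {
    echo "== $APR_LDAP_H"
    check_apr_ldap_ssl "$APR_LDAP_H" \
        || echo "   -> this apr-util has no usable LDAP SSL/TLS path; rebuild with the right SDK"
    for obj in "$HTTPD_PREFIX/lib/libaprutil-1.so" "$HTTPD_PREFIX/bin/httpd"; do
        [ -e "$obj" ] && { echo "== $obj"; linked_ldap_libs "$obj"; }
    done
    echo "== TLS probe of $LDAP_HOST:636 with $CA_FILE"
    tls_probe "$LDAP_HOST" 636 "$CA_FILE" || echo "   (no answer; network or openssl missing)"
}

if [ "${1-}" = "--run" ]; then
    main
else
    echo "usage: HTTPD_PREFIX=/path/to/httpd sh $0 --run"
fi
```

Run it as `HTTPD_PREFIX=/codeadm/http_servers/httpd-<ver> sh check_ldap_ssl.sh --run`. The first line of output is the one to read: if the SDK is not OPENLDAP even though --with-ldap-lib pointed at /opt/csw/lib, configure bound apr-util to a different toolkit, and the trust-store directives have to match that toolkit; if the SDK is right but the entry-point list is empty, the libldap found at configure time had no TLS support.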