Re: LDAP over SSL on Solaris Sparc 5.10

Problem Solved.

FYI after a lot of effort I have resolved this issue.

Basically there was a library mismatch in the dependencies that apr-util has with openssl/openldap. To solve this I have rebuilt:

pcre, openssl, berkeleydb, openldap, apr, apr-util, httpd

I rebuilt each component in order of dependency on Solaris Sparc using 64-bit compile and link flags.
LDAP over SSL now works.

On Linux I did nothing!! It just worked out of the box.

MJ



On Thursday, June 16, 2016 5:15 PM, Mark Jacquet <mark_jacquet@xxxxxxxxx> wrote:


Based on this https://bz.apache.org/bugzilla/show_bug.cgi?id=41041 I decided to hard code some CPP and LD flags for the configure/make steps:

# Force the apr builds to find libs here and at run time load them from here.
CPPFLAGS='-I/opt/csw/include'
export CPPFLAGS
LDFLAGS='-R/opt/csw/lib -L/opt/csw/lib'
export LDFLAGS

This now gives me one nice new line in the error log and then the one that is not so nice:

[Thu Jun 16 16:28:48.191774 2016] [ldap:info] [pid 8328] AH01318: APR LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 16 16:28:48.192275 2016] [ldap:info] [pid 8328] AH01320: LDAP: SSL support unavailable: (null)

What causes httpd runtime to spit out that "support unavailable" message?

openssl is there, it is linked into the modules, the command line tools can connect to my AD server.

The only thing I can think of is that either my openssl package is too new (tls support dropped in 1.0.0t??) or that the openldap package (2.4.40) I have is not compatible (built) with this version of openssl.

So I am going to try to build openldap and openssl now.
Anyone know which newish versions work well together?

MJ


On Thursday, June 16, 2016 9:45 AM, Mark Jacquet <mark_jacquet@xxxxxxxxx.INVALID> wrote:


I am trying to build Apache httpd 2.4.20 with LDAP over SSL support.

No matter what I try I always get this as the first line in the error log file at startup:

[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL support unavailable

I believe (through many hours of perseverance) I am using the correct configure cmdline args which should enable the httpd/apr/apr-util build to find:

openssl (latest from installed csw package)
openldap (latest from installed csw package)
apr 1.5.2 (from src build with httpd)
apr-util 1.5.4 (from src build with httpd)
pcre 8.36 (built and installed to /opt/pcre)

My configure runs without errors and with no LDAP or SSL warnings.
My make runs without error.
My install runs without error.
Httpd boots.

With LogLevel set to "trace8" here is what I get on the command line:

$ sudo ./apachectl start
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208): Setting LogLevel for all modules to trace8
[Thu Jun 16 09:20:17.559959 2016] [ldap:debug] [pid 10195] util_ldap.c(2613): AH01311: LDAP: Setting referral chasing Off
[Thu Jun 16 09:20:17.560102 2016] [authnz_ldap:trace1] [pid 10195] mod_authnz_ldap.c(1512): auth_ldap url parse: `ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub', Host: global.corp.markco, Port: 636, DN: DC=global,DC=corp,DC=markco, attrib: sAMAccountName, scope: subtree, filter: (null), connection mode: using SSL
$

When trying to contact the server through a browser I am prompted for login/passwd.
If I use an NIS account (validated through local passwd/group files) it authenticates fine.
If I use an Active Directory (non-NIS) account it tries LDAP and this fails with errors in the error_log like:

[Thu Jun 16 09:24:47.499445 2016] [core:trace5] [pid 10199] protocol.c(614): [client 101.172.90.164:58872] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:24:47.499988 2016] [http:trace4] [pid 10199] http_request.c(393): [client 101.172.90.164:58872] Headers received from client:
[Thu Jun 16 09:24:47.500045 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:24:47.500137 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Accept-Language: en-US
[Thu Jun 16 09:24:47.500189 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:24:47.500245 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:24:47.500295 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:24:47.500344 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Connection: Keep-Alive
[Thu Jun 16 09:24:47.500393 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:24:47.500443 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:24:47.500698 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]   X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:24:47.501447 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501508 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501579 2016] [core:trace3] [pid 10199] request.c(117): [client 101.172.90.164:58872] auth phase 'check user' gave status 401: /
[Thu Jun 16 09:24:47.501848 2016] [http:trace3] [pid 10199] http_filters.c(1003): [client 101.172.90.164:58872] Response sent with status 401, headers:
[Thu Jun 16 09:24:47.501902 2016] [http:trace5] [pid 10199] http_filters.c(1012): [client 101.172.90.164:58872]   Date: Thu, 16 Jun 2016 16:24:47 GMT
[Thu Jun 16 09:24:47.501983 2016] [http:trace5] [pid 10199] http_filters.c(1015): [client 101.172.90.164:58872]   Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:24:47.502052 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   WWW-Authenticate: Basic realm=\\"Use NIS or Active Directory Login\\"
[Thu Jun 16 09:24:47.502109 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Content-Length: 469
[Thu Jun 16 09:24:47.502156 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Keep-Alive: timeout=2, max=50
[Thu Jun 16 09:24:47.502205 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Connection: Keep-Alive
[Thu Jun 16 09:24:47.502253 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]   Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:24:47.502398 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:24:47.662398 2016] [core:trace4] [pid 10196] mpm_common.c(531): mpm child 10333 (gen 0/slot 5) started
[Thu Jun 16 09:24:49.502950 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.389375 2016] [core:trace5] [pid 10200] protocol.c(614): [client 101.172.90.164:58882] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:25:10.389917 2016] [http:trace4] [pid 10200] http_request.c(393): [client 101.172.90.164:58882] Headers received from client:
[Thu Jun 16 09:25:10.389976 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:25:10.390027 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Accept-Language: en-US
[Thu Jun 16 09:25:10.390078 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:25:10.390174 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:25:10.390226 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:25:10.390276 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Connection: Keep-Alive
[Thu Jun 16 09:25:10.390324 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:25:10.390374 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:25:10.390427 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]   Authorization: Basic STgyNTcyODpTSlNoYXJrMWU=
[Thu Jun 16 09:25:10.391211 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:25:10.391274 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:25:10.404407 2016] [authnz_ldap:debug] [pid 10200] mod_authnz_ldap.c(515): [client 101.172.90.164:58882] AH01691: auth_ldap authenticate: using URL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
[Thu Jun 16 09:25:10.404479 2016] [authnz_ldap:trace1] [pid 10200] mod_authnz_ldap.c(536): [client 101.172.90.164:58882] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=MyADAccount))
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 101.172.90.164:58882] AH01695: auth_ldap authenticate: user MyADAccount authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117): [client 101.172.90.164:58882] auth phase 'check user' gave status 500: /
[Thu Jun 16 09:25:10.408127 2016] [http:trace3] [pid 10200] http_filters.c(1003): [client 101.172.90.164:58882] Response sent with status 500, headers:
[Thu Jun 16 09:25:10.408180 2016] [http:trace5] [pid 10200] http_filters.c(1012): [client 101.172.90.164:58882]   Date: Thu, 16 Jun 2016 16:25:10 GMT
[Thu Jun 16 09:25:10.408227 2016] [http:trace5] [pid 10200] http_filters.c(1015): [client 101.172.90.164:58882]   Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:25:10.408297 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]   Content-Length: 664
[Thu Jun 16 09:25:10.408347 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]   Connection: close
[Thu Jun 16 09:25:10.408408 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]   Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:25:10.408524 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.408878 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket

My configure env and cmdline were:

CC=/usr/global/opt/SunStudio12.2/bin/cc
export CC

exec ./configure \
        --with-mpm=prefork \
        --with-included-apr \
        --with-pcre=/opt/pcre \
        --enable-authnz-ldap \
        --enable-ldap \
        --with-ldap=ldap \
        --with-ldap-lib=/opt/csw/lib \
        --with-ldap-include=/opt/csw/include \
        --enable-authnz-fcgi \
        --enable-cgi \
        --enable-ssl \
        --with-ssl=/opt/csw \
        --with-ssl-lib=/opt/csw/lib \
        --with-ssl-include=/opt/csw/include \
        --with-crypto \
        --with-openssl=/opt/csw \
        --enable-modules=all \
        --enable-rewrite \
        --prefix=/codeadm/http_servers/httpd-${INSTALL_VER}


In httpd.conf I am setting the path to the CA cert file:

# Specify CA certificate file
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/MyGlobalCACert.crt

The configuration for the directory I am trying to browse to is:

    Options Indexes FollowSymLinks MultiViews Includes
    AuthName "Use NIS or Active Directory Login"
    AllowOverride None
    LDAPReferrals Off
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile "/work/www/HT/HTpasswd.dat"
    AuthGroupFile "/work/www/HT/HTgroup.dat"
    AuthLDAPURL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
    AuthLDAPBindDN CN=aduserforread,OU=Engineering,DC=global,DC=corp,DC=markco
    AuthLDAPBindPassword FakePassW0rd
    Require valid-user

I have confirmed I can use the "ldapsearch" commandline tool from openldap with these values to query AD successfully.

Any thoughts on what I can do to make LDAP over SSL work?

Thanks
Mj
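As an added example (not from the thread or from httpd itself), a small Python checker that parses Apache 2.4 error_log lines in the format shown above and correlates the mod_ldap startup messages (AH01318 "Built with ... SDK", AH01320 "SSL support unavailable") with the later authnz_ldap failure (AH01695 "ldap initialization failed"), so the root cause is flagged at startup rather than per failed login. The sample lines, host and user names are constructed.

```python
import re

# Apache 2.4 error_log line: [ts] [module:level] [pid N] [src.c(line):] [[client ip:port]] [AHnnnnn:] msg
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: (?P<src>\w+\.c\(\d+\)):)?(?: \[client (?P<client>[^\]]+)\])?"
    r" (?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"user (\S+) authentication failed; URI (\S+) \[LDAP: ([^\]]*)\]")

def parse_line(line):
    """Split one error_log line into fields; None if the line is not in that format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_ldap_ssl(lines):
    """Correlate mod_ldap startup state with authnz_ldap failures across a log."""
    report = {"sdk": None, "ssl_available": None, "ssl_reason": None,
              "ssl_required": False, "auth_failures": []}
    for rec in filter(None, map(parse_line, lines)):
        if rec["module"] not in ("ldap", "authnz_ldap"):
            continue
        if rec["code"] == "AH01318":                      # LDAP SDK apr-util was built against
            report["sdk"] = rec["msg"].partition("Built with")[2].strip()
        elif rec["code"] == "AH01320":                    # that SDK offers no SSL/TLS
            report["ssl_available"] = False
            report["ssl_reason"] = rec["msg"].partition("unavailable")[2].strip(": ") or None
        elif "connection mode: using SSL" in rec["msg"]:  # AuthLDAPURL is ldaps://
            report["ssl_required"] = True
        elif rec["code"] == "AH01695":                    # per-request bind/search failure
            m = AUTH_FAIL_RE.search(rec["msg"])
            if m:
                report["auth_failures"].append({"user": m.group(1), "uri": m.group(2), "error": m.group(3)})
    return report

def diagnose(report):
    """One-line verdict: SSL demanded by the URL but absent from the SDK is a build problem."""
    if report["ssl_required"] and report["ssl_available"] is False:
        return "ldaps:// configured but LDAP SDK has no SSL support: rebuild apr-util/openldap/openssl consistently"
    if report["auth_failures"]:
        return "LDAP SSL available; check bind DN, password and CA certificate"
    return "no LDAP problem detected"

# Constructed sample modelled on the thread's lines (hypothetical host, client and user)
SAMPLE = [
    "[Thu Jun 16 16:28:48.191774 2016] [ldap:info] [pid 8328] AH01318: APR LDAP: Built with OpenLDAP LDAP SDK",
    "[Thu Jun 16 16:28:48.192275 2016] [ldap:info] [pid 8328] AH01320: LDAP: SSL support unavailable: (null)",
    "[Thu Jun 16 16:28:48.192500 2016] [authnz_ldap:trace1] [pid 8328] mod_authnz_ldap.c(1512): auth_ldap url parse: `ldaps://ldap.example.test/DC=example,DC=test?sAMAccountName?sub', Host: ldap.example.test, Port: 636, DN: DC=example,DC=test, attrib: sAMAccountName, scope: subtree, filter: (null), connection mode: using SSL",
    "[Thu Jun 16 16:30:10.407802 2016] [authnz_ldap:info] [pid 8330] [client 192.0.2.10:58882] AH01695: auth_ldap authenticate: user alice authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]",
    "[Thu Jun 16 16:30:10.407871 2016] [core:trace3] [pid 8330] request.c(117): [client 192.0.2.10:58882] auth phase 'check user' gave status 500: /",
]

if __name__ == "__main__":
    print(diagnose(check_ldap_ssl(SAMPLE)))
```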
