Authentication against LDAP fails if SSL or TLS is used

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Authentication against LDAP fails if SSL or TLS is used
From: Mxrgus Pxrt <margus@xxxxxxxx>
Date: Tue, 02 Mar 2010 14:45:08 +0200
Reply-to: users@xxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Hello,

I have following problem:

Precondition:
- Some Location is protected with authentication against LDAP
- Apache is configured to connect LDAP server over SSL (LDAPS on port 686)

Steps:
- Open https://server/protected_url

- Input username of existing user (must be defined in LDAP base) andWRONG PASSWORD


Result:

- After entering wrong password (sometimes you have to do it more thanonce), Internal Error 500 is displayed in browser- For all the clients server is going to show Internal Error 500 error(you have to restart Apache to solve the problem)


Notes:
- Problem does not appear, if using 389 without crypt
- If using 389 with STARTTLS problem exists


Has anyone delt with similar problem?



Detailed information:

Installed packages:

ii apache2 2.2.9-10+lenny6 ApacheHTTP Server metapackageii apache2-mpm-worker 2.2.9-10+lenny6 ApacheHTTP Server - high speed threaded modelii apache2-utils 2.2.9-10+lenny6 utilityprograms for webserversii apache2.2-common 2.2.9-10+lenny6 ApacheHTTP Server common filesii libapache2-svn 1.5.1dfsg1-4Subversion server modules for Apacheii libgnutls26 2.4.2-6+lenny2 the GNUTLS library - runtime libraryii libneon27-gnutls 0.28.2-6.1 An HTTPand WebDAV client library (GnuTLS enabled)


Log:

IN CASE USER DOES NOT EXIST:

Ldap:

Mar 2 14:28:52 ldap.server slapd[26521]: conn=0 fd=16 ACCEPT fromIP=http.server:36293 (IP=0.0.0.0:636)Mar 2 14:28:52 ldap.server slapd[26521]: conn=0 fd=16 TLS establishedtls_ssf=128 ssf=128

Mar  2 14:28:52 ldap.server slapd[26521]: conn=0 op=0 BIND dn="" method=128

Mar 2 14:28:52 ldap.server slapd[26521]: conn=0 op=0 RESULT tag=97err=0 text=Mar 2 14:28:52 ldap.server slapd[26521]: conn=0 op=1 SRCHbase="dc=ria,dc=ee" scope=0 deref=0 filter="(objectClass=*)"Mar 2 14:28:52 ldap.server slapd[26521]: conn=0 op=1 SEARCH RESULTtag=101 err=0 nentries=1 text=

Mar  2 14:28:52 ldap.server slapd[26521]: conn=0 op=2 UNBIND
Mar  2 14:28:52 ldap.server slapd[26521]: conn=0 fd=16 closed

Mar 2 14:28:59 ldap.server slapd[26521]: conn=1 fd=16 ACCEPT fromIP=http.server:34546 (IP=0.0.0.0:636)Mar 2 14:28:59 ldap.server slapd[26521]: conn=1 fd=16 TLS establishedtls_ssf=128 ssf=128

Mar  2 14:28:59 ldap.server slapd[26521]: conn=1 op=0 BIND dn="" method=128

Mar 2 14:28:59 ldap.server slapd[26521]: conn=1 op=0 RESULT tag=97err=0 text=Mar 2 14:28:59 ldap.server slapd[26521]: conn=1 op=1 SRCHbase="dc=ria,dc=ee" scope=2 deref=3filter="(&(objectClass=*)(uid=userdoesnotexist))"

Mar  2 14:28:59 ldap.server slapd[26521]: conn=1 op=1 SRCH attr=uid

Mar 2 14:28:59 ldap.server slapd[26521]: <= bdb_equality_candidates:(uid) not indexedMar 2 14:28:59 ldap.server slapd[26521]: conn=1 op=1 SEARCH RESULTtag=101 err=0 nentries=0 text=



Apache:

==> /srv/log/apache2/http.server-access.log <==

client.address - - [02/Mar/2010:14:28:52 +0200] "GET /test/ HTTP/1.1"401 290 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7)Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7"client.address - userdoesnotexist [02/Mar/2010:14:29:00 +0200] "GET/test/ HTTP/1.1" 401 290 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7"


==> /srv/log/apache2/http.server-error.log <==

[Tue Mar 02 14:29:00 2010] [warn] [client client.address] [12246]auth_ldap authenticate: user userdoesnotexist authentication failed; URI/test/ [User not found][No such object][Tue Mar 02 14:29:00 2010] [error] [client client.address] useruserdoesnotexist not found: /test/






IN CASE USER EXISTS:

Ldap:

ar 2 14:29:20 ldap.server slapd[26521]: conn=16 fd=18 ACCEPT fromIP=http.server:34547 (IP=0.0.0.0:636)Mar 2 14:29:20 ldap.server slapd[26521]: conn=16 fd=18 TLS establishedtls_ssf=128 ssf=128

Mar  2 14:29:20 ldap.server slapd[26521]: conn=16 op=0 BIND dn="" method=128

Mar 2 14:29:20 ldap.server slapd[26521]: conn=16 op=0 RESULT tag=97err=0 text=Mar 2 14:29:20 ldap.server slapd[26521]: conn=16 op=1 SRCHbase="dc=ria,dc=ee" scope=2 deref=3filter="(&(objectClass=*)(uid=mxrguspxrt))"

Mar  2 14:29:20 ldap.server slapd[26521]: conn=16 op=1 SRCH attr=uid

Mar 2 14:29:20 ldap.server slapd[26521]: <= bdb_equality_candidates:(uid) not indexedMar 2 14:29:20 ldap.server slapd[26521]: conn=16 op=1 SEARCH RESULTtag=101 err=0 nentries=1 text=Mar 2 14:29:20 ldap.server slapd[26521]: conn=16 op=2 BINDdn="cn=Margus Pärt,ou=people,ou=Infrastruktuur,ou=RIA,dc=ria,dc=ee"method=128Mar 2 14:29:20 ldap.server slapd[26521]: conn=16 op=2 RESULT tag=97err=49 text=

Mar  2 14:29:20 ldap.server slapd[26521]: conn=16 op=3 UNBIND
Mar  2 14:29:20 ldap.server slapd[26521]: conn=16 fd=18 closed

Mar 2 14:29:27 ldap.server slapd[26521]: conn=17 fd=18 ACCEPT fromIP=http.server:34548 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=17 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=17 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=18 fd=18 ACCEPT fromIP=http.server:34549 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=18 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=18 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=19 fd=18 ACCEPT fromIP=http.server:34550 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=19 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=19 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=20 fd=18 ACCEPT fromIP=http.server:34551 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=20 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=20 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=21 fd=18 ACCEPT fromIP=http.server:34552 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=21 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=21 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=22 fd=18 ACCEPT fromIP=http.server:34553 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=22 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=22 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=23 fd=18 ACCEPT fromIP=http.server:34554 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=23 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=23 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=24 fd=18 ACCEPT fromIP=http.server:34555 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=24 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=24 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=25 fd=18 ACCEPT fromIP=http.server:34556 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=25 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=25 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=26 fd=18 ACCEPT fromIP=http.server:34557 (IP=0.0.0.0:636)Mar 2 14:29:27 ldap.server slapd[26521]: conn=26 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:27 ldap.server slapd[26521]: conn=26 fd=18 closed(connection lost)Mar 2 14:29:27 ldap.server slapd[26521]: conn=27 fd=18 ACCEPT fromIP=http.server:34558 (IP=0.0.0.0:636)Mar 2 14:29:28 ldap.server slapd[26521]: conn=27 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:28 ldap.server slapd[26521]: conn=27 fd=18 closed(connection lost)Mar 2 14:29:28 ldap.server slapd[26521]: conn=28 fd=18 ACCEPT fromIP=http.server:34559 (IP=0.0.0.0:636)Mar 2 14:29:28 ldap.server slapd[26521]: conn=28 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:28 ldap.server slapd[26521]: conn=28 fd=18 closed(connection lost)Mar 2 14:29:28 ldap.server slapd[26521]: conn=29 fd=18 ACCEPT fromIP=http.server:34560 (IP=0.0.0.0:636)Mar 2 14:29:28 ldap.server slapd[26521]: conn=29 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:28 ldap.server slapd[26521]: conn=29 fd=18 closed(connection lost)Mar 2 14:29:28 ldap.server slapd[26521]: conn=30 fd=18 ACCEPT fromIP=http.server:34561 (IP=0.0.0.0:636)Mar 2 14:29:28 ldap.server slapd[26521]: conn=30 fd=18 TLS establishedtls_ssf=128 ssf=128Mar 2 14:29:28 ldap.server slapd[26521]: conn=30 fd=18 closed(connection lost)




Apache:


First time:

==> /srv/log/apache2/http.server-access.log <==

client.address - mxrguspxrt [02/Mar/2010:14:29:21 +0200] "GET /test/HTTP/1.1" 401 290 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7"


==> /srv/log/apache2/http.server-error.log <==

[Tue Mar 02 14:29:21 2010] [warn] [client client.address] [12251]auth_ldap authenticate: user mxrguspxrt authentication failed; URI/test/ [ldap_simple_bind_s() to check user credentials failed][Invalidcredentials][Tue Mar 02 14:29:21 2010] [error] [client client.address] usermxrguspxrt: authentication failure for "/test/": Password Mismatch



Second time:

==> /srv/log/apache2/http.server-access.log <==

client.address - mxrguspxrt [02/Mar/2010:14:29:28 +0200] "GET /test/HTTP/1.1" 500 341 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7"


==> /srv/log/apache2/http.server-error.log <==

[Tue Mar 02 14:29:29 2010] [warn] [client client.address] [12251]auth_ldap authenticate: user mxrguspxrt authentication failed; URI/test/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

^C






Best regards,
Margus












---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Prev by Date: Re: Feature request: Set lbfactor to 0 in mod_proxy_balancer
Next by Date: Re: FIPS 140_2 compliant for mod_proxy?
Previous by thread: large amount of R in server-status
Next by thread: Reverse proxy with mod_rewrite using RewriteRule [P]
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]