Greetings. I haven't had to administer Apache for about 6 or 7 years now, but recently jumped back into it to set up a Subversion repository for developers. I'm working on setting up Subversion on Apache (Linux) to authenticate via LDAPS to an Active Directory domain controller. The front-end Subversion client accesses Apache successfully via HTTPS. However, I cannot get Apache to talk LDAPS while verifying the certs. I've been banging my head against this thing for weeks now, and am beyond frustrated. I've read & researched to no end - scoured the Internet - found others with a similar issue, but no fix yet. Any help anyone could provide would be greatly appreciated.

Sincerely,
Dave

RHEL 5.3 x86_64 RPMs:
httpd-2.2.3-45
mod_ssl-2.2.3-45
openssl-0.9.8e-12
openldap-2.3.43-12
subversion-1.6.11-7
mod_dav_svn-1.6.11-7
Active Directory - Windows Server 2003

Was already in httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Added to ssl.conf:
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/http/apache_server_cert.pem
SSLCertificateKeyFile /etc/pki/tls/apache_server_key.pem
SSLCACertificateFile /etc/pki/CA/domain_controller_CA_cert.pem
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire

The following httpd.conf configuration works for authenticating via LDAPS without verifying the certificates:

##############################
# Subversion config
LDAPVerifyServerCert off
<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL
    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"
</Location>
CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
##############################

However, changing LDAPVerifyServerCert to "on" and adding LDAPTrustedGlobalCert pointing to the CA cert (shown below) to verify the certificates gives me a 500 error in the Subversion client (Tortoise), and the below error in ssl_error_log. I also tried adding a second LDAPTrustedGlobalCert pointing to the apache_server cert, to no avail.

httpd.conf:
##############################
# Subversion config
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/CA/domain_controller_CA_cert.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/http/apache_server_cert.pem   ##### Tried with and without this line
LDAPVerifyServerCert on
<Location /repos>
    DAV svn
    SVNPath /opt/local/svn/repos
    SSLRequireSSL
    Order deny,allow
    Deny from All
    AuthName "Subversion Repository"
    AuthType Basic
    AuthBasicProvider ldap
    Satisfy any
    Require ldap-group CN=Subversion,CN=Users,DC=domain,DC=com
    AuthLDAPURL "ldaps://domain_controller.domain.com:636/CN=Users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" SSL
    AuthLDAPBindDN "CN=Apache,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword "password"
</Location>
CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
##############################

ssl_error_log:
[Wed May 04 17:31:42 2011] [warn] [client 192.168.151.74] [27453] auth_ldap authenticate: user subversion_test authentication failed; URI /repos [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I run "openssl s_client -CApath /etc/pki/CA/ -connect domain_controller.domain.com:636" and receive "Verify return code: 0 (ok)", so it appears the SSL handshake is fine outside of Apache:

CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
   i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN   ##### <--- not sure why it's returning CN=DOMAIN and not CN=domain_controller
...   ##### <--- the rest are standard CAs (Verisign, etc)
...
...
---
SSL handshake has read 4776 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1   ##### <--- also not sure why it's stating TLSv1 protocol instead of SSL.
    Cipher    : RC4-MD5
    Session-ID: .........................................
    Session-ID-ctx:
    Master-Key: .........................................
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1304534983
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
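An added example, not part of Dave's post or of Apache: a small Python helper for the debugging step described above. Two details of the post's own check are worth pinning down before blaming mod_ldap. First, `openssl s_client -CApath /etc/pki/CA/` trusts every hashed certificate in that directory (as laid out by c_rehash), whereas `LDAPTrustedGlobalCert CA_BASE64` hands mod_ldap exactly one PEM file, so the equivalent command is `-CAfile /etc/pki/CA/domain_controller_CA_cert.pem`, and the issuer printed for the leaf must be the subject of a certificate in that file. Second, the "Acceptable client certificate CA names" list is the set of CAs the server will accept for a client certificate; it has no bearing on whether the client trusts the server, and `LDAPTrustedGlobalCert CERT_BASE64` likewise names a client certificate rather than a trust anchor. The helper runs the `-CAfile` handshake (it assumes the `openssl` binary is on PATH; host, port and CA path are parameters), parses the output the way the post reads it by eye, and flags verify failures, an issuer/CA mismatch, a CN that does not match the host in `AuthLDAPURL` (OpenLDAP enforces this when verification is on; subjectAltName is not checked here), and the RC4-MD5 cipher the post's server negotiated. The sample output embedded below is constructed from the post, with the certificate body elided.

```python
"""Pre-flight checks for an LDAPS endpoint before enabling LDAPVerifyServerCert.

Added example, not from the original post.  Assumes the ``openssl`` binary is
on PATH.  The parser reads the 0.9.8-era s_client output format shown in the
post (``depth=N`` lines, ``Verify return code``), which later releases keep.
"""
import re
import subprocess
import sys

# Constructed sample, modelled on the s_client output quoted in the post.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /DC=com/DC=domain/CN=domain_controller
verify return:1
depth=0 /C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
   i:/DC=com/DC=domain/CN=domain_controller
---
Server certificate
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=City/O=Org/OU=OrgUnit/CN=domain_controller.domain.com
issuer=/DC=com/DC=domain/CN=domain_controller
---
Acceptable client certificate CA names
/DC=com/DC=domain/CN=DOMAIN
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
---
"""

# Substrings that mark a cipher suite nobody should accept for a bind password.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "EXP", "NULL", "ADH", "AECDH")


def dn_cn(dn):
    """Return the CN of a DN in either OpenSSL style (/C=US/CN=x) or RFC style (C = US, CN = x)."""
    parts = dn.split("/") if dn.startswith("/") else dn.split(",")
    for part in parts:
        m = re.match(r"\s*CN\s*=\s*(.+?)\s*$", part)
        if m:
            return m.group(1)
    return None


def parse_s_client(output):
    """Extract chain (depth, subject), leaf subject/issuer, verify code, protocol and cipher."""
    rep = {"chain": [(int(d), dn.strip()) for d, dn in
                     re.findall(r"^depth=(\d+)\s+(\S.*)$", output, re.M)]}
    scalar = {
        "leaf_subject": r"^subject=(.*)$",
        "leaf_issuer": r"^issuer=(.*)$",
        "protocol": r"^\s*Protocol\s*:\s*(\S+)",
        "cipher": r"^\s*Cipher\s*:\s*(\S+)",
        "verify_text": r"Verify return code:\s*\d+\s*\((.*?)\)",
    }
    for key, pat in scalar.items():
        m = re.search(pat, output, re.M)
        rep[key] = m.group(1).strip() if m else None
    m = re.search(r"Verify return code:\s*(\d+)", output)
    rep["verify_code"] = int(m.group(1)) if m else None
    return rep


def cn_matches_host(cn, host):
    """Exact or single-label wildcard match, case-insensitive (CN only, SAN not covered)."""
    if not cn:
        return False
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.split(".", 1)[1:] == [cn[2:]]
    return cn == host


def findings(report, ldap_host):
    """List of problems that would make mod_ldap refuse the server; empty means it looks fine."""
    problems = []
    if report["verify_code"] != 0:
        problems.append("chain verification failed against the supplied CA file: "
                        f"{report['verify_code']} ({report['verify_text']})")
    by_depth = dict(report["chain"])
    if report["leaf_issuer"] and 1 in by_depth and by_depth[1] != report["leaf_issuer"]:
        problems.append(f"leaf issuer {report['leaf_issuer']} does not match depth=1 "
                        f"subject {by_depth[1]}; the CA file must contain that issuer")
    cn = dn_cn(report["leaf_subject"] or "")
    if not cn_matches_host(cn, ldap_host):
        problems.append(f"hostname mismatch: certificate CN {cn!r} vs LDAP URL host {ldap_host!r}")
    if report["cipher"] and any(w in report["cipher"].upper() for w in WEAK_CIPHER_MARKERS):
        problems.append(f"weak cipher negotiated: {report['cipher']}")
    if report["protocol"] in ("SSLv2", "SSLv3"):
        problems.append(f"legacy protocol negotiated: {report['protocol']}")
    return problems


def check_ldaps(host, port, cafile, timeout=15):
    """Handshake with -CAfile (the one PEM mod_ldap is given), then parse and assess."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-CAfile", cafile]
    proc = subprocess.run(cmd, input=b"", stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, timeout=timeout)
    report = parse_s_client(proc.stdout.decode("utf-8", "replace"))
    return report, findings(report, host)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: ldaps_check.py HOST PORT CAFILE")
    rep, probs = check_ldaps(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(f"verify: {rep['verify_code']} ({rep['verify_text']}), {rep['protocol']} {rep['cipher']}")
    for p in probs:
        print("PROBLEM:", p)
    sys.exit(1 if probs else 0)
```

Run it with the host from `AuthLDAPURL`, port 636 and the path given to `LDAPTrustedGlobalCert CA_BASE64`; a non-zero verify code here means the single PEM file does not complete the chain even if the hashed `-CApath` directory did. On the post's own output the only finding is the RC4-MD5 cipher, which is a server-side ordering problem on the domain controller, not a cause of the bind failure.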