From: Maxim Khitrov <mkhitrov@gmail.com>
Date: Thu, 19 Nov 2009 20:44:40 -0500
To: FreeBSD Questions list <freebsd-questions@freebsd.org>
Subject: Re: Apache 2.2 mod_ldap refusing to work over SSL/TLS (solved)
Message-ID: <26ddd1750911191744s72bdf085q3dac7f3e80574916@mail.gmail.com>

On Thu, Nov 19, 2009 at 11:33 AM, Maxim Khitrov wrote:
> Hello all,
>
> Wasted many hours on this and am no closer to a solution. I'm trying
> to get apache 2.2 on FreeBSD 7.2 to authenticate against our active
> directory (Windows 2003).
>
> The current status is that authentication works without problems when
> SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
> to the server and run queries using the ldapsearch tool. Server
> certificate verification works without any problems.
>
> The relevant portions of ldap.conf and httpd.conf are identical, so if
> I can use SSL and TLS with ldapsearch, there is no reason why it
> shouldn't be working from apache. Just to be on the safe side, I've
> turned off server certificate verification with the 'LDAPVerifyServerCert
> Off' directive.
>
> So... Unencrypted authentication works, SSL authentication results in
> "[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]", and
> TLS authentication gives "[LDAP: ldap_start_tls_s() failed][Connect
> error]." I had nothing else to go on, so I decided to capture the
> packets that are being sent between the apache and active directory
> servers. I then compared this packet capture with what ldapsearch does
> (both using TLS).
>
> In summary, ldapsearch and apache send an identical
> LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
> with an identical "Result: Status: Success, MatchedDN: NULL,
> ErrorMessage: NULL" packet. But while ldapsearch then goes on to the
> certificate and key exchange phase, apache responds with
> "OperationHeader: Unbind Request, 2(0x2)" and terminates the
> connection.
>
> As far as I can tell, it doesn't even get to the certificate
> verification phase even though the STARTTLS command is successful.
> Anyone have a clue on what could be causing this?
>
> - Max

I love the simplest of problems that take 12 hours to solve... It was my mistake and a really dumb one, but apache and openldap sure don't make it easy to figure this out.

The next step after packet captures was to start digging through source. I finally ended up in tls_o.c, which is part of OpenLDAP. The whole problem had to do with the fact that the CA certificate I specified was in a directory readable only by root. That would certainly explain why ldapsearch worked without problems.

Unfortunately, the certificate is loaded just prior to establishing an SSL or TLS connection. While one would expect an error for this condition to be raised when apache is first started (basic validation of the LDAPTrustedGlobalCert directive), it actually manifests itself as a cryptic "Connect error" message during authentication.

- Max
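Since httpd never validates the LDAPTrustedGlobalCert path at startup, a pre-flight check that walks every directory component of the CA file with the permission bits of the `User` httpd runs as catches this before the first cryptic "Connect error". This is an added example, not code from the thread or from Apache/OpenLDAP; the directive names are Apache's, the sample config and the fake filesystem in the test are constructed, and `Include` files are not followed.

```python
"""Check that httpd's run-as user can actually open the CA file named by
LDAPTrustedGlobalCert: search (x) on every ancestor directory, read (r)
on the file itself. Root bypasses these bits, which is exactly why
ldapsearch run as root worked while the www worker did not."""
import grp
import os
import pwd
import re
import stat


def parse_httpd_conf(text):
    """Return (run_as_user, [CA file paths]) from httpd.conf text."""
    user, certs = None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        m = re.match(r'^User\s+(\S+)', line, re.I)
        if m:
            user = m.group(1)
        # Syntax: LDAPTrustedGlobalCert <type> <path> [password]
        m = re.match(r'^LDAPTrustedGlobalCert\s+\S+\s+"?([^"\s]+)', line, re.I)
        if m:
            certs.append(m.group(1))
    return user, certs


def accessible_by(path, uid, gids, statfn=os.stat):
    """True if a process with uid/gids can read path. statfn is injectable
    so the logic can be exercised against a constructed tree."""
    if uid == 0:
        return True
    path = os.path.abspath(path)
    parts = path.split(os.sep)[1:]
    ancestors = [os.sep + os.sep.join(parts[:i]) for i in range(len(parts))]
    nodes = [(d, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)) for d in ancestors]
    nodes.append((path, (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)))
    for node, (owner, group, other) in nodes:
        st = statfn(node)
        need = owner if st.st_uid == uid else group if st.st_gid in gids else other
        if not st.st_mode & need:
            return False
    return True


def resolve_user(name):
    """uid and full gid set (primary + supplementary) for a passwd entry."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}


def check_config(conf_text, statfn=os.stat, resolve=resolve_user):
    """Return one problem string per unusable CA file; empty list means OK."""
    user, certs = parse_httpd_conf(conf_text)
    uid, gids = resolve(user)
    problems = []
    for path in certs:
        try:
            if not accessible_by(path, uid, gids, statfn):
                problems.append(f"{path}: not readable by {user} (uid {uid})")
        except OSError as e:
            problems.append(f"{path}: {e.strerror}")
    return problems
```

Run it as root against the real httpd.conf (`check_config(open(path).read())`) before starting httpd; a non-empty list is the misconfiguration the thread describes.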