httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Benza <mikebe...@gmail.com>
Subject Re: [users@httpd] LDAP hangs when trying to authenticate
Date Sun, 02 Nov 2008 16:57:06 GMT
Well, I've solved this problem with a lot of help.  The issue is that 
Apache's mod_ldap is ignoring "LDAPVerifyServerCert Off"  I had to 
replace that with:

LDAPTrustedMode SSL
LDAPVerifyServerCert On

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/Thawte_Premium_Server_CA.pem

(if you have the same problem, make sure you use the right CA 
certificate...I'm not sure how to figure out which to use -- the person 
who helped me told me)

- Mike Benza

Tod wrote:
> Mike Benza wrote:
>>   Hello,
>>
>> I've been stuck with a problem where LDAP hangs when it's trying to 
>> authenticate.
>>
>> I'm running Apache on Ubuntu 8.04, Hardy Heron.  This problem occurs 
>> with the Ubuntu version (both 32 and 64 bit) as well as compiled 
>> directly from source.  I can produce the problem in Apache 2.2.8 
>> (from Ubuntu) and 2.2.10 (compiled from source).  I posted about the 
>> problem on ubuntuforums.org <http://ubuntuforums.org> a few weeks ago 
>> but I didn't get any useful responses.  I've searched the web 
>> multiple times.  Tonight I downloaded the source and built it, and I 
>> still have the problem.
>>
>> I've a <Location> in a certain site that needs to be ldap 
>> authenticated. It doesn't get authenticated. Here is the location:
>>
>> <Location /blah>
>>   AuthzLDAPAuthoritative Off
>>   AuthName "EWB Documents"
>>   AuthType Basic
>>   AuthBasicProvider ldap
>>   AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
>>   AuthLDAPBindPassword *********
>>   AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid 
>> <http://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid>"
>>
>>   <Limit GET POST PROPFIND OPTIONS REPORT>
>>      Require valid-user
>>   </Limit>
>> </Location>
>>
>> When I browse to http://site/blah, I get prompted for my username and 
>> password. I've confirmed that this <Location> configuration is 
>> causing the prompt, since when I remove the <Location>, I don't get 
>> prompted for a username and password. After I type my username and 
>> password in and click OK, nothing happens on the browser side. I can 
>> watch my browser send my credentials back the server, and I can see 
>> the beginning of an LDAP conversation using wireshark on the server. 
>> However, after the conversation begins, it abruptly stops, and 
>> nothing happens. It just sits there.
>>
>> I tested logging into the LDAP with a variation of the following 
>> (using a hostname and port, but I don't remember the format and 
>> switches now):
>> Code:
>>
>> ldapsearch -x -W -D "cn=ewb,ou=service accounts,dc=rice,dc=edu" -b 
>> "ou=People,dc=rice,dc=edu" '(uid=XYZ)'
>>
>> It prompts me for my password (the ***s in the above apache 
>> configuration), then finds the user named XYZ.
>>
>> So, in summary I can connect via ldaps and lookup a user at the 
>> command line, but somewhere, apache fails.
>>
>> I turned logging in apache to debug, and discovered that ldap doesn't 
>> log much:
>> Code:
>>
>> [Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory: 
>> mod_mime_magic: can't read magic file /etc/apache2/conf/magic
>> [Wed Sep 17 20:07:10 2008] [notice] suEXEC mechanism enabled 
>> (wrapper: /usr/lib/apache2/suexec)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes 
>> of entropy
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA 
>> private keys (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH 
>> parameters (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) 
>> servers for SSL
>> [Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against 
>> Server: Apache/2.2.8, Library: OpenSSL/0.9.8g
>> [Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory: 
>> mod_mime_magic: can't read magic file /etc/apache2/conf/magic
>> [Wed Sep 17 20:07:10 2008] [notice] Digest: generating secret for 
>> digest authentication ...
>> [Wed Sep 17 20:07:10 2008] [notice] Digest: done
>> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging 
>> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: 
>> ewb.rice.edu <http://ewb.rice.edu>
>> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging 
>> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: 
>> wiki.ewb.rice.edu <http://wiki.ewb.rice.edu>
>> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging 
>> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: 
>> ewb.rice.edu <http://ewb.rice.edu>
>> [Wed Sep 17 20:07:10 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
>> [Wed Sep 17 20:07:10 2008] [info] LDAP: SSL support available
>> [Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes 
>> of entropy
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA 
>> private keys (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH 
>> parameters (512/1024 bits)
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(374): 
>> shmcb_init allocated 512000 bytes of shared memory
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(554): entered 
>> shmcb_init_memory()
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(576): for 
>> 512000 bytes, recommending 4266 indexes
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(619): 
>> shmcb_init_memory choices follow
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(621): 
>> division_mask = 0x1F
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(623): 
>> division_offset = 64
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(625): 
>> division_size = 15998
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(627): 
>> queue_size = 1604
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(629): index_num 
>> = 133
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(631): 
>> index_offset = 8
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(633): 
>> index_size = 12
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(635): 
>> cache_data_offset = 8
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(637): 
>> cache_data_size = 14386
>> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(650): leaving 
>> shmcb_init_memory()
>> [Wed Sep 17 20:07:10 2008] [info] Shared memory session cache 
>> initialised
>> [Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) 
>> servers for SSL
>> [Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against 
>> Server: Apache/2.2.8, Library: OpenSSL/0.9.8g
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24788 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24788 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24789 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24789 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24790 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24790 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24791 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24791 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24792 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24792 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24793 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24793 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24794 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24794 for (*)
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
>> scoreboard slot 0 in child 24795 for worker proxy:reverse
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
>> proxy:reverse already initialized
>> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
>> initialized single connection worker 0 in child 24795 for (*)
>> [Wed Sep 17 20:07:10 2008] [notice] Apache/2.2.8 (Ubuntu) DAV/2 
>> SVN/1.4.6 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 
>> OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 configu
>> red -- resuming normal operations
>>
>> Nothing is logged in the error log when I try to load the page 
>> requiring my username and password.
>>
>> Now here is where it gets a bit more complicated: If it's hanging 
>> waiting to authenticate and I restart apache, the authentication 
>> succeeds, then apache restarts just fine.
>>
>> I don't know very much about the LDAP server.  I know there are a 
>> number of machines with apache that successfully authenticate against 
>> this ldap.
>>
>> Has anyone had problems like this? Please help me. I can't find 
>> anyone who knows enough about apache and ldap. I've been working at 
>> this for weeks now. Thank you.
>>
>> - Mike Benza
>>
>
> Try doing the ldapsearch from the apache box to ldap.rice.edu to rule 
> out firewall a issue.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message