httpd-users mailing list archives

From Mark Jacquet <mark_jacq...@yahoo.com.INVALID>
Subject [users@httpd] LDAP over SSL on Solaris Sparc 5.10
Date Thu, 16 Jun 2016 16:45:30 GMT
I am trying to build apache httpd 2.4.20 with LDAP over SSL support.
No matter what I try I always get this as the first line in the error log file at start up:
[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL support unavailable
I believe (through many hours of perseverance) I am using the correct configure cmdline args
which should enable the httpd/apr/apr-util build to find:
openssl (latest from installed csw package)
openldap (latest from installed csw package)
apr 1.5.2 (from src build with httpd)
apr-util 1.5.4 (from src build with httpd)
pcre 8.36 (built and installed to /opt/pcre)
My configure runs without errors and with no LDAP or SSL warnings. My make runs without error. My
install runs without error. Httpd boots.
With LogLevel set to "trace8" here is what I get on the command line:
$ sudo ./apachectl start
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208): Setting LogLevel
for all modules to trace8
[Thu Jun 16 09:20:17.559959 2016] [ldap:debug] [pid 10195] util_ldap.c(2613): AH01311: LDAP:
Setting referral chasing Off
[Thu Jun 16 09:20:17.560102 2016] [authnz_ldap:trace1] [pid 10195] mod_authnz_ldap.c(1512):
auth_ldap url parse: `ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub',
Host: global.corp.markco, Port: 636, DN: DC=global,DC=corp,DC=markco, attrib: sAMAccountName,
scope: subtree, filter: (null), connection mode: using SSL
$ 

When trying to contact the server through a browser I am prompted for login/passwd. If I use
an NIS account (validated through local passwd/group files) it authenticates fine. If I use
an Active Directory (non-NIS) account it tries LDAP and this fails with errors in the error_log
like:
[Thu Jun 16 09:24:47.499445 2016] [core:trace5] [pid 10199] protocol.c(614): [client 101.172.90.164:58872]
Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:24:47.499988 2016] [http:trace4] [pid 10199] http_request.c(393): [client 101.172.90.164:58872]
Headers received from client:
[Thu Jun 16 09:24:47.500045 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:24:47.500137 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
Accept-Language: en-US
[Thu Jun 16 09:24:47.500189 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:24:47.500245 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:24:47.500295 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:24:47.500344 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
Connection: Keep-Alive
[Thu Jun 16 09:24:47.500393 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:24:47.500443 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:24:47.500698 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872]  
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:24:47.501447 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client
101.172.90.164:58872] AH01626: authorization result of Require valid-user : denied (no authenticated
user yet)
[Thu Jun 16 09:24:47.501508 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client
101.172.90.164:58872] AH01626: authorization result of <RequireAny>: denied (no authenticated
user yet)
[Thu Jun 16 09:24:47.501579 2016] [core:trace3] [pid 10199] request.c(117): [client 101.172.90.164:58872]
auth phase 'check user' gave status 401: /
[Thu Jun 16 09:24:47.501848 2016] [http:trace3] [pid 10199] http_filters.c(1003): [client
101.172.90.164:58872] Response sent with status 401, headers:
[Thu Jun 16 09:24:47.501902 2016] [http:trace5] [pid 10199] http_filters.c(1012): [client
101.172.90.164:58872]   Date: Thu, 16 Jun 2016 16:24:47 GMT
[Thu Jun 16 09:24:47.501983 2016] [http:trace5] [pid 10199] http_filters.c(1015): [client
101.172.90.164:58872]   Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:24:47.502052 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]  
WWW-Authenticate: Basic realm=\\"Use NIS or Active Directory Login\\"
[Thu Jun 16 09:24:47.502109 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]  
Content-Length: 469
[Thu Jun 16 09:24:47.502156 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]  
Keep-Alive: timeout=2, max=50
[Thu Jun 16 09:24:47.502205 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]  
Connection: Keep-Alive
[Thu Jun 16 09:24:47.502253 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872]  
Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:24:47.502398 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872]
core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:24:47.662398 2016] [core:trace4] [pid 10196] mpm_common.c(531): mpm child 10333
(gen 0/slot 5) started
[Thu Jun 16 09:24:49.502950 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872]
core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.389375 2016] [core:trace5] [pid 10200] protocol.c(614): [client 101.172.90.164:58882]
Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:25:10.389917 2016] [http:trace4] [pid 10200] http_request.c(393): [client 101.172.90.164:58882]
Headers received from client:
[Thu Jun 16 09:25:10.389976 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:25:10.390027 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Accept-Language: en-US
[Thu Jun 16 09:25:10.390078 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:25:10.390174 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:25:10.390226 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:25:10.390276 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Connection: Keep-Alive
[Thu Jun 16 09:25:10.390324 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:25:10.390374 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:25:10.390427 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882]  
Authorization: Basic STgyNTcyODpTSlNoYXJrMWU=
[Thu Jun 16 09:25:10.391211 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client
101.172.90.164:58882] AH01626: authorization result of Require valid-user : denied (no authenticated
user yet)
[Thu Jun 16 09:25:10.391274 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client
101.172.90.164:58882] AH01626: authorization result of <RequireAny>: denied (no authenticated
user yet)
[Thu Jun 16 09:25:10.404407 2016] [authnz_ldap:debug] [pid 10200] mod_authnz_ldap.c(515):
[client 101.172.90.164:58882] AH01691: auth_ldap authenticate: using URL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
[Thu Jun 16 09:25:10.404479 2016] [authnz_ldap:trace1] [pid 10200] mod_authnz_ldap.c(536):
[client 101.172.90.164:58882] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=MyADAccount))
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 101.172.90.164:58882]
AH01695: auth_ldap authenticate: user MyADAccount authentication failed; URI / [LDAP: ldap
initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117): [client 101.172.90.164:58882]
auth phase 'check user' gave status 500: /
[Thu Jun 16 09:25:10.408127 2016] [http:trace3] [pid 10200] http_filters.c(1003): [client
101.172.90.164:58882] Response sent with status 500, headers:
[Thu Jun 16 09:25:10.408180 2016] [http:trace5] [pid 10200] http_filters.c(1012): [client
101.172.90.164:58882]   Date: Thu, 16 Jun 2016 16:25:10 GMT
[Thu Jun 16 09:25:10.408227 2016] [http:trace5] [pid 10200] http_filters.c(1015): [client
101.172.90.164:58882]   Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:25:10.408297 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]  
Content-Length: 664
[Thu Jun 16 09:25:10.408347 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]  
Connection: close
[Thu Jun 16 09:25:10.408408 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882]  
Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:25:10.408524 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882]
core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.408878 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882]
core_output_filter: flushing because of FLUSH bucket

My configure env and cmdline were:
CC=/usr/global/opt/SunStudio12.2/bin/cc
export CC

exec ./configure \
        --with-mpm=prefork \
        --with-included-apr \
        --with-pcre=/opt/pcre \
        --enable-authnz-ldap \
        --enable-ldap \
        --with-ldap=ldap \
        --with-ldap-lib=/opt/csw/lib \
        --with-ldap-include=/opt/csw/include \
        --enable-authnz-fcgi \
        --enable-cgi \
        --enable-ssl \
        --with-ssl=/opt/csw \
        --with-ssl-lib=/opt/csw/lib \
        --with-ssl-include=/opt/csw/include \
        --with-crypto \
        --with-openssl=/opt/csw \
        --enable-modules=all \
        --enable-rewrite \
        --prefix=/codeadm/http_servers/httpd-${INSTALL_VER}


In httpd.conf I am setting the path to the CA cert file:
# Specify CA certificate file
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/MyGlobalCACert.crt

The configuration for the directory I am trying to browse to is:
    Options Indexes FollowSymLinks MultiViews Includes
    AuthName "Use NIS or Active Directory Login"
    AllowOverride None
    LDAPReferrals Off
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile "/work/www/HT/HTpasswd.dat"
    AuthGroupFile "/work/www/HT/HTgroup.dat"
    AuthLDAPURL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
    AuthLDAPBindDN CN=aduserforread,OU=Engineering,DC=global,DC=corp,DC=markco
    AuthLDAPBindPassword FakePassW0rd
    Require valid-user
I have confirmed I can use the "ldapsearch" commandline tool from openldap with these values
to query AD successfully.
Any thoughts on what I can do to make LDAP over SSL work?
Thanks
Mj
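Two things in the post above are worth pulling out of the error_log automatically before a log like this is shared or filed in a bug: the startup line AH01320 ("LDAP: SSL support unavailable") is the real diagnosis, because it is the APR LDAP layer saying it has no SSL support at all, which is why every ldaps:// bind later fails with "ldap initialization failed" and a 500 instead of a 401; and at trace4 httpd echoes every request header, so the Basic Authorization header (base64 of user:password) lands in the log in the clear. The following script is an added example written for this page, not code from the poster or from the httpd project. It parses httpd 2.4 error_log lines, reports those two symptoms, and masks Basic credentials. The sample log is constructed: the client address, user name and credential are made up and do not come from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an httpd 2.4 error_log at "LogLevel trace8". It is not
# the poster's log: the client address, user name and Basic credential below
# are made up (the credential decodes to "example:notarealpassword").
SAMPLE_LOG = """\
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208): Setting LogLevel for all modules to trace8
[Thu Jun 16 09:20:17.560000 2016] [ldap:info] [pid 10195] AH01320: LDAP: SSL support unavailable
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 192.0.2.10:58882]   Authorization: Basic ZXhhbXBsZTpub3RhcmVhbHBhc3N3b3Jk
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 192.0.2.10:58882] AH01695: auth_ldap authenticate: user someuser authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117): [client 192.0.2.10:58882] auth phase 'check user' gave status 500: /
"""

# httpd 2.4 default ErrorLogFormat: [timestamp] [module:level] [pid N] [client a:p] msg,
# with an optional "file.c(line): " prefix on trace lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[a-z_]+):(?P<level>[a-z0-9]+)\] "
    r"\[pid (?P<pid>\d+)\] "
    r"(?:\S+\.c\(\d+\): )?"                      # optional source file(line) prefix
    r"(?:\[client (?P<client>[^\]]+)\] +)?"      # optional client address
    r"(?P<msg>.*)$"
)
BASIC_RE = re.compile(r"((?:Proxy-)?Authorization: Basic )[A-Za-z0-9+/=]+")
FAIL_RE = re.compile(r"AH01695: auth_ldap authenticate: user (?P<user>\S+) authentication failed")
STATUS_RE = re.compile(r"auth phase 'check user' gave status (?P<status>\d+): (?P<uri>\S+)")


@dataclass
class LogEntry:
    ts: str
    module: str
    level: str
    pid: int
    client: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one error_log line; return None for wrapped continuation lines or garbage."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return LogEntry(m["ts"], m["module"], m["level"], int(m["pid"]), m["client"], m["msg"])


def redact_credentials(line: str) -> str:
    """Mask the base64 payload of Authorization headers that trace4 echoes into the log."""
    return BASIC_RE.sub(r"\1[REDACTED]", line)


def scrub_log(log_text: str) -> str:
    """Return the log with every Basic credential masked, line structure unchanged."""
    return "\n".join(redact_credentials(line) for line in log_text.splitlines())


def diagnose(log_text: str) -> dict:
    """Summarise the LDAP-over-SSL symptoms seen in the thread."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    report = {
        "ssl_support_unavailable": False,   # AH01320 logged by util_ldap at startup
        "ldap_init_failed_users": [],       # AH01695 with "ldap initialization failed"
        "status_500_uris": [],              # auth phase ended in 500 (backend error), not 401
        "credentials_logged": 0,            # Basic credentials present in the log text
    }
    for e in entries:
        if e.module == "ldap" and "AH01320" in e.msg:
            report["ssl_support_unavailable"] = True
        m = FAIL_RE.search(e.msg)
        if m and "ldap initialization failed" in e.msg:
            report["ldap_init_failed_users"].append(m["user"])
        m = STATUS_RE.search(e.msg)
        if m and m["status"] == "500":
            report["status_500_uris"].append(m["uri"])
        if BASIC_RE.search(e.msg):
            report["credentials_logged"] += 1
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(scrub_log(SAMPLE_LOG))
```

Run it over a real error_log (`python3 script.py < error_log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) before attaching the log anywhere: a non-zero `credentials_logged` means the trace output carries live passwords, and `ssl_support_unavailable` being true says the fix belongs in the apr-util LDAP build, not in the vhost configuration.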