# [Solved] getting Apache 2.2 to authenticate via secure ldap

## tomblue

Hi all,

I'm struggling getting my Apache server to authenticate via secure ldap against an existing Windows 2k3 domain controller so that users can access a subversion repository with their known user credentials. Unencrypted authentication using "ldap://..." works fine though!

- I've exported the server certificate from the Windows box and stored it on the Gentoo server.

- converted it to pem format 

```
openssl x509 -in ActiveDirectory_Cert.pem.cer -out ActiveDirectory_Cert.pem
```

- checked that the certificate actually works 

```
openssl s_client -connect dc01.domain.prv:3269 -CAfile /etc/openldap/ssl/ActiveDirectory_Cert.pem
```

which returned a satisfying 

```
Verify return code: 0 (ok)
```

- tweaked the ldap.conf and added the following lines of code: 

```
TLS_REQCERT allow
TLS_CACERT /etc/openldap/ssl/ActiveDirectory_Cert.pem
SASL_SECPROPS maxssf = 0
```

- checked that ldapsearch can access the directory 

```
ldapsearch -x -H ldaps://dc01.domain.prv:3269 -D 'CN=LDAP Account,OU=Admin Accounts,DC=domain,DC=prv' -W
```

which returns tons of active directory objects. So the server can talk to the AD controller perfectly via ldaps.

Apache refuses to contact the domain controller though - it is unfortunately not giving me much information when running in debug mode as well. Only error I'm getting is 

```
[warn] [client 10.xxx.xxx.xxx] [5973] auth_ldap authenticate: user user01 authentication failed; URI /svn/project [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
```

I've set up the following configs:

47_mod_dav_svn.conf:

```
<IfDefine SVN>
        <IfModule !mod_dav_svn.c>
                LoadModule dav_svn_module       modules/mod_dav_svn.so
        </IfModule>
                LDAPVerifyServerCert Off
                LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/ssl/ActiveDirectory_Cert.pem
        <Location /svn/>
                DAV svn
                SVNParentPath /var/svn/repositories/
                SVNListParentPath on
                RedirectMatch ^(/svn)$ $1/
                AuthBasicProvider ldap
                AuthUserFile /dev/null
                AuthType Basic
                order allow,deny
                allow from all
                AuthName "SVN Login"
                AuthLDAPURL ldaps://dc01.domain.prv:3269/OU=EMEA,DC=domain,DC=prv?sAMAccountName?sub?(objectClass=user)
                #AuthLDAPURL ldap://dc01.domain.prv:3268/OU=EMEA,DC=domain,DC=prv?sAMAccountName?sub?(objectClass=user)
                AuthLDAPBindDN svnadmin@domain.prv
                AuthLDAPBindPassword hackme
                Require ldap-group cn=svnusers,ou=Access_Groups,ou=xxx,ou=Germany,ou=EMEA,dc=domain,dc=prv
                Require ldap-group cn=svnadmins,ou=Access_Groups,ou=xxx,ou=Germany,ou=EMEA,dc=domain,dc=prv
                satisfy all
        </Location>
                Include /var/svn/httpd/*.conf
        <IfDefine SVN_AUTHZ>
                <IfModule !mod_authz_svn.c>
                        LoadModule authz_svn_module     modules/mod_authz_svn.so
                </IfModule>
        </IfDefine>
</IfDefine>
```

00_default_vhost.conf:

```
<IfDefine DEFAULT_VHOST>
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
        ServerName svnserver
        Include /etc/apache2/vhosts.d/default_vhost.include
        <IfModule mpm_peruser_module>
                ServerEnvironment apache apache
        </IfModule>
</VirtualHost>
</IfDefine>
```

default_vhost.include:

```
<Directory "/var/www/localhost/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
</Directory>

<IfModule alias_module>
        ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/"
</IfModule>

<Directory "/var/www/localhost/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
</Directory>
```

packages:

```
www-servers/apache-2.2.10
net-nds/openldap-2.3.43
```

What am I missing? I'm pretty sure that there's some option or setting I'm missing... Any help would be greatly appreciated.

Thanks in advance!!

Last edited by tomblue on Wed Jul 29, 2009 7:19 am; edited 1 time in total
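The `AuthLDAPURL` in the post packs scheme, host, port, base DN, attribute, scope and filter into one string, and the `LDAPVerifyServerCert Off` next to it means Apache never checks the DC's certificate, so the `openssl s_client -CAfile` check above is not what mod_ldap actually enforces. The script below is an added example (not from this thread, not Apache's or OpenLDAP's code): it parses that URL format the way mod_authnz_ldap documents it and lints a config fragment built from the thread's values (with a placeholder bind password) for scheme/port mismatches, clear-text binds and disabled certificate verification. The `PLAINTEXT_PORTS`/`TLS_PORTS` sets (389/636 for a plain DC, 3268/3269 for the AD Global Catalog) and the finding texts are my own assumptions, not Apache terminology.

```python
"""Parse an Apache AuthLDAPURL and lint the LDAP auth directives around it.

Added example, not code from the thread or from Apache. The port sets and
the finding messages are assumptions made for this example.
"""
from urllib.parse import urlsplit, unquote

# Assumed well-known ports: 389/636 on a domain controller, 3268/3269 on
# the AD Global Catalog (the thread uses the Global Catalog ports).
PLAINTEXT_PORTS = {389, 3268}
TLS_PORTS = {636, 3269}


def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into a dict.

    Defaults follow mod_authnz_ldap: port 389 for ldap:// and 636 for
    ldaps://, attribute "uid", scope "sub", filter "(objectClass=*)".
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # Everything after the first '?' is the attribute?scope?filter triple.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def lint_ldap_auth(config_text):
    """Return a list of findings (strings) for an httpd config fragment."""
    findings = []
    verify_off = False
    url = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        key = directive.lower()
        value = value.strip()
        if key == "ldapverifyservercert" and value.lower() == "off":
            verify_off = True
        elif key == "authldapurl":
            url = parse_auth_ldap_url(value)
    if url is None:
        findings.append("no AuthLDAPURL found")
        return findings
    if url["scheme"] == "ldaps" and url["port"] in PLAINTEXT_PORTS:
        findings.append("ldaps:// scheme on plaintext port %d" % url["port"])
    if url["scheme"] == "ldap" and url["port"] in TLS_PORTS:
        findings.append("ldap:// scheme on TLS port %d" % url["port"])
    if url["scheme"] == "ldap":
        findings.append("bind credentials travel in the clear over ldap://")
    if verify_off:
        findings.append("LDAPVerifyServerCert Off: the DC certificate is never "
                        "checked, so TLS does not protect against a spoofed server")
    return findings


# Constructed config fragment mirroring the thread (bind password replaced).
SAMPLE_CONFIG = """
LDAPVerifyServerCert Off
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/ssl/ActiveDirectory_Cert.pem
<Location /svn/>
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "SVN Login"
    AuthLDAPURL ldaps://dc01.domain.prv:3269/OU=EMEA,DC=domain,DC=prv?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN svnadmin@domain.prv
    AuthLDAPBindPassword REPLACE_ME
</Location>
"""

if __name__ == "__main__":
    for finding in lint_ldap_auth(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run it as-is and the only finding is the disabled certificate verification; swap the commented-out `ldap://...:3268` URL from the thread into the sample and it additionally reports that the bind credentials cross the wire unencrypted.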

----------

## cach0rr0

you might change Apache's LogLevel to 'debug' and see if it doesn't give more information

I keep finding heaps of threads ranging from CN mismatch (which shouldn't affect you, as you've disabled verification), to bugs in gnutls

None of them seem to fit here, but in every case raising the level of logging proved useful.

----------

## tomblue

Hi,

I already set Apache to debug but had no success.... It writes quite heavily into the logfile. The LDAP part writes some more information too: that it is using server dc01.domain.prv on port 3269 and that it is using the filters set in the AuthLDAPURL, even that it is using SSL.

But when it comes to the crucial point it just says: "Can't contact LDAP server" and is done with it. No details regarding certificate issues or something.

Regards

----------

## malern

Are you sure this directive is correct?

```
AuthLDAPBindDN svnadmin@domain.prv
```

I realise you've changed it for privacy reasons, but I would have expected a format more like

```
AuthLDAPBindDN CN=svnadmin,DC=domain,DC=prv
```

At least that's the format I use with openldap, maybe it's different with Windows AD?

----------

## cach0rr0

*malern wrote:*

> Are you sure this directive is correct?
> 
> ```
> AuthLDAPBindDN svnadmin@domain.prv
> ```
> ...

 

good catch

though, I will say that's the userPrincipalName in AD, and in the MS world it is the preferred auth format going forward, over DOMAIN\user.

possible, though

----------

## cach0rr0

you know, the other thing you can do with hopes of seeing a more usable error....

strace apache, attempt the auth, and see if you don't get the full text of the error

----------

## tomblue

The authentication works with either

```
AuthLDAPBindDN svnadmin@domain.prv
```

or

```
AuthLDAPBindDN CN=svnadmin,DC=domain,DC=prv
```

when using an unencrypted ldap connection. I've tested it both ways.

Ohhhh and another thing: I've got it working!!! Just updated to the latest stable version:

```
app-admin/apache-tools-2.2.11
www-servers/apache-2.2.11-r2
```

Didn't even need to change my config. Update, restart, done! Must have been some glitch in the version I was running... Damn, that has cost me some hours!

Thanks cach0rr0 and malern for your replies!!

Cheers

----------

