# Apache 2.0.52/mod_auth_ldap and Active Directory

## Llarian

I've been fighting with this all day without any useful answer.  I've tried damn near everything in all the threads I've found like this on Google with no luck, so hopefully somebody here might be able to offer some help.  Trying to get Apache2 to authenticate against Active Directory.  (Currently Win2k)

First, the .htaccess config:

```
AuthLDAPEnabled on
AuthType Basic
AuthName "LDAP Auth Test"
# Bind as a full DN ...
#AuthLDAPBindDN "CN=Dylan Vanderhoof,OU=Engineering,OU=Operations,OU=Semaphore Users,DC=semaphore,DC=lan"
# ... or as a UPN; AD accepts either for a simple bind
AuthLDAPBindDN "dylanv@semaphore.com"
AuthLDAPBindPassword "*******"
# ldap:// on 389: bind password and user credentials cross the wire in the clear
AuthLDAPURL "ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)"
require valid-user
```

I've used both DNs specified above with the following ldapsearch statement and it works fine there:

```
ldapsearch -LLL -H "ldap://dc1.semaphore.lan" -x -D "CN=Dylan Vanderhoof,OU=Engineering,OU=Operations,OU=Semaphore Users,DC=semaphore,DC=lan" -W -v -b "dc=semaphore,dc=lan" "(sAMAccountName=dylanv)"
```

Here's the error messages I get from apache:

```
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(701): [992] auth_ldap url parse: `ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)'
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(722): [992] auth_ldap url parse: Host: dc1.semaphore.lan
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(724): [992] auth_ldap url parse: Port: 389
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(726): [992] auth_ldap url parse: DN: dc=semaphore,dc=lan
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(728): [992] auth_ldap url parse: attrib: sAMAccountName
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(730): [992] auth_ldap url parse: scope: subtree
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(735): [992] auth_ldap url parse: filter: (objectClass=user)
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(800): LDAP: auth_ldap not using SSL connections
[Mon Feb 14 16:47:32 2005] [debug] mod_auth_ldap.c(308): [client 192.168.1.68] [992] auth_ldap authenticate: using URL ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)
[Mon Feb 14 16:47:32 2005] [warn] [client 192.168.1.68] [992] auth_ldap authenticate: user dylanv authentication failed; URI /testdir [ldap_search_ext_s() for user failed][Operations error]
```

Any ideas?  Every similar thread I've found doesn't have an answer.  I know I'm authenticating correctly, since if I change the AuthLDAPBindDN to an invalid user, it fails with a bind failure error with invalid credentials.

Thanks!

-Dylan

----------

## UberLord

Looks like you need to use ldaps:// instead of ldap:// in the URI

----------

## cselkirk

 *UberLord wrote:*   

> Looks like you need to use ldaps:// instead of ldap:// in the URI

 

I would have thought the same, but given the OP was able to "ldapsearch ldap://" port 389 ("ldap://") must be listening. I have no experience with Active Directory so I can't comment ITR, my suspicion would be that mod_ldap is missing the LDAPTrustedCA directive (not seen in the above .htaccess, is it defined in your apache configuration?). The mod_ldap documentation states "It specifies the directory path and file name of the trusted CA mod_ldap should use when establishing an SSL connection to an LDAP server".

HTH

----------

## Llarian

Yeah.  I'll eventually try it with SSL, but that's a royal PITA with Active Directory, so until I can get it to work without being secure, there's no reason to screw with the SSL part yet. 

I suppose I may have to use mod_auth_kerberos for the time being, but I'd prefer LDAP if I can make this work.

----------

## UberLord

cselkirk is right -  you need the LDAPTrustedCA directive

I discovered this today as I had the same issue moving to ldaps://

What I don't know yet is if you get the same error on a TLS connection which would use the ldap:// URI

----------

## Llarian

Ok, but that doesn't explain why I can't force mod_auth_ldap to use simple auth for testing, which is what I'm attempting here.  I'll give a shot at doing TLS I suppose.

----------

## Llarian

Got it working.

mod_auth_ldap implies it can do simple authentication, but it doesn't appear to actually work with AD, despite what ldapsearch returned.

Pulling the CA Cert from AD and switching to ldaps solved the problem.

Thanks,

Dylan

----------

## frilled

Might you enlighten me on how to do this? I do have the AD certificate at hand, but how to do it?

First problem: from the supposedly supported three certificate types, only BASE64_FILE seems to work (if I use anything else, the log says BASE64_FILE is needed). So I base64-encoded my certificate, and at least I get "SSL support available" in the log now. I doubt it works, though, so that's probably the origin of the error below:

I then used 

```
AuthLDAPURL             ldaps://my.server.dom/dc=server,dc=dom?sAMAccountName?sub?(objectClass=*)
```

but still, all I get is

```
[Thu Jan 12 13:49:59 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jan 12 13:49:59 2006] [notice] LDAP: SSL support available
[Thu Jan 12 13:50:00 2006] [notice] Apache configured -- resuming normal operations
[Thu Jan 12 13:50:07 2006] [warn] [client a.b.c.d] [27103] auth_ldap authenticate: user myuser authentication failed; URI /suck/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
```

If I don't use ldaps://, I get

```
[Thu Jan 12 14:01:12 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jan 12 14:01:12 2006] [notice] LDAP: SSL support available
[Thu Jan 12 14:01:12 2006] [notice] Apache configured -- resuming normal operations
[Thu Jan 12 14:01:15 2006] [warn] [client a.b.c.d] [27243] auth_ldap authenticate: user myuser authentication failed; URI /suck/ [ldap_search_ext_s() for user failed][Operations error]
```

----------

## Llarian

Sure thing!  

First, I had to add my CA cert to /etc/apache2/modules.d/46_mod_ldap

```
<IfModule util_ldap.c>
    # CA that signed the domain controllers' LDAPS certificates, Base64 (PEM) encoded
    LDAPTrustedCA /etc/ssl/certs/SemaphoreCA.pem
    LDAPTrustedCAType BASE64_FILE
</IfModule>
```

I never got things to work without LDAPS, but AD seems to require its CA cert be installed.

My .htaccess files look like this once that is setup:

```
AuthLDAPEnabled on
AuthType Basic
AuthName "Realm"
# unprivileged lookup account; it only needs read access to the user objects
AuthLDAPBindDN "CN=LDAP Lookup,OU=Service Accounts,OU=Company Users,DC=company,DC=lan"
AuthLDAPBindPassword "********"
# two DCs, tried in order; ldaps:// defaults to port 636
AuthLDAPURL "ldaps://dc2.company.lan dc1.company.lan/dc=company,dc=lan?sAMAccountName?sub?(objectClass=user)"
AuthLDAPGroupAttributeIsDN on
# the group DN contains spaces, so it has to be quoted or it is split into separate words
require group "CN=Company People,OU=Company Security Groups,DC=company,DC=lan"
```

HTH!  Please let me know if that doesn't do it for you and I can probably help out a bit more.

-Dylan
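An added example, not code from this thread or from Apache: the `AuthLDAPURL` strings in Dylan's two posts above, parsed the way mod_auth_ldap's debug log breaks them down (scheme, host list with default port, base DN, attribute, scope, filter), plus the user search filter the module builds from them. The URL grammar is RFC 2255 with mod_auth_ldap's space-separated multi-host extension; the class and function names are mine, and the escaping helper is my own RFC 4515 implementation written to show why the HTTP user name must never be pasted into the filter raw.

```python
"""Parse an AuthLDAPURL as mod_auth_ldap reports it and build the user search filter.

Added example, not code from the forum thread or from Apache. Names are mine.
"""
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# mod_auth_ldap documents 'sub' as the default and treats an RFC 2255 'base' scope as 'sub'
SCOPES = {"": "subtree", "sub": "subtree", "one": "onelevel", "base": "subtree"}


@dataclass
class AuthLDAPURL:
    scheme: str
    hosts: List[Tuple[str, int]]   # (host, port) pairs, tried in order
    base_dn: str
    attribute: str                 # attribute matched against the HTTP user name
    scope: str
    filter: str                    # ANDed with the user match

    def uses_tls(self) -> bool:
        """ldap:// is cleartext on 389; only ldaps:// wraps the bind in TLS."""
        return self.scheme == "ldaps"


def parse_auth_ldap_url(url: str) -> AuthLDAPURL:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {url!r}")
    hostpart, _, path = rest.partition("/")
    hosts = []
    for hp in hostpart.split():              # "dc2.company.lan dc1.company.lan" -> two hosts
        host, _, port = hp.partition(":")
        hosts.append((host, int(port) if port else DEFAULT_PORTS[scheme]))
    if not hosts:
        raise ValueError("no LDAP host in URL")
    parts = path.split("?")                  # basedn ? attribute ? scope ? filter
    base_dn = parts[0]
    attribute = parts[1] if len(parts) > 1 and parts[1] else "uid"
    scope_key = parts[2].lower() if len(parts) > 2 else ""
    if scope_key not in SCOPES:
        raise ValueError(f"bad scope {scope_key!r}")
    filt = "?".join(parts[3:]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return AuthLDAPURL(scheme, hosts, base_dn, attribute, SCOPES[scope_key], filt)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user name like '*)(objectClass=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(u: AuthLDAPURL, username: str) -> str:
    """The (&<filter>(<attribute>=<user>)) search that precedes the bind as the found DN."""
    return f"(&{u.filter}({u.attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    u = parse_auth_ldap_url(
        "ldap://dc1.semaphore.lan/dc=semaphore,dc=lan?sAMAccountName?sub?(objectClass=user)")
    print(u)
    print(user_search_filter(u, "dylanv"))
    print(user_search_filter(u, "*)(objectClass=*"))
```

Two things worth checking with it on your own config: `uses_tls()` is false for every `ldap://` URL, so the bind password from `AuthLDAPBindPassword` and each user's Basic-auth password go across the network in the clear, and the escaped filter output shows why the module (and anything you write against AD yourself) has to escape the user name before the search.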

----------

## frilled

Hi!

Thanks for the quick reply. Unfortunately, it still doesn't work. I already had most of the configuration like in your example, and I am beginning to suspect that I am missing some very basic stuff here.

To recap: I exported our Trusted CA certificate (again) as Base64 encoded and put it in /etc/ssl/certs (thanks for pointing me there).

I have OpenLDAP and apache2 installed, and start with -D LDAP and -D AUTH_LDAP. The log says

```
[Fri Jan 13 07:46:03 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK

[Fri Jan 13 07:46:03 2006] [notice] LDAP: SSL support available

[Fri Jan 13 07:46:03 2006] [notice] Apache configured -- resuming normal operations
```

so I guess that's okay.

I can do ldapsearch as much as I want, but _only_ if I have an "ldap://...." URI set up in /etc/openldap/ldap.conf. If I change that to "ldaps://.....", I get

```
ldap_bind: Can't contact LDAP server (-1)

        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```

Which is why I don't wonder that I can't get it working with apache.

I tried with 

```
TLS_CACERTDIR  /etc/ssl/certs
```

in /etc/openldap/ldap.conf, but that doesn't change a thing.

So my problem is very basic, I suppose. Do I have to setup any slapd config (and if, which one, the one in /etc/openldap or in /etc/conf.d)?

Excuse my dumb asking, but LDAP is something I know virtually nothing about.

----------

## Llarian

Nope, you don't need slapd for the client.  Have you tried doing tcpdump and/or ssldump on the traffic to see what's happening?  

I honestly don't recall how I finally fixed this, as it's been a while.  Since I got it to work once, it's "Just Worked(TM)" since then.

Silly thought, but make sure the apache user has permissions to read the CA Cert, and that it's ASCII armored?

-D
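An added example, not code from this thread: frilled's "only BASE64_FILE seems to work" and Dylan's "make sure it's ASCII armored and readable" are the same check. The Windows certificate export wizard offers a binary (DER) form and a Base-64 form, and only the latter is what `LDAPTrustedCAType BASE64_FILE` names. The functions below tell the two apart, convert a DER export to PEM, verify the outer DER length (a truncated copy-and-paste fails here), and check the file mode. The sample certificate bytes at the bottom are a constructed DER SEQUENCE standing in for a real certificate, not an actual CA export; function names are mine.

```python
"""Check and convert a CA certificate export for LDAPTrustedCA / TLS_CACERT use.

Added example, not code from the thread, OpenSSL or Apache. Names are mine.
"""
import base64
import os
import re
import stat

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_length_ok(der: bytes) -> bool:
    """True when the outer SEQUENCE (tag 0x30) length accounts for exactly the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def detect_cert_format(data: bytes) -> str:
    """'PEM' for a Base-64 (ASCII-armored) export, 'DER' for a binary one, else 'unknown'."""
    if PEM_CERT_RE.search(data):
        return "PEM"
    if der_length_ok(data):
        return "DER"
    return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    m = PEM_CERT_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("armored body is not a complete DER SEQUENCE (truncated export?)")
    return der


def der_to_pem(der: bytes) -> bytes:
    """Wrap a binary export in the 64-column armor LDAPTrustedCAType BASE64_FILE expects."""
    if not der_length_ok(der):
        raise ValueError("input is not a complete DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def readable_by_others(path: str) -> bool:
    """The apache worker runs as an unprivileged user, so it needs the 'other' read bit (e.g. 0644)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check_ca_file(path: str) -> list:
    """The two things this thread found wrong with a CA file: wrong encoding, wrong permissions."""
    problems = []
    with open(path, "rb") as f:
        data = f.read()
    fmt = detect_cert_format(data)
    if fmt == "DER":
        problems.append("binary DER export; convert with der_to_pem()")
    elif fmt != "PEM":
        problems.append("not a certificate in PEM or DER form")
    if not readable_by_others(path):
        problems.append("not world-readable; the apache user cannot open it")
    return problems


# Constructed stand-in: SEQUENCE { INTEGER 1, INTEGER 2 }, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode())
    print(detect_cert_format(SAMPLE_DER), detect_cert_format(pem), pem_to_der(pem) == SAMPLE_DER)
```

After converting, still run `c_rehash` on the directory if you point `TLS_CACERTDIR` at it rather than `TLS_CACERT` at the file; the hash symlink is what OpenSSL looks up, as frilled found further down.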

----------

## frilled

 *Quote:*   

> Nope, you don't need slapd for the client.  Have you tried doing tcpdump and/or ssldump on the traffic to see what's happening?  

 

Since I really don't know much about LDAP, I didn't think it would help. Maybe I'll strace/tcpdump it, but I doubt it's actually going to provide lots of insight.

 *Quote:*   

> Silly thought, but make sure the apache user has permissions to read the CA Cert, and that its ASCII armored?

 

Permissions shouldn't be a problem (644 like the others). By accident I found out about the virtually undocumented "c_rehash" command and used it, so the certificate also has a hash softlink now. And yes, I exported it as base64 encoded, which is easily verified by looking at the file itself.

I'm still at a loss here - thanks for your help, though. Problem is that I can't use winbindd->PAM authentication, since winbindd in ADS mode leaks memory like raging hell (has been since 3.0.8 I believe, and even the newest one doesn't work). I'll poke around some more.

----------

## frilled

Hm, looks like I found it. To get the ldapsearch working with ldaps://, I put

```
TLS_CACERTDIR   /etc/ssl/certs
```

in /etc/openldap/ldap.conf.

That also made the Apache module work.

Now the last hurdle is to get it working with arbitrary groups (so far, only "require valid-user" worked).

[edit: works!]

Also, the lookup seems to take quite a while; there's a pause of 1-2 seconds after I send the credentials from browser to server ...

----------

## BigBeer

Did you guys actually get TLS working with mod_auth_ldap against AD??

I have SSL working, but I would like to go the extra mile and setup TLS.

Currently I have:

mm_mod_auth_ldap3.08 compiled from source

My AD CA cert in /etc/ssl/certs

My apache server cert signed by the AD CA

my /etc/openldap/ldap.conf is

```
TLS_CACERT /etc/ssl/certs/ADCAcert.pem
TLS_REQCERT demand
```

I have a ldaprc as

```
TLS_CERT /etc/apache2/ssl/server.crt
TLS_KEY /etc/apache2/ssl/server.key
```

and in /usr/lib/apache2/build/envvars

(to set the envvar as per the mod_auth_ldap doc)

```
LDAPCONF=/etc/apache2/ldaprc
export LDAPCONF
```

The config for mod_auth_ldap is

```
<Location /svn>
    DAV svn
    SVNPath /mnt/svn/
    AuthName "Subversion repository"
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    LDAP_Protocol_Version 3
    LDAP_StartTLS On
    LDAP_OpenLDAP_Initialize On
    LDAP_Server ad1.my.domain.com
    Base_DN "DC=my,DC=domain,DC=com"
    Bind_DN "CN=adreader,CN=users,DC=my,DC=domain,DC=com"
    Bind_Pass "password"
    UID_Attr "samaccountname"
    Require valid-user
    SSLRequireSSL
</Location>
```

This doesn't work. I always get 

```
mm_mod_auth_ldap.c (5315) - Could not initialize OpenLDAP SDK connection, LDAP server ad1.my.domain.com - Operations error (1)
```

In my Apache logs.

If I change my apache config to say 

```
LDAP_Server ldaps://ad1.my.domain.com:636
```

Then in my apache logs I get

```
mm_mod_auth_ldap.c (5428) - Starting TLS failed (-4): Decoding error
```

It is crazy though, because just using open ssl to connect to the ad server I can see the handshake work.

Using:

```
# client cert and key, as configured in ldaprc (the key path was mistyped in the original post)
openssl s_client -connect ad01.my.domain.com:636 -state \
    -CAfile /etc/ssl/certs/ADCAcert.pem \
    -cert /etc/apache2/ssl/server.crt \
    -key /etc/apache2/ssl/server.key
```

The handshake will fail if I use port 389

Attempting to ldapsearch doesn't work:

```
ldapsearch -ZZ -H ldaps://ad01.my.domain.com -x -b "dc=my,dc=domain,dc=com" "(sn=doe)" -d 1
ldap_create
ldap_url_parse_ext(ldaps://ad01.my.domain.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ad01.my.domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.2:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /emailAddress=administrator@mydomain.com/C=US/ST=Georgia/L=Atlanta/O=Company/OU=IT/CN=CA01, issuer: /emailAddress=administrator@mydomain.com/C=US/ST=Georgia/L=Atlanta/O=Company/OU=IT/CN=CA01
TLS certificate verification: depth: 0, err: 0, subject: /CN=ad01.my.domain.com, issuer: /emailAddress=administrator@mydomain.com/C=US/ST=Georgia/L=Atlanta/O=Company/OU=IT/CN=CA01
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ad01.my.domain.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr 25 12:49:31 2006
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 22 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_perror
ldap_start_tls: Decoding error (-4)
```

Since I can get it to work with openssl, I am thinking that I have something messed up with my openldap config.

Any thoughts?

Thanks!

--BigBeer

-- edit --

I forgot to add that even though I see these errors, I still seem to be able to auth to AD, and from my packet dumps it appears to be encrypted.
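An added example, not code from this thread, OpenLDAP or Apache, to make the debug output above readable. `-Z`/`-ZZ` asks ldapsearch to send the StartTLS extended operation (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037), which is defined for the plain port 389; `ldaps://` instead wraps the socket in TLS from the first byte on 636. The trace shows both happening at once: the TLS handshake completes, then `ber_flush: 31 bytes to sd 3` sends msgid 1, an `ldap_extended_operation`, over the already-encrypted socket. The block below encodes that request (it comes out at exactly 31 bytes) and decodes the `extended-result` that comes back; the responses it decodes in the demo are constructed here, not captured from a domain controller. BER helpers and names are mine.

```python
"""StartTLS on the wire: the ExtendedRequest ldapsearch -Z sends and the ExtendedResponse it reads.

Added example, not code from the thread, OpenLDAP or Apache. Names are mine.
"""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform"}
TAG_SEQUENCE, TAG_INTEGER, TAG_ENUM, TAG_OCTETS = 0x30, 0x02, 0x0A, 0x04
TAG_EXT_REQUEST, TAG_EXT_RESPONSE = 0x77, 0x78        # [APPLICATION 23] / [APPLICATION 24]
TAG_REQ_NAME, TAG_RESP_NAME, TAG_RESP_VALUE, TAG_REFERRAL = 0x80, 0x8A, 0x8B, 0xA3


def ber_len(n: int) -> bytes:
    """X.690 length: one byte below 128, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's complement (messageIDs are non-negative)."""
    return ber_tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_starttls_request(msgid: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = StartTLS OID } }."""
    request = ber_tlv(TAG_EXT_REQUEST, ber_tlv(TAG_REQ_NAME, STARTTLS_OID))
    return ber_tlv(TAG_SEQUENCE, ber_int(msgid) + request)


def build_extended_response(msgid: int, result_code: int, error: bytes = b"",
                            response_name: bytes = None) -> bytes:
    """Constructed server reply (for the demo/tests): LDAPResult plus optional responseName [10]."""
    body = ber_tlv(TAG_ENUM, bytes([result_code])) + ber_tlv(TAG_OCTETS, b"") + ber_tlv(TAG_OCTETS, error)
    if response_name is not None:
        body += ber_tlv(TAG_RESP_NAME, response_name)
    return ber_tlv(TAG_SEQUENCE, ber_int(msgid) + ber_tlv(TAG_EXT_RESPONSE, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); refuse anything that runs past buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[pos:end], end


def decode_extended_response(buf: bytes) -> dict:
    """Parse one LDAPMessage carrying an ExtendedResponse; ValueError for anything else."""
    tag, msg, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, pos = _read_tlv(msg, pos)
    if tag != TAG_EXT_RESPONSE:
        raise ValueError("protocolOp is not ExtendedResponse (tag 0x%02x)" % tag)
    tag, rc, p = _read_tlv(op, 0)
    if tag != TAG_ENUM:
        raise ValueError("missing resultCode")
    _, matched, p = _read_tlv(op, p)
    _, err, p = _read_tlv(op, p)
    out = {"msgid": int.from_bytes(mid, "big", signed=True),
           "result_code": int.from_bytes(rc, "big"),
           "matched_dn": matched.decode("utf-8", "replace"),
           "error": err.decode("utf-8", "replace"),
           "response_name": None, "response_value": None}
    out["result"] = RESULT_NAMES.get(out["result_code"], "code %d" % out["result_code"])
    while p < len(op):                        # optional referral [3], responseName [10], responseValue [11]
        tag, val, p = _read_tlv(op, p)
        if tag == TAG_RESP_NAME:
            out["response_name"] = val.decode()
        elif tag == TAG_RESP_VALUE:
            out["response_value"] = val
        elif tag != TAG_REFERRAL:
            raise ValueError("unexpected element tag 0x%02x in ExtendedResponse" % tag)
    return out


if __name__ == "__main__":
    req = encode_starttls_request(1)
    print(len(req), "bytes:", req.hex())          # 31 bytes, as in the ber_flush line above
    print(decode_extended_response(build_extended_response(1, 0, response_name=STARTTLS_OID)))
    print(decode_extended_response(build_extended_response(1, 1, b"constructed error text")))
```

The practical reading of the trace: to test StartTLS, use `ldapsearch -ZZ -H ldap://ad01.my.domain.com` (port 389, TLS negotiated after the request); to test LDAPS, drop `-ZZ` and keep `ldaps://`. Sending both is a request the server has to refuse or answer oddly, and it is the same combination as `LDAP_StartTLS On` together with `LDAP_Server ldaps://...:636` in the Apache config.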

----------

## frilled

Hm, I didn't have time to check out what you wrote in detail, just a quick thought though - did you run "c_rehash" after putting the certificate in /etc/ssl/certs dir?

I'll have a more detailed look later, but I hope there's more knowledge around than mine ...

----------

## BigBeer

 *wgi wrote:*   

> Hm, I didn't have time to check out what you wrote in detail, just a quick thought though - did you run "c_rehash" after putting the certificate in /etc/ssl/certs dir?
> 
> I'll have a more detailed look later, but I hope there's more knowledge around than mine ...

 

Thanks for the tip, but I have already run c_rehash. I can verify my certs using openssl too.

Well, I kept trolling Google for "Active Directory TLS" and came across a post on the Sun Java development forums about Java code to do user manipulation over LDAP to Active Directory.

In the post, the author clearly states

> Note that Windows 2000 Domain Controllers do not support TLS.

And he has two different code samples, one with SSL for Win2000 and one with TLS for Win2003.

Since all my domain controllers are Win2000, I am starting to think that TLS is not an option.

Can anyone else verify this?

--

BigBeer

----------

