# [HELP] Anyone using Apache 2.x TLS/SSL auth through OpenLDAP (ldaps)?

## axa

Hello all,

Recently I tried to use Apache 2.0.47 .htaccess authentication through OpenLDAP, but I failed to implement it.

Has anyone implemented this successfully? Any documentation?

I've read the following documents, but it still CANNOT work:

http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html

http://httpd.apache.org/docs-2.0/mod/mod_ldap.html

http://www.openldap.org/doc/admin21/tls.html

★ When I attempt to view my restricted web page with the Mozilla or IE 6.0 browser

my Apache error_log shows:

*Quote:*

> [Wed Jul 23 19:23:27 2003] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Wed Jul 23 19:23:27 2003] [notice] LDAP: SSL support available
> ...

My slapd debug output:

*Quote:*

> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> ...

★ When I use ldapsearch to verify the TLS/SSL connection

I get a warning:

ldap_start_tls: Operations error

        additional info: TLS already started

But TLS/SSL seems to be working fine, because I CAN get my entry from ldaps:

*Quote:*

> backup www # ldapsearch -Z -W -H "ldaps://ldap.play.tv" -b "dc=play,dc=tv" "cn=axa.cheng" -D "cn=root,dc=play,dc=tv"
> ldap_start_tls: Operations error
> ...

==================================

‧ My Apache 2 commonapache2.conf:

*Quote:*

> LDAPTrustedCA           /var/www/cacert.der
> LDAPTrustedCAType       DER_FILE
> ...

‧ My Apache 2 .htaccess file content:

*Quote:*

> AuthName        "OpenLDAPs"
> AuthLDAPEnabled on
> ...

‧ My OpenLDAP slapd.conf:

*Quote:*

> TLSVerifyClient        never
> TLSCipherSuite MEDIUM:LOW:+SSLv3+TLSv1:RSA
> ...

CAN ANYONE HELP ME TRACE THIS QUESTION?

I HAVE NO IDEA ABOUT IT....

----------

## axa

@_@ Does anybody know?

----------

## chbauer

Hi,

I just spent some time trying to make mod_auth_ldap talk to Novell eDirectory using TLS.

The first problem I see in your configuration are the lines:

```
LDAPTrustedCAType DER_FILE

LDAPTrustedCAType BASE64_FILE
```

You must choose one of the lines and remove the other. The format of your CA certificate file can be DER or PEM (BASE64), but not both at the same time.

According to my tests, the Apache LDAP client doesn't support DER files. You can test this by removing the line

```
LDAPTrustedCAType BASE64_FILE 
```

from commonapache2.conf and looking in your error log for a message saying that LDAPTrustedCAType MUST BE BASE64_FILE.

To make TLS work try this:

- Put this LDAP configuration in your commonapache2.conf file:

```
LDAPTrustedCAType BASE64_FILE 

LDAPTrustedCA /var/www/cacert.pem
```

- Convert your CA certificate from DER to PEM:

```
openssl x509 -inform DER -in /var/www/cacert.der -outform PEM -out /var/www/cacert.pem
```

- (Re)start your apache server.

Could you please confirm if that works for you?

----------
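The fix chbauer describes comes down to one fact: `LDAPTrustedCAType BASE64_FILE` expects PEM, which is just the DER bytes base64-encoded between `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` armour lines. The following is an added example, not code from the thread or from Apache or OpenLDAP: it detects which encoding a CA file is in (so you know which `LDAPTrustedCAType` value matches it), validates the outer ASN.1 SEQUENCE framing to catch a truncated file, and performs the same DER-to-PEM conversion the `openssl x509` command does. `SAMPLE_DER` is a constructed DER SEQUENCE standing in for `cacert.der`; it is not a real certificate.

```python
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def detect_cert_format(data: bytes) -> str:
    """Classify a CA file as 'PEM', 'DER' or 'unknown'.

    A PEM file is text that starts with a '-----BEGIN' armour line; a DER-encoded
    X.509 certificate is binary and always starts with the ASN.1 SEQUENCE tag
    0x30, because Certificate ::= SEQUENCE { ... }.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_total_length(der: bytes) -> int:
    """Parse the outer SEQUENCE tag and length and return the encoded size.

    Raises ValueError if the buffer is not exactly one complete SEQUENCE, which
    is the cheapest way to catch a truncated or mangled DER file.
    """
    if len(der) < 2 or der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: a single length byte
        header, length = 2, first
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header = 2 + n
        length = int.from_bytes(der[2:header], "big")
    total = header + length
    if total != len(der):
        raise ValueError(f"DER length mismatch: header says {total} bytes, got {len(der)}")
    return total


def der_to_pem(der: bytes) -> str:
    """Same transformation as `openssl x509 -inform DER -outform PEM`: base64 in 64-column lines."""
    der_total_length(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return PEM_HEADER + "\n" + "\n".join(lines) + "\n" + PEM_FOOTER + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and base64-decode; the result is validated as DER."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    der_total_length(der)
    return der


def to_base64_file(data: bytes) -> str:
    """Return PEM text usable with LDAPTrustedCAType BASE64_FILE, whatever the input encoding."""
    fmt = detect_cert_format(data)
    if fmt == "PEM":
        pem = data.decode("ascii")
        pem_to_der(pem)                   # round-trip check that the base64 body is sane
        return pem
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("unrecognised certificate encoding")


# Constructed stand-in for cacert.der: a DER SEQUENCE with a long-form length
# wrapping a 197-byte OCTET STRING. Not a real certificate, only valid DER framing.
SAMPLE_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 0xC5

if __name__ == "__main__":
    print(detect_cert_format(SAMPLE_DER))   # DER
    print(to_base64_file(SAMPLE_DER))       # PEM text for the BASE64_FILE directive
```

Run it against the real `/var/www/cacert.der` by reading the file in binary mode and passing the bytes to `to_base64_file`; if `detect_cert_format` reports `unknown`, the file is neither encoding and is worth re-exporting from the CA before touching the Apache configuration.

----------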

## axa

Hello chbauer, thank you very much for your reply.

I changed my certificate format to PEM and modified my LDAPTrustedCAType to BASE64_FILE,

then I restarted apache2, and it's working fine! Thank you very much for your advice.

BTW, I have a question... HOW SHOULD I VERIFY that my mod_auth_ldap module is using a TLS connection to authenticate to my LDAP server???

I've used the following command to start my slapd and monitor every connection:

*Quote:*

> slapd -h ldap:/// ldaps:/// -d 255 -s 255

BUT I DID NOT see any "TLS" words in the debug output......

Could you propose any exact technique to verify that the mod_auth_ldap connection goes through TLS???

*chbauer wrote:*

> Hi,
>
> I just spent some time trying to make mod_auth_ldap talk to Novell eDirectory using TLS.
>
> The first problem I see in your configuration are the lines:
> ...

----------

## chbauer

*axa wrote:*

> BTW, I have a question... HOW SHOULD I VERIFY that my mod_auth_ldap module is using a TLS connection to authenticate to my LDAP server???
>
> I've used the following command to start my slapd and monitor every connection:
> ...


I did some testing using the OpenLDAP 2.0.27 server and noticed that if I start it the same way you did, it doesn't open the LDAPS port (636) for listening. You can check that by running:

```
netstat -an
```

If I run:

```
slapd -h "ldap:/// ldaps:///" -d 255 -s 255
```

or

```
slapd -h ldap:/// -h ldaps:/// -d 255 -s 255
```

slapd opens the LDAPS port and I can see a lot of TLS* words in the debug output.

----------
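The difference between the three slapd command lines in chbauer's post is shell word splitting: unquoted, `ldap:/// ldaps:///` is two words, so only the first becomes the value of `-h` and the second is left over as a stray positional argument that never turns into a listener. The following is an added example, not code from the thread or from OpenLDAP: it uses `shlex.split` for the shell's quoting rules and Python's GNU-style `getopt` as a stand-in for slapd's real option parser (an assumption; slapd accepting repeated `-h` and splitting one `-h` value on whitespace is what the two working invocations rely on). The three command strings are constructed from the post, not captured output.

```python
import getopt
import shlex


def slapd_listeners(cmdline: str):
    """Return (listener_urls, stray_args) for a slapd command line.

    The shell first splits the line into words (shlex.split follows the same
    quoting rules), then the option parser consumes them. Assumption: slapd
    takes repeated -h options and splits each -h value on whitespace, which is
    the behaviour the quoted and repeated forms in the thread depend on.
    """
    argv = shlex.split(cmdline)[1:]                 # drop the program name
    opts, stray = getopt.gnu_getopt(argv, "h:d:s:")  # -h/-d/-s all take a value
    urls = []
    for opt, val in opts:
        if opt == "-h":
            urls.extend(val.split())                # one -h may carry several URLs
    return urls, stray


def listens_on_ldaps(cmdline: str) -> bool:
    """True only if an ldaps:// URL actually reaches the -h option."""
    urls, _ = slapd_listeners(cmdline)
    return any(u.startswith("ldaps:") for u in urls)


# The three invocations discussed in the thread (constructed strings)
BROKEN = 'slapd -h ldap:/// ldaps:/// -d 255 -s 255'
QUOTED = 'slapd -h "ldap:/// ldaps:///" -d 255 -s 255'
REPEATED = 'slapd -h ldap:/// -h ldaps:/// -d 255 -s 255'

if __name__ == "__main__":
    for line in (BROKEN, QUOTED, REPEATED):
        urls, stray = slapd_listeners(line)
        print(f"{line}\n  listeners={urls} stray={stray} ldaps={listens_on_ldaps(line)}")
```

For the unquoted line the function reports `ldaps:///` as a stray argument and no ldaps listener, matching the empty port 636 chbauer saw in `netstat -an`; the quoted and repeated forms both yield two listeners.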

