LDAP – How to import a certificate for Apache + LDAPS

apache-2.2, ldap

I am trying to get ldaps to work through Apache 2.2.17 (Windows Server 2008). If I use ldap (plain text), my configuration works great.

LDAPTrustedGlobalCert CA_DER C:/wamp/certs/Trusted_Root_Certificate.cer
LDAPVerifyServerCert Off
<Location />
    AuthLDAPBindDN "CN=corpsvcatlas,OU=Service Accounts,OU=u00958,OU=00958,DC=hca,DC=corpad,DC=net"
    AuthLDAPBindPassword ..removed..
    AuthLDAPURL "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    require valid-user
</Location>

I also tried the other encryption choices besides CA_DER just to be safe, with no luck.

Finally, I also needed this with Apache Tomcat. For Tomcat I used the Tomcat JRE and ran a line like this:

keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias mycert -file Trusted_Root_Certificate.cer

After running the above line, ldaps worked great via Tomcat. This lets me know that my certificate is OK.

Update:
Both ldap modules are turned on, since using ldap instead of ldaps works fine.

When I run a git clone this is the error returned:

C:\Temp>git clone http://eqb9718@localhost/git/Liferay.git
Cloning into Liferay...
Password:
error: The requested URL returned error: 500 while accessing http://eqb9718@localhost/git/Liferay.git/info/refs
fatal: HTTP request failed

access.log has this:

127.0.0.1 - eqb9718 [23/Nov/2011:18:25:12 -0600] "GET /git/Liferay.git/info/refs service=git-upload-pack HTTP/1.1" 500 535
127.0.0.1 - eqb9718 [23/Nov/2011:18:25:33 -0600] "GET /git/Liferay.git/info/refs HTTP/1.1" 500 535

apache_error.log has nothing. Is there any more verbose logging I can turn on or better tests to do?

Update 2:
I can run Wireshark on the Apache server and I can clearly see the outgoing connection, but I can't really make heads or tails of anything else. I'm no Wireshark guru; it just looks like jargon.

Also, I used LDAP Browser to verify that ldaps is working great from the machine.

Update 3:
I turned apache logging to debug and this is the error coming back:

[3016] auth_ldap authenticate: user eqb9718 authentication failed; URI /git/Liferay.git/info/refs [LDAP: ldap_simple_bind_s() failed][Server Down]

Now keep in mind that on this same Server 2008 machine I can use LDAP Browser to connect via ldaps to port 3269 and nothing is "down". What is that error telling us?

Update 4:
Here are the results from running openssl s_client -connect gc-hca.corpad.net:3269 -showcerts: http://pastebin.com/2yEGN4C1

I have also tried the openssl command going directly to a domain controller on port 636, which works, and I have tried it in my httpd.conf, which produces the same error. I don't know if it is important to note that when I go directly to a controller (389 or 636) I have to add a container to the URL like ou=group,dc=hca,etc. That makes using the GC a must. Must be a bug in mod_ldap, since I found that solution from many other posts.

Update 5:
I started up apache manually instead of via a service and this is the ldap debug that is printing out:

C:\wamp\bin\apache\Apache2.2.17\bin>httpd
[Thu Nov 24 19:19:08 2011] [debug] util_ldap.c(1769): LDAP: SSL verify server certificate - FALSE
[Thu Nov 24 19:19:08 2011] [debug] mod_authnz_ldap.c(1010): [3144] auth_ldap url parse: `ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub?(objectClass=*)', Host: gc-hca.corpad.net:3269, Port: 3269, DN: dc=hca,dc=corpad,dc=net, attrib: sAMAccountName, scope: subtree, filter: (objectClass=*), connection mode: using SSL
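The certificate check the question keeps circling (the CA_DER trusted root, the openssl s_client run in Update 4), as an added example that is not part of the original post: it builds a throwaway CA with openssl offline, exports the root in the binary DER form that LDAPTrustedGlobalCert CA_DER takes, and runs the same chain-plus-hostname verification that Apache performs when LDAPVerifyServerCert is On. Only the host name gc-hca.corpad.net and the file name Trusted_Root_Certificate.cer come from the question; the CA names, the second "rogue" issuer and the working directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the question: what LDAPVerifyServerCert On
# actually enforces, reproduced offline with openssl against a constructed
# throwaway CA. Host name and .cer file name follow the question; the CA
# names and the rogue issuer are assumptions made for this demonstration.

WORK="${WORK:-$(mktemp -d)}"

# Build the test PKI once: a root CA, an unrelated rogue CA, and a server
# certificate for the global catalog host issued by each of them.
# Everything here is constructed test material, not the real corporate PKI.
make_test_pki() {
  [ -f "$WORK/rogue-gc.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Corp Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Rogue CA" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1 || return 1
  # CSR for the GC; the SAN is what the hostname check is matched against
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=gc-hca.corpad.net" \
    -keyout "$WORK/gc.key" -out "$WORK/gc.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:gc-hca.corpad.net\n' > "$WORK/san.cnf"
  # Legitimate GC certificate, signed by the root CA
  openssl x509 -req -in "$WORK/gc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/san.cnf" \
    -out "$WORK/gc.pem" >/dev/null 2>&1 || return 1
  # Same name, but issued by the rogue CA: what a box sitting between Apache
  # and the GC would present
  openssl x509 -req -in "$WORK/gc.csr" -CA "$WORK/rogue.pem" -CAkey "$WORK/rogue.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/san.cnf" \
    -out "$WORK/rogue-gc.pem" >/dev/null 2>&1 || return 1
  # LDAPTrustedGlobalCert CA_DER wants the root in binary DER, the form a
  # Windows CA exports as .cer; convert the PEM root to that format.
  openssl x509 -in "$WORK/ca.pem" -outform DER \
    -out "$WORK/Trusted_Root_Certificate.cer" 2>/dev/null
}

# The check mod_ldap performs with LDAPVerifyServerCert On: the presented
# certificate must chain to the configured DER root and carry the host name
# used in AuthLDAPURL. Returns 0 when it verifies, 1 when it would be refused.
verify_against_ca() {
  ca_der="$1"; server_pem="$2"; host="$3"
  # openssl verify wants the anchor in PEM; convert the DER .cer first
  openssl x509 -inform DER -in "$ca_der" -out "$WORK/anchor.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$WORK/anchor.pem" -verify_hostname "$host" \
    "$server_pem" >/dev/null 2>&1
}

# Subject of a presented certificate: the line to compare with the host in
# AuthLDAPURL when reading the output of 'openssl s_client -showcerts'.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Live equivalent from the Apache host (needs the network, so not run here):
#   openssl s_client -connect gc-hca.corpad.net:3269 \
#     -CAfile anchor.pem -verify_hostname gc-hca.corpad.net
# and look for "Verify return code: 0 (ok)" in its output.

make_test_pki || { echo "openssl test PKI setup failed" >&2; exit 1; }
ROOT="$WORK/Trusted_Root_Certificate.cer"
if verify_against_ca "$ROOT" "$WORK/gc.pem" gc-hca.corpad.net; then
  echo "genuine GC certificate: chains to the trusted root, host name matches"
fi
if verify_against_ca "$ROOT" "$WORK/rogue-gc.pem" gc-hca.corpad.net; then
  echo "unexpected: rogue issuer accepted"
else
  echo "rogue-issued certificate for the same name: rejected (LDAPVerifyServerCert Off would accept it silently)"
fi
```

With LDAPVerifyServerCert Off none of this runs inside Apache: the DER root is loaded but never consulted, so the rogue-issued certificate in the second case is accepted and the bind DN password plus every user's Basic credentials go to whoever answers on port 3269.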

Best Answer

Your LDAPVerifyServerCert Off is rendering the trusted root configuration inert, so trust is not an issue.

Are there really that number of spaces in OU=Service Accounts?

And do you have mod_ldap and mod_authnz_ldap enabled?

If neither of those are the issue, can you check your error logs for anything useful?
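The answer's first point, as an added example that is neither the question's nor the answer's own code: the question's directives with LDAPVerifyServerCert Off beside a hardened copy, and a small shell lint that flags the three settings a reviewer would reject in a mod_ldap configuration (the Off switch, a plain ldap:// bind with no STARTTLS, and ldaps:// with no trust anchor). Paths, bind DN and the GC host follow the question; the dc01.hca.corpad.net host in the plaintext sample and the lint itself are this example's own.

```shell
#!/bin/sh
# Added example, not from the original question or answer: the question's
# <Location> block with the weak setting beside a hardened version, plus a
# small lint for mod_ldap / mod_authnz_ldap directives. dc01.hca.corpad.net
# below is an assumed host name; everything else follows the question.

WORK="$(mktemp -d)"

# Constructed copy of the question's settings (password elided there too).
cat > "$WORK/weak.conf" <<'EOF'
LDAPTrustedGlobalCert CA_DER C:/wamp/certs/Trusted_Root_Certificate.cer
LDAPVerifyServerCert Off
<Location />
    AuthLDAPBindDN "CN=corpsvcatlas,OU=Service Accounts,OU=u00958,OU=00958,DC=hca,DC=corpad,DC=net"
    AuthLDAPBindPassword ..removed..
    AuthLDAPURL "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
    AuthUserFile /dev/null
    require valid-user
</Location>
EOF

# Hardened version: the root is actually enforced, and the host in the URL
# must be the name the GC's certificate carries.
cat > "$WORK/hardened.conf" <<'EOF'
# Root that issued the global catalog's certificate, in DER (.cer) form
LDAPTrustedGlobalCert CA_DER C:/wamp/certs/Trusted_Root_Certificate.cer
# Refuse any server certificate that does not chain to that root
LDAPVerifyServerCert On
<Location />
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
    # Host name here must match the server certificate
    AuthLDAPURL "ldaps://gc-hca.corpad.net:3269/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"
    AuthLDAPBindDN "CN=corpsvcatlas,OU=Service Accounts,OU=u00958,OU=00958,DC=hca,DC=corpad,DC=net"
    AuthLDAPBindPassword ..removed..
    require valid-user
</Location>
EOF

# The "ldap (plain text) works great" variant: a constructed sample with an
# assumed DC host, to show what the lint says about a cleartext bind.
cat > "$WORK/plain.conf" <<'EOF'
LDAPVerifyServerCert On
<Location />
    AuthLDAPURL "ldap://dc01.hca.corpad.net:389/dc=hca,dc=corpad,dc=net?sAMAccountName?sub"
    AuthLDAPBindDN "CN=corpsvcatlas,OU=Service Accounts,DC=hca,DC=corpad,DC=net"
    AuthLDAPBindPassword ..removed..
    require valid-user
</Location>
EOF

# Print one finding per line; comments are stripped before matching.
lint_mod_ldap_conf() {
  conf="$(sed 's/#.*//' "$1")"
  if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*LDAPVerifyServerCert[[:space:]]+Off'; then
    echo "LDAPVerifyServerCert Off: server cert never checked, LDAPTrustedGlobalCert is inert, a MITM can harvest the bind DN password and every user's Basic credentials"
  fi
  # 2.2 URL syntax allows a trailing ?TLS or ?STARTTLS mode; without it an
  # ldap:// URL binds in the clear
  if printf '%s\n' "$conf" | grep -Eiq 'AuthLDAPURL[[:space:]]+"?ldap://' \
     && ! printf '%s\n' "$conf" | grep -Eiq 'AuthLDAPURL.*\?(TLS|STARTTLS)"?[[:space:]]*$'; then
    echo "AuthLDAPURL ldap:// without STARTTLS: bind DN password and user credentials cross the wire in clear text"
  fi
  if printf '%s\n' "$conf" | grep -Eiq 'AuthLDAPURL[[:space:]]+"?ldaps://' \
     && ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*LDAPTrustedGlobalCert'; then
    echo "ldaps:// with no LDAPTrustedGlobalCert: nothing to verify the server against"
  fi
}

# True (exit 0) when the lint has nothing to say about the file.
is_hardened() {
  [ -z "$(lint_mod_ldap_conf "$1")" ]
}

for f in weak plain hardened; do
  echo "== $f.conf"
  lint_mod_ldap_conf "$WORK/$f.conf"
done
```

Turning LDAPVerifyServerCert On is also the quickest diagnostic for the question's setup: if the bind then fails where it failed before, the problem is elsewhere; if a new certificate error appears in the debug log, the root in Trusted_Root_Certificate.cer is not the one that issued the certificate gc-hca.corpad.net presents on 3269.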