LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   ldaps on apache is unable to connect (https://www.linuxquestions.org/questions/linux-newbie-8/ldaps-on-apache-is-unable-to-connect-4175659249/)

witchkinkofangmar 08-16-2019 12:52 PM
ldaps on apache is unable to connect
 
Trying to authenticate certain sites/subdirectories with AD.

I generated a cert on the Domain Controller, converted it from a .cer to .pem file, and place it on the webserver and it is still not working.


Code:
LDAPConnectionTimeout 10
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/ldap/cert.pem

<AuthnProviderAlias ldap ldap-da>
    AuthLDAPURL "ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=web ldap,OU=Accounts,OU=Domain Admin,DC=dcname,DC=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-users>
    AuthLDAPURL "ldaps://domain.name.com:636/OU=Users,OU=users,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=web ldap,OU=Accounts,OU=Domain Admin,DC=dcname,DC=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<Directory "/var/www/html/website.dir/>
    AuthType Basic
    AuthName "LDAP login"
    AuthBasicProvider ldap ldap-da ldap-users
    AuthLDAPURL            "ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN          "CN=web ldap,OU=Accounts,OU=Domain Admin,DC=dcname,DC=com"
    AuthLDAPBindPassword    "password"
    #Require valid-user
    #order deny,allow
    #deny from all
    Require all denied
    #satisfy any
    require valid-user
    require ip ip.range.
    require ip range.
    require ip specific.ip
    require user user.name
</Directory>

[authnz_ldap:debug] [pid 16405] mod_authnz_ldap.c(501): [client ip.address:55136] AH01691: auth_ldap authenticate: using URL ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*), referer: https://website.dir
[Fri Aug 16 11:46:31.079744 2019] [ldap:debug] [pid 16405] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Fri Aug 16 11:46:31.212785 2019] [authnz_ldap:info] [pid 16405] [client ip.address:55136] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [User not found][No such object], referer: https://website

dc.901 08-16-2019 04:44 PM
Have you looked at the event viewer to see if the request is even reaching there?

From the webserver, via CLI, does this connect:
Code:
nc -v <domain.name.com> 636

witchkinkofangmar 08-16-2019 05:27 PM
It looks like it is

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to ip.address:636.

I just finished exporting another cert from the domain controller and converting the pfx to pem and am now getting this error:

Fri Aug 16 16:32:31.178591 2019] [authnz_ldap:info] [pid 28089] [client ip.address:49021] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: https://website

dc.901 08-18-2019 04:21 PM
Quote:
Originally Posted by witchkinkofangmar (Post 6025897)
It looks like it is

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to ip.address:636.

I just finished exporting another cert from the domain controller and converting the pfx to pem and am now getting this error:

Fri Aug 16 16:32:31.178591 2019] [authnz_ldap:info] [pid 28089] [client ip.address:49021] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: https://website
Great! that shows from CLI, it connects, and your firewall rule on Windows side is ok.
However, for your web app; you will still need to look at event viewer logs to get better idea of what's happening.

witchkinkofangmar 08-19-2019 11:34 AM
I finally got it working and here's what I did:

Downloaded Windows 8.1 SDK, which includes a tool called makecert: https://developer.microsoft.com/en-u...ds/sdk-archive, https://docs.microsoft.com/en-us/win...rypto/makecert

Added Service and Computer Snap-ins for MMC and then generated the cert with this command and the makecert tool:

Code:
C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sr localmachine -ss My -pe -r -n "CN=dc,DC=domain,DC=name" -len 2048 -m 12 ldaps.cer
(Per this config: https://www.sans.org/reading-room/wh...trollers-33784)

Then I exported the key to my desktop and imported to the 'Trusted Root Certification Authority' store.

I then copied it over to my apache web server running on a CentOS 7 box and converted it from .pfk to .pem like so:
Code:
openssl pkcs12 -in ADLDAPS.pfx -clcerts -nokeys -out ADLDAPS.pem
and specified the path in my apache ldap.conf
Code:
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/ldap/ADLDAPS.pem


All times are GMT -5. The time now is 11:28 AM.