LinuxQuestions.org
Old 08-16-2019, 12:52 PM   #1
witchkinkofangmar
ldaps on apache is unable to connect


Trying to authenticate certain sites/subdirectories with AD.

I generated a cert on the Domain Controller, converted it from a .cer to a .pem file, and placed it on the webserver, and it is still not working.


Code:
LDAPConnectionTimeout 10
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/ldap/cert.pem

<AuthnProviderAlias ldap ldap-da>
    AuthLDAPURL "ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=web ldap,OU=Accounts,OU=Domain Admin,DC=dcname,DC=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-users>
    AuthLDAPURL "ldaps://domain.name.com:636/OU=Users,OU=users,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=web ldap,OU=Accounts,OU=Domain Admin,DC=dcname,DC=com"
    AuthLDAPBindPassword "password"
</AuthnProviderAlias>

<Directory "/var/www/html/website.dir/">
    AuthType Basic
    AuthName "LDAP login"
    AuthBasicProvider ldap ldap-da ldap-users
    AuthLDAPURL             "ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN          "CN=web ldap,OU=Accounts,OU=Domain Admin,DC=dcname,DC=com"
    AuthLDAPBindPassword    "password"
    #Require valid-user
    #order deny,allow
    #deny from all
    Require all denied
    #satisfy any
    require valid-user
    require ip ip.range.
    require ip range.
    require ip specific.ip
    require user user.name
</Directory>

[authnz_ldap:debug] [pid 16405] mod_authnz_ldap.c(501): [client ip.address:55136] AH01691: auth_ldap authenticate: using URL ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*), referer: https://website.dir
[Fri Aug 16 11:46:31.079744 2019] [ldap:debug] [pid 16405] util_ldap.c(379): AH01278: LDAP: Setting referrals to On.
[Fri Aug 16 11:46:31.212785 2019] [authnz_ldap:info] [pid 16405] [client ip.address:55136] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [User not found][No such object], referer: https://website

 
Old 08-16-2019, 04:44 PM   #2
dc.901
Have you looked at the event viewer to see if the request is even reaching there?

From the webserver, via CLI, does this connect:
Code:
nc -v <domain.name.com> 636
 
Old 08-16-2019, 05:27 PM   #3
witchkinkofangmar
Original Poster
It looks like it is

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to ip.address:636.

I just finished exporting another cert from the domain controller and converting the pfx to pem and am now getting this error:

Fri Aug 16 16:32:31.178591 2019] [authnz_ldap:info] [pid 28089] [client ip.address:49021] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: https://website

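The two error lines in this thread point at different stages: "[User not found][No such object]" means the TLS connection and the bind DN worked and only the search came back empty, while "[ldap_simple_bind() failed][Can't contact LDAP server]" means the connection never came up. The following is an added Python example, not code from the thread, that parses such error_log lines and names the stage; the sample log lines are constructed after the ones posted above, with placeholder hosts and IPs.

```python
import re

# Constructed sample lines modelled on the thread's excerpts; host and IPs are placeholders.
SAMPLE_LOG = """\
[Fri Aug 16 11:46:31.079744 2019] [authnz_ldap:debug] [pid 16405] mod_authnz_ldap.c(501): [client 192.0.2.10:55136] AH01691: auth_ldap authenticate: using URL ldaps://domain.name.com:636/OU=Accounts,OU=Domain Admin,DC=dcname,DC=com?sAMAccountName?sub?(objectClass=*), referer: https://website.dir
[Fri Aug 16 11:46:31.212785 2019] [authnz_ldap:info] [pid 16405] [client 192.0.2.10:55136] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [User not found][No such object], referer: https://website
[Fri Aug 16 16:32:31.178591 2019] [authnz_ldap:info] [pid 28089] [client 192.0.2.10:49021] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: https://website
"""
# AH01691 logs the AuthLDAPURL in use; AH01695 logs "[reason][ldap error string]".
URL_RE = re.compile(r"AH01691: .*?using URL (\S.*?), referer:")
FAIL_RE = re.compile(r"\[pid (\d+)\].*?AH01695: .*?user (\S+) authentication failed; "
                     r"URI (\S+) \[([^\]]*)\]\[([^\]]*)\]")

# Keyed on the reason string util_ldap.c sets before the error is logged.
STAGES = {
    "User not found": ("search",
        "TCP, TLS and the bind DN all worked; the search under the base DN returned no "
        "entry for this sAMAccountName. Check the base DN in AuthLDAPURL and the user's OU."),
    "LDAP: ldap_simple_bind() failed": ("connect",
        "The bind never reached the server. With 'Can't contact LDAP server' this is usually "
        "TLS verification failing against LDAPTrustedGlobalCert, or port 636 being blocked."),
}

def parse_failure(line):
    """Return pid, user, URI, reason, error and diagnosed stage for one AH01695 line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    pid, user, uri, reason, error = m.groups()
    stage, hint = STAGES.get(reason, ("unknown", "Unrecognised reason; check util_ldap.c"))
    return {"pid": int(pid), "user": user, "uri": uri, "reason": reason,
            "error": error, "stage": stage, "hint": hint}

def analyze(log_text):
    """Walk the log, keeping the last AuthLDAPURL seen so each failure carries its base DN."""
    url, findings = None, []
    for line in log_text.splitlines():
        u = URL_RE.search(line)
        if u:
            url = u.group(1)
            continue
        f = parse_failure(line)
        if f:
            # RFC 4516 layout: ldaps://host:port/basedn?attrs?scope?filter
            f["base_dn"] = url.split("/", 3)[3].split("?")[0] if url else None
            findings.append(f)
    return findings

for f in analyze(SAMPLE_LOG):  # demo run over the constructed sample
    print(f["stage"], f["pid"], f["base_dn"], f["hint"])
```

For the "connect" case, `openssl s_client -connect domain.name.com:636 -CAfile /etc/pki/ldap/cert.pem` run from the webserver should end with "Verify return code: 0 (ok)" before Apache can be expected to bind.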
 
Old 08-18-2019, 04:21 PM   #4
dc.901
Quote:
Originally Posted by witchkinkofangmar
It looks like it is

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to ip.address:636.

I just finished exporting another cert from the domain controller and converting the pfx to pem and am now getting this error:

Fri Aug 16 16:32:31.178591 2019] [authnz_ldap:info] [pid 28089] [client ip.address:49021] AH01695: auth_ldap authenticate: user user.name authentication failed; URI /website.dir [LDAP: ldap_simple_bind() failed][Can't contact LDAP server], referer: https://website
Great! That shows that from the CLI it connects, and your firewall rule on the Windows side is ok.
However, for your web app, you will still need to look at the Event Viewer logs to get a better idea of what's happening.
 
Old 08-19-2019, 11:34 AM   #5
witchkinkofangmar
Original Poster
I finally got it working and here's what I did:

Downloaded Windows 8.1 SDK, which includes a tool called makecert: https://developer.microsoft.com/en-u...ds/sdk-archive, https://docs.microsoft.com/en-us/win...rypto/makecert

Added Service and Computer Snap-ins for MMC and then generated the cert with this command and the makecert tool:

Code:
C:\Program Files (x86)\Windows Kits\8.1\bin\x64>makecert -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sr localmachine -ss My -pe -r -n "CN=dc,DC=domain,DC=name" -len 2048 -m 12 ldaps.cer
(Per this config: https://www.sans.org/reading-room/wh...trollers-33784)

Then I exported the key to my desktop and imported to the 'Trusted Root Certification Authority' store.

I then copied it over to my Apache web server running on a CentOS 7 box and converted it from .pfx to .pem like so:
Code:
openssl pkcs12 -in ADLDAPS.pfx -clcerts -nokeys -out ADLDAPS.pem
and specified the path in my apache ldap.conf
Code:
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/ldap/ADLDAPS.pem