
Re: OpenLDAP as a ldap->ldaps proxy for apache to AD



You didn't mention the OpenLDAP version, which is probably significant here. In older versions of OpenLDAP a single TLS context was used for slapd. In newer versions, there are separate contexts for slapd as a server vs slapd as a client (e.g. back-ldap). Try adding the equivalent TLS settings to slapd.conf.

Don Wood wrote:
Hello,

I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
apache to AD authentication.  The proxy is running on debian sarge and
I am using the standard packages.

I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
the AD server, but it appears that there are errors in the bind phase
for the SSL connection.

When I run "slapd -d 16383" I get the below messages in the dump.

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
Security Inc./CN=RSA Public Root CA
v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: Error, unable to get local issuer certificate

In slapd.conf I did not do any certificate configuration, as Apache
will not be connecting with SSL.  OpenLDAP runs as root, so all of my
SSL configuration is in ~root/.ldaprc.  Am I understanding correctly
that this is how it should be done?  I have double-checked the paths
to the cert files, and they are all PEM encoded.  I also know the
files are valid because Apache is using them for server authentication
to the client.

Here are what I believe to be the applicable lines from my configuration.

/etc/ldap/slapd.conf
database       ldap
suffix         "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
uri            "ldaps://AD_SERVER.DOMAIN.com:636"

~root/.ldaprc
TLS_CACERT /opt/cert/SSLchain.pem
TLS_CERT /opt/cert/host.domain.com.crt
TLS_KEY /opt/cert/host.domain.com.key
TLS_REQCERT demand

Not sure what I'm missing, but I'm new to OpenLDAP so it could be
something basic.  (I have checked the man pages, other docs, and
searched the mailing lists.)




--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
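As an added illustration of the reply's suggestion (not configuration from either poster): the client-side TLS settings from ~root/.ldaprc expressed as slapd.conf directives, using the paths from the original post. Whether these global TLS directives also govern back-ldap's outbound ldaps:// connection depends on the OpenLDAP version, as the reply notes, so treat that as an assumption to verify against the slapd.conf(5) and slapd-ldap(5) man pages for the installed release.

```conf
# /etc/ldap/slapd.conf (added example; directive names are the standard
# slapd.conf TLS directives, file paths are taken from the original post)

# Global TLS settings. On releases with a single TLS context these also
# apply when slapd acts as a client (back-ldap); on releases with separate
# server/client contexts, check the man pages for the client-side equivalent.
TLSCACertificateFile    /opt/cert/SSLchain.pem
TLSCertificateFile      /opt/cert/host.domain.com.crt
TLSCertificateKeyFile   /opt/cert/host.domain.com.key

database        ldap
suffix          "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
uri             "ldaps://AD_SERVER.DOMAIN.com:636"
```

Independently of where the settings live, the logged "unable to get local issuer certificate" (OpenSSL verify error 20) at depth 2 means the CA bundle in use did not contain the issuer of the depth-2 certificate, i.e. the ValiCert Class 3 CA shown in the trace, so SSLchain.pem should be checked for that root and not only the intermediates.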