
Re: Communicate from php/apache to openLDAP over LDAPS



Hi, thank you for replying,

I went a bit deeper into my problem. I can now do LDAPS, but without verifying the certificate;
here is what I did:

on the openLDAP server:

--->slapd.conf
TLSCertificateFile      ./ssl2/srvLDAP.cer
TLSCertificateKeyFile   ./ssl2/srvLDAP.key
TLSCACertificateFile    ./ssl2/cacert.cer
TLSVerifyClient         never

--->ldap.conf
TLS_CACERT      ./ssl2/cacert.cer
TLS_REQCERT     never

Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1

That's all for the openLDAP server, but it is not enough with Apache.

On the Apache server I created a folder C:\openldap\sysconf;
in this directory I created openldap.conf, which contains:

TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT     never

(with cacert.cer in c:\openldap\sysconf\ssl)

It works from now BUT does NOT verify the certificate.

I got certificate and key to my Apache server, but I need now to specify it in apache so that apache will give the certificate to the openldap while doing LDAPS.

I know I have to change TLS_REQCERT never to TLS_REQCERT demand. I did it, and on the openLDAP server I get the following error:

connection_read(1176): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(1176): got connid=0
connection_read(1176): checking for input on id=0
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
connection_read(1176): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=1176 for close
connection_close: conn=0 sd=1176

The question is now: how can I configure my certificate on the Apache SERVER so that I will be able to do LDAPS with PHP and the certificates will be verified?
(I know I should ask this on the Apache list too.)

Thank you in advance for all your help, and thank you for the help you have already given me.






2010/6/11 Indexer <indexer@internode.on.net>

On 11/06/2010, at 4:04 AM, Howard Chu wrote:

> Jérémy ESCOLANO wrote:
>> I tried to put host="srvLDAP" but it still doesn't work
>>
>> Actually the problem is configuring my APACHE server to make it consider
>> these certificates.
>> I know there is a ldap.conf in the openLDAP directory (on the openLDAP server)
>> where we have to put:
>>
>> TLS_CACERT      ./ssl2/cacert.cer
>> TLS_REQCERT     demand
>>
>> but how can we specify it on the Apache server?
>
> Ask on an Apache forum.
>
>
You are probably correct in that you should be asking on an Apache forum. But anyway, here is a copy of my working Apache config:


LDAPTrustedClientCert CERT_BASE64 /usr/local/share/certs/cacert.pem
LDAPTrustedClientCert CERT_DER /usr/local/share/certs/cacert.crt
LDAPTrustedMode TLS

<Directory /usr/local/www/nagios>
    Order deny,allow
    Deny from all
    Allow from all
    AllowOverride none
    php_flag engine on
    php_admin_value open_basedir /usr/local/www/nagios/:/var/spool/nagios/

    ######
    #<LDAP>
    ######

    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPRemoteUserAttribute uid
    AuthLDAPURL ldap://ldap.chocolate.lan/ou=Users,dc=chocolate,dc=lan?uid?sub
    #Require ldap-user william
    AuthLDAPDereferenceAliases never
    AuthLDAPGroupAttribute memberUid
    Require group
    Require ldap-group cn=nagios,ou=Apache,ou=Nemo,ou=Group,dc=chocolate,dc=lan
    AuthType Basic
    AuthName "Nagios"

    ######
    #</LDAP>
    ######

</Directory>

Also, a useful tool is the following; it tells you the current state of the LDAP cache on the server:

       <Location /server/cache-info>
               SetHandler ldap-status
       </Location>

This is currently set up for group-based authentication. Remember that your group memberUid needs to be the full DN of the user, rather than just the uid. Your certificates also need to be readable by the Apache user, and you only need the cacert.

>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
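As an added example (not code from anyone in this thread), the PHP snippet below does from the client what TLS_REQCERT demand and TLS_CACERT do in ldap.conf: the bind fails unless the server certificate chains to the trusted CA and matches the hostname, instead of being silently accepted as with TLS_REQCERT never. Note that TLS_REQCERT governs how the client checks the server's certificate, while the "peer did not return a certificate" error in the slapd trace above comes from the server's own TLSVerifyClient setting asking the client for a certificate. Hostname, file paths and credentials are placeholders; the LDAP_OPT_X_TLS_* options used here need PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. Placeholder host/paths/credentials.
// Connects over LDAPS with the server certificate actually verified.

function ldaps_bind_verified(string $uri, string $caFile, string $bindDn, string $password,
                             ?string $clientCert = null, ?string $clientKey = null) {
    // Global TLS options (first argument null) must be set BEFORE the
    // handshake, i.e. before ldap_connect() / ldap_bind().
    // Same effect as "TLS_REQCERT demand" in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // Same effect as "TLS_CACERT <file>": the CA that signed the server cert.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // Only needed when slapd has TLSVerifyClient set to try/allow/demand and
    // you want the client to present its own certificate.
    if ($clientCert !== null && $clientKey !== null) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $clientCert);
        ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $clientKey);
    }

    $ld = ldap_connect($uri);          // e.g. "ldaps://srvldap.example.lan:636"
    if ($ld === false) {
        throw new RuntimeException("invalid LDAP URI: $uri");
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    // The TLS handshake runs here. A CA or hostname mismatch shows up as a
    // failed bind ("Can't contact LDAP server") with a TLS diagnostic string,
    // which is exactly what TLS_REQCERT never was hiding.
    if (!@ldap_bind($ld, $bindDn, $password)) {
        $diag = '';
        ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf('LDAPS bind failed: %s (%s)',
                                           ldap_error($ld), $diag));
    }
    return $ld;
}

// Placeholder values; replace with your server, CA file and bind account.
$ld = ldaps_bind_verified(
    'ldaps://srvldap.example.lan:636',
    'C:\\openldap\\sysconf\\ssl\\cacert.cer',   // the CA that issued srvLDAP.cer
    'cn=apache,ou=Users,dc=example,dc=lan',
    getenv('LDAP_BIND_PW') ?: ''
);
echo "TLS verified and bound as ", ldap_exop_whoami($ld), PHP_EOL;
ldap_unbind($ld);
```

Keeping TLS_REQCERT demand in the client's ldap.conf as well means command-line tools such as ldapsearch on the same host verify the server certificate too, not only this script.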