From: Maxim Khitrov
Date: Thu, 19 Nov 2009 11:33:05 -0500
To: Free BSD Questions list
Subject: Apache 2.2 mod_ldap refusing to work over SSL/TLS
Message-ID: <26ddd1750911190833l2b5ff6beucc652f7ed338c1a@mail.gmail.com>

Hello all,

Wasted many hours on this and am no closer to a
solution. I'm trying to get Apache 2.2 on FreeBSD 7.2 to authenticate against our Active Directory (Windows 2003). The current status is that authentication works without problems when SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections to the server and run queries using the ldapsearch tool. Server certificate verification works without any problems. The relevant portions of ldap.conf and httpd.conf are identical, so if I can use SSL and TLS with ldapsearch, there is no reason why it shouldn't be working from Apache. Just to be on the safe side, I've turned off server certificate verification with the 'LDAPVerifyServerCert Off' directive.

So... Unencrypted authentication works, SSL authentication results in "[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]", and TLS authentication gives "[LDAP: ldap_start_tls_s() failed][Connect error]".

I had nothing else to go on, so I decided to capture the packets that are being sent between the Apache and Active Directory servers. I then compared this packet capture with what ldapsearch does (both using TLS). In summary, ldapsearch and Apache send an identical LDAP_SERVER_START_TLS_OID command. In both cases, the server responds with an identical "Result: Status: Success, MatchedDN: NULL, ErrorMessage: NULL" packet. But while ldapsearch then goes on to the certificate and key exchange phase, Apache responds with "OperationHeader: Unbind Request, 2(0x2)" and terminates the connection. As far as I can tell, it doesn't even get to the certificate verification phase even though the STARTTLS command is successful.

Anyone have a clue on what could be causing this?

- Max
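The capture comparison in the post above (StartTLS request, server "Success" result, then either a TLS handshake or an Unbind) can be checked programmatically rather than by eye. The following is an added example, not code from the post, from Apache mod_ldap or from OpenLDAP: a minimal BER decoder for LDAPMessage frames that recognises the three protocolOps involved and classifies what a client does after the server accepts StartTLS. Assumptions: the StartTLS OID value 1.3.6.1.4.1.1466.20037 and the application tag numbers (23 extendedReq, 24 extendedResp, 2 unbindRequest) are taken from RFC 4511; the sample frames are constructed here and are not bytes from the original capture.

```python
"""Decode an LDAP StartTLS exchange from raw frames (added example, not from the post)."""
from typing import Iterator, Tuple

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14.1

# ---- BER helpers ------------------------------------------------------------

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element (definite length, short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

# ---- LDAPMessage decoding (RFC 4511 section 4.1.1) -------------------------

RESULT_CODES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform"}

def decode_ldap_message(frame: bytes) -> dict:
    tag, body, end = read_tlv(frame)
    if tag != 0x30 or end != len(frame):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    (id_tag, id_val), (op_tag, op_val) = list(iter_tlvs(body))[:2]
    if id_tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    msg = {"messageID": int.from_bytes(id_val, "big")}
    if op_tag == 0x77:                     # [APPLICATION 23] ExtendedRequest
        fields = dict(iter_tlvs(op_val))
        msg["op"] = "extendedReq"
        msg["requestName"] = fields[0x80].decode("ascii")   # [0] requestName
        msg["isStartTLS"] = msg["requestName"] == START_TLS_OID
    elif op_tag == 0x78:                   # [APPLICATION 24] ExtendedResponse
        items = list(iter_tlvs(op_val))    # resultCode, matchedDN, errorMessage, ...
        msg["op"] = "extendedResp"
        msg["resultCode"] = RESULT_CODES.get(int.from_bytes(items[0][1], "big"), "other")
        msg["matchedDN"] = items[1][1].decode("utf-8")
        msg["errorMessage"] = items[2][1].decode("utf-8")
    elif op_tag == 0x42:                   # [APPLICATION 2] UnbindRequest ::= NULL
        msg["op"] = "unbindRequest"        # the "2(0x2)" shown by the capture tool
    else:
        msg["op"] = f"application-{op_tag & 0x1F}"
    return msg

# ---- Constructed sample frames (not bytes from the original capture) -------

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)

def start_tls_request(msg_id: int) -> bytes:
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, START_TLS_OID.encode())))

def start_tls_response(msg_id: int, code: int = 0) -> bytes:
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return ldap_message(msg_id, tlv(0x78, body + tlv(0x8A, START_TLS_OID.encode())))

def unbind_request(msg_id: int) -> bytes:
    return ldap_message(msg_id, tlv(0x42, b""))

LDAPSEARCH_LIKE = [start_tls_request(1), start_tls_response(1),
                   b"\x16\x03\x01\x00\x05hello"]   # start of a TLS handshake record
MOD_LDAP_LIKE = [start_tls_request(1), start_tls_response(1), unbind_request(2)]

def classify_after_starttls(frames: list) -> str:
    """What did the client do once the server answered StartTLS?"""
    req, resp = decode_ldap_message(frames[0]), decode_ldap_message(frames[1])
    if not (req["op"] == "extendedReq" and req["isStartTLS"]):
        raise ValueError("exchange does not begin with a StartTLS request")
    if resp["op"] != "extendedResp" or resp["resultCode"] != "success":
        return "starttls_refused"
    nxt = frames[2]
    if nxt[:2] == b"\x16\x03":             # TLS handshake record follows: normal
        return "tls_handshake_started"
    try:
        if decode_ldap_message(nxt)["op"] == "unbindRequest":
            return "client_unbound"        # client gave up before the handshake
    except (ValueError, IndexError):
        pass
    return "unexpected"

if __name__ == "__main__":
    for name, frames in (("ldapsearch-like", LDAPSEARCH_LIKE), ("mod_ldap-like", MOD_LDAP_LIKE)):
        print(name, "->", classify_after_starttls(frames))
```

Feeding the TCP payloads from a real capture into `classify_after_starttls` distinguishes a server that refused StartTLS (non-zero resultCode) from a client that received "success" and then unbound anyway, which is the mod_ldap symptom described in the post: the failure there is on the client side, after the LDAP layer has agreed to switch to TLS and before any certificate is exchanged.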