TLS connection from Apache Web Server to LDAP 389 Directory Server

by Miroja
from LinuxQuestions.org (#5GXM9)
I am trying to set up a TLS connection from an Apache Web Server (Apache/2.4.6 (CentOS)) utilizing mod_ldap and mod_authnz_ldap to an LDAP 389 directory server (389-Directory/1.3.9.1 B2019.220.1155); however, I am constantly getting a 500 Internal Server Error.

Without an encrypted connection LDAP authentication works, with TLS it does not. Does anybody have an idea how to fix it?

I did the following so far to no avail:

Create certs
Code:
# create request for CA cert
openssl req -newkey rsa:2048 -nodes -keyout "CA.key" -new -days 365 -subj "/CN=fake_CA_cert" -out "ca_signing.csr"

# self-sign the CA cert
openssl x509 -req -in "ca_signing.csr" -signkey "CA.key" -days 365 -out "CA.crt"

# issue cert request
openssl req -newkey rsa:2048 -keyout "ldap.host.sk.key" -new -out "ldap.host.sk.csr" -passin pass:ldap_pass -passout pass:ldap_pass -subj "/C=SK/ST=Slovakia/L=Bratislava/O=Company/OU=IT_team/CN=ldap.host.sk"

# sign the request with fake CA
openssl x509 -req -in "ldap.host.sk.csr" -CA "CA.crt" -CAkey "CA.key" -out "ldap.host.sk.crt" -CAcreateserial

Setup LDAP.
Code:
cat password.internal
ldap_pass

#setup cert_db
certutil -N -d /etc/dirsrv/slapd-vtrms/ -f "password.internal"
certutil -A -d /etc/dirsrv/slapd-vtrms/ -n "CA-Cert" -t "C,," -i "CA.crt"
certutil -A -d /etc/dirsrv/slapd-vtrms/ -n "Server-Cert" -t ",," -i "ldap.host.sk.crt"

#generate pkcs12 key for cert
openssl pkcs12 -export -out "server.pfx" -inkey "ldap.host.sk.key" -in "ldap.host.sk.crt" -certfile "CA.crt" -passout pass:ldap_pass -passin pass:ldap_pass

# add cert key to nss
pk12util -i "server.pfx" -d /etc/dirsrv/slapd-ldap_instance/ -W ldap_pass -K ldap_pass

echo "Internal (Software) Token:ldap_pass" > pin.txt

# encryption ldif
ldapmodify -a -x -D "cn=Directory Manager" -w xxxxx -H "ldap://ldap.host.sk:389" -f "encryption.ldif"
# restart LDAP instance
systemctl restart "dirsrv@ldap_instance.service"

encryption.ldif
Code:
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
nsSSLPersonalitySSL: Server-Cert
nsSSLActivation: on
nsSSLToken: internal (software)
cn: RSA

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSLSessionTimeout
nsSSLSessionTimeout: 0
-
replace: nsSSLClientAuth
nsSSLClientAuth: off
-
replace: nsSSL3
nsSSL3: off
-
replace: nsSSL2
nsSSL2: off
-
replace: sslVersionMin
sslVersionMin: TLS1.1

dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on

Generating DER certificate for the Apache client
Code:
#convert pfx to pem (Import Password + PEM pass phrase)
openssl pkcs12 -in server.pfx -out cert.pem

#convert pem to der
openssl x509 -outform der -in cert.pem -out cert.der

Setup client host Apache - Added modules
Code:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

Version without TLS - auth_ldap.conf (Apache)
Code:
LDAPSharedCacheSize 500000
LDAPCacheEntries 20
LDAPCacheTTL 14400

<Location /ldap-status>
SetHandler ldap-status
</Location>

<Directory /html/htdocs>
AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN uid=main_user,ou=ou_name,dc=dc_name,dc=sk
AuthLDAPBindPassword main_user_pass
AuthLDAPURL "ldap://ldap.host.sk/cn=cn_name,ou=ou_name,dc=dc_name,dc=sk?uid,attr1,attr2,attr3"
Require valid-user
</Directory>

After entering the authentication data, I can see /html/htdocs/test.html.
In the LDAP access log, an attempt to connect from the IP, BIND, RESULT and SRCH of the authentication user appears.

Version with TLS - auth_ldap.conf (Apache)
Code:
LDAPSharedCacheSize 500000
LDAPCacheEntries 20
LDAPCacheTTL 14400

LDAPTrustedMode TLS
LDAPVerifyServerCert on

<Location /ldap-status>
SetHandler ldap-status
</Location>

<Directory /usr/nikesoft/html/htdocs>
AuthName "test"
AuthType Basic
AuthBasicProvider ldap
LDAPTrustedClientCert CERT_DER /path/cert.der ldap_pass
AuthLDAPBindDN uid=main_user,ou=ou_name,dc=dc_name,dc=sk
AuthLDAPBindPassword main_user_pass
AuthLDAPURL "ldap://ldap.host.sk/cn=cn_name,ou=ou_name,dc=dc_name,dc=sk?uid,attr1,attr2,attr3"
Require valid-user
</Directory>

After entering the authentication data, I get a 500 Internal Server Error,
and there are no corresponding entries in the LDAP access log.

On ldap.host.sk:
Code:
netstat -tulpn | grep -e 636 -e 389
tcp6 0 0 :::636 :::* LISTEN 95607/ns-slapd
tcp6 0 0 :::389 :::* LISTEN 95607/ns-slapd

On the client Apache host, a connection check of ports 389 and 636 via telnet is OK for both.
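As an added diagnostic aid (not code from the post, Apache or 389-ds), the following Python lints an Apache mod_ldap configuration for the trust-anchor gap that most often breaks a private-CA TLS setup: LDAPVerifyServerCert defaults to on, and verification needs the CA certificate installed via LDAPTrustedGlobalCert (CA_DER or CA_BASE64), which the TLS variant above never sets. The sample configuration is a constructed excerpt of the post's config; the directive semantics follow the mod_ldap documentation.

```python
"""Lint the TLS-related directives of an Apache mod_ldap / mod_authnz_ldap config."""

# Constructed excerpt modelled on the TLS variant of auth_ldap.conf in the post above.
SAMPLE_CONF = """
LDAPTrustedMode TLS
LDAPVerifyServerCert on

<Directory /usr/nikesoft/html/htdocs>
    AuthType Basic
    AuthBasicProvider ldap
    LDAPTrustedClientCert CERT_DER /path/cert.der ldap_pass
    AuthLDAPURL "ldap://ldap.host.sk/cn=cn_name,ou=ou_name,dc=dc_name,dc=sk?uid"
    Require valid-user
</Directory>
"""

# LDAPTrustedGlobalCert types that install a trust anchor (not a client cert or key).
CA_TYPES = {"CA_DER", "CA_BASE64", "CA_CERT7_DB", "CA_SECMOD"}


def parse_directives(text):
    """Yield (name, argument string) per directive, skipping <Container> tags and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, *rest = line.split(None, 1)
        yield name, (rest[0].strip() if rest else "")


def lint_ldap_tls(text):
    """Return a list of findings; an empty list means no TLS trust problem was spotted."""
    d = list(parse_directives(text))
    mode = next((a.upper() for n, a in d if n == "LDAPTrustedMode"), "NONE")
    verify = next((a.lower() for n, a in d if n == "LDAPVerifyServerCert"), "on")  # Apache default
    urls = [a.strip('"') for n, a in d if n == "AuthLDAPURL"]
    anchors = [a for n, a in d
               if n == "LDAPTrustedGlobalCert" and (a.split() or [""])[0].upper() in CA_TYPES]
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in urls)
    encrypted = mode in ("TLS", "SSL") or uses_ldaps

    findings = []
    if not encrypted:
        findings.append("no encryption: LDAPTrustedMode is NONE and no AuthLDAPURL uses ldaps://")
    if encrypted and verify == "on" and not anchors:
        findings.append("LDAPVerifyServerCert is on but no LDAPTrustedGlobalCert CA_* trust anchor is "
                        "configured, so a server certificate from a private CA cannot be verified")
    if mode == "TLS" and uses_ldaps:
        findings.append("LDAPTrustedMode TLS (STARTTLS) is combined with an ldaps:// URL; use one")
    if verify == "off":
        findings.append("LDAPVerifyServerCert off disables server certificate verification")
    return findings
```

Run it against the real auth_ldap.conf by reading the file into lint_ldap_tls; the client-certificate directive on its own never supplies the trust anchor the server check needs.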