problems after upgrade with apache2 and ldap authentication

Tom Lynch tlynch at primate.wisc.edu
Tue Feb 3 22:23:49 CET 2015


Unfortunately, I am still having problems with this. Here is what my error_log says:

[Mon Feb 02 17:01:51 2015] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Feb 02 17:01:51 2015] [info] LDAP: SSL support unavailable: LDAP: SSL/TLS ldapssl_client_init() function not supported by this Netscape/Mozilla/Solaris SDK. Certificate authority file not set

What exactly is this telling me - that SSL support is unavailable even though the previous line shows that the APR is built with the OpenLDAP SDK? Or is it not supported because there is a problem with my trusted certificate file?

I’ve tested my trusted certificate using openssl:
# /opt/csw/bin/openssl verify ssl/crt/ldapservr.crt
ssl/crt/retronight.crt: C = US, postalCode = 53706, ST = WI, L = Madison, street = 1210 West Dayton Street, O = University of Wisconsin-Madison, OU = OCIS, CN = retronight.primate.wisc.edu
error 20 at 0 depth lookup:unable to get local issuer certificate

Is this the cause of the “Certificate authority file not set”?
When I query the openldap server I get “self signed certificate in the certificate chain”; is this the problem (see below)? Is there a way to append the chains together into a LDAPTrustedGlobalCert file that will work? I’ve tried verifying the three certificates with openssl but can only get “OK” if I put an “-untrusted” after the first file, i.e. /opt/csw/bin/openssl verify -CAfile ssl/crt/incommonroot.crt -untrusted ssl/crt/intermediate.crt ssl/crt/ldapserver.crt.


# /opt/csw/bin/openssl s_client -connect retronight.primate.wisc.edu:636 -showcerts
CONNECTED(00000004)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=53706/ST=WI/L=Madison/street=1210 West Dayton Street/O=University of Wisconsin-Madison/OU=OCIS/CN=retronight.primate.wisc.edu
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIEwzCCA6ugAwIBAgIQf3HB06ImsNKxE/PmgWdkPjANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTEwMTIwNzAwMDAwMFoXDTIwMDUzMDEwNDgzOFow
UTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5D
b21tb24xGzAZBgNVBAMTEkluQ29tbW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJd8x8j+s+kgaqOkT46ONFYGs3psqhCbSGErNpBp
4zQKR6e7e96qavvrgpWPyh1/r3WmqEzaIGdhGg2GwcrBh6+sTuTeYhsvnbGYr8YB
+xdw26wUWexvPzN/ppgL5OI4r/V/hW0OdASd9ieGx5uP53EqCPQDAkBjJH1AV49U
4FR+thNIYfHezg69tvpNmLLZDY15puCqzQyRmqXfq3O7yhR4XEcpocrFup/H2mD3
/+d/8tnaoS0PSRan0wCSz4pH2U341ZVm03T5gGMAT0yEFh+z9SQfoU7e6JXWsgsJ
iyxrx1wvjGPJmctSsWJ7cwFif2Ns2Gig7mqojR8p89AYrK0CAwEAAaOCAXcwggFz
MB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBRIT1r6
L0qaXuBQ82t7VaXe9b40XTAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB
/wIBADARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov
L2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QuY3JsMIGz
BggrBgEFBQcBAQSBpjCBozA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1
c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJvb3QucDdjMDkGCCsGAQUFBzAChi1o
dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RVVE5TR0NDQS5jcnQwJQYI
KwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEF
BQADggEBAJNmIYB0RYVLwqvOMrAp/t3f1iRbvwNqb1A+DhuzDYijW+7EpBI7Vu8G
f89/IZVWO0Ex/uGqk9KV85UNPEerylwmrT7x+Yw0bhG+9GfjAkn5pnx7ZCXdF0by
UOPjCiE6SSTNxoRlaGdosEUtR5nNnKuGKRFy3NacNkN089SXnlag/l9AWNLV1358
xY4asgRckmYOha0uBs7Io9jrFCeR3s8XMIFTtmYSrTfk9e+WXCAONumsYn0ZgYr1
kGGmSavOPN/mymTugmU5RZUWukEGAJi6DFZh5MbGhgHPZqkiKQLWPc/EKo2Z3vsJ
FJ4O0dXG14HdrSSrrAcF4h1ow3BmX9M=
-----END CERTIFICATE-----
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/postalCode=53706/ST=WI/L=Madison/street=1210 West Dayton Street/O=University of Wisconsin-Madison/OU=OCIS/CN=retronight.primate.wisc.edu
issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
---
No client certificate CA names sent
…
DONE



> On Jan 31, 2015, at 7:51 AM, Tom Lynch <tlynch at primate.wisc.edu> wrote:
> 
> Dago,
> 
> Thanks for the response. The paths were correct but there was a misconfiguration in my httpd-ssl.conf file that caused the problem.
> 
> Tom
> On Jan 30, 2015, at 11:01 AM, Dagobert Michelsen <dam at opencsw.org> wrote:
> 
>> Hi Tom,
>> 
>>> On 30.01.2015 at 17:52, Tom Lynch <tlynch at primate.wisc.edu> wrote:
>>> 
>>> After upgrading Solaris and opencsw, Apache2 no longer is able to authenticate against my openldap server. I get:
>>> 
>>> [Fri Jan 30 09:19:34 2015] [info] [client 192.168.0.21] [5973] auth_ldap authenticate: user authentication failed; URI /staff [LDAP: SSL/TLS is not supported by this version of the Netscape/Mozilla/Solaris SDK][Can't contact LDAP server]
>>> 
>>> I configured the site several years ago so am a little foggy on what I originally did to get it to work. Not sure where to go next.
>>> 
>>> I’m using the csw apache2 build, shouldn’t it be using the correct SDK, apache apr is installed, or is there something I’m missing?
>> 
>> I guess you have to revise your httpd.conf; the LDAP authentication and especially OpenSSL have changed
>> considerably in the last years. Look for mod_ldap in httpd.conf and see if all paths still match.
>> 
>> 
>> Best regards
>> 
>>  — Dago
>> 
>> -- 
>> "You don't become great by trying to be great, you become great by wanting to do something,
>> and then doing it so hard that you become great in the process." - xkcd #896
> 
