[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP as a ldap->ldaps proxy for apache to AD

You didn't mention the OpenLDAP version, which is probably significant here. In older versions of OpenLDAP a single TLS context was used for slapd. In newer versions, there are separate contexts for slapd as a server vs slapd as a client (e.g. back-ldap). Try adding the equivalent TLS settings to slapd.conf.

Don Wood wrote:

I am having trouble setting up OpenLDAP as a ldap->ldaps proxy for
apache to AD authentication.  The proxy is running on debian sarge and
I am using the standard packages.

I can see Apache connecting to OpenLDAP, and OpenLDAP connecting to
the AD server, but it appears that there are errors in the bind phase
for the SSL connection.

When I run "slapd -d 16383" I get the below messages in the dump.

TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 20, subject: /O=RSA
Security Inc./CN=RSA Public Root CA
v1/emailAddress=rsakeonrootsign@rsasecurity.com, issuer: /L=ValiCert
Validation Network/O=ValiCert, Inc./OU=ValiCert Class 3 Policy
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
TLS certificate verification: Error, unable to get local issuer certificate

In slapd.conf I did not do any certificate configuration, as appache
will not be connecting with SSL.  OpenLDAP runs as root, so all of my
SSL configuration is in ~root/.ldaprc.  Am I understanding correctly
that this is how it should be done.  I have double-checked the paths
to the cert files, and they are all PEM encoded.  I also know the
files are valid because Apache is using them for server authentication
to the client.

Here are what I believe to be the applicable lines from my configuration.

database       ldap
suffix         "ou=people,dc=dir,dc=svc,dc=DOMAIN,dc=com"
uri            "ldaps://AD_SERVER.DOMAIN.com:636"

TLS_CACERT /opt/cert/SSLchain.pem
TLS_CERT /opt/cert/host.domain.com.crt
TLS_KEY /opt/cert/host.domain.com.key

Not sure what I'm missing, but I'm new to OpenLDAP so it could be
something basic.  (I have checked the man pages, other docs,  and
searched the mailing lists.)

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support