Apache 2.2 mod_ldap refusing to work over SSL/TLS (solved)

[Maxim Khitrov]

On Thu, Nov 19, 2009 at 11:33 AM, Maxim Khitrov <mkhitrov at gmail.com> wrote:
> Hello all,
>
> Wasted many hours on this and am no closer to a solution. I'm trying
> to get apache 2.2 on FreeBSD 7.2 to authenticate against our active
> directory (Windows 2003).
>
> The current status is that authentication works without problems when
> SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
> to the server and run queries using the ldapsearch tool. Server
> certificate verification works without any problems.
>
> The relevant portions of ldap.conf and httpd.conf are identical, so if
> I can use SSL and TLS with ldapsearch, there is no reason why it
> shouldn't be working from apache. Just to be on the safe side, I've
> turned off server certificate verification with 'LDAPVerifyServerCert
> Off' directive.
>
> So... Unencrypted authentication works, SSL authentication results in
> "[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]", and
> TLS authentication gives "[LDAP: ldap_start_tls_s() failed][Connect
> error]." I had nothing else to go on, so I decided to capture the
> packets that are being sent between apache and active directory
> servers. I then compared this packet capture with what ldapsearch does
> (both using TLS).
>
> In summary, ldapsearch and apache send an identical
> LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
> with an identical "Result: Status: Success, MatchedDN: NULL,
> ErrorMessage: NULL" packet. But while ldapsearch then goes on to the
> certificate and key exchange phase, apache responds with
> "OperationHeader: Unbind Request, 2(0x2)" and terminates the
> connection.
>
> As far as I can tell, it doesn't even get to the certificate
> verification phase even though the STARTTLS command is successful.
> Anyone have a clue on what could be causing this?
>
> - Max
>

I love the simplest of problems that takes 12 hours to solve... It was
my mistake and a really dump one, but apache and openldap sure don't
make it easy to figure this out.

The next step after packet captures was to start digging through
source. I finally ended up in tls_o.c, which is part of OpenLDAP. The
whole problem had to do with the fact that the CA certificate I
specified was in a directory readable only by root. That would
certainly explain why ldapsearch worked without problems.

Unfortunately, the certificate is loaded just prior to establishing an
SSL or TLS connection. While one would expect an error for this
condition to be raised when apache is first started (basic validation
of LDAPTrustedGlobalCert directive), it actually manifests itself as a
cryptic "Connect error" message during authentication.

- Max