Project

General

Profile

LDAPS with Lighty

Added by drriptide almost 15 years ago

I'm trying to get lighty up and running to authenticate with a LDAP server running over SSL (port 636). I am using Debian 5.0 and latest lighty on stable (version 1.4.19). I am using a certificate that I signed myself as a CA and that is referenced below. I have my auth_mod setup as follows:

auth.backend                 = "ldap" 
# auth.backend.plain.userfile  = "lighttpd.user" 
# auth.backend.plain.groupfile = "lighttpd.group" 

auth.backend.ldap.hostname   = "example.com:636" 
auth.backend.ldap.base-dn    = "dc=example,dc=com" 
auth.backend.ldap.filter     = "(uid=$)" 
auth.backend.ldap.starttls   = "enable" 
auth.backend.ldap.ca-file    = "/etc/ssl/ca/cacert.pem" 
auth.backend.ldap.bind-dn    = "cn=lighttpd,ou=services,dc=example,dc=com" 
auth.backend.ldap.bind-pw    = "secret" 
auth.backend.ldap.allow-empty-pw = "disable" 

$HTTP["url"] =~ "^/wiki/" {
auth.require                 = ( "" =>
                                  (
                                  "method"  => "basic",
                                  "realm"   => "Protected Directory",
                                  "require" => "valid-user" 
                                  )
                                )

I added the port number in the URL above because lighttpd was not even connecting to the LDAP server without it.

In the error log of lighttpd, I have the following segment saying that startTLS failed because it can't connect to the LDAP server: (These errors pop up after I try to login in browser)

2010-01-23 15:56:12: (response.c.212) -- splitting Request-URI
2010-01-23 15:56:12: (response.c.213) Request-URI  :  /wiki/
2010-01-23 15:56:12: (response.c.214) URI-scheme   :  http
2010-01-23 15:56:12: (response.c.215) URI-authority:  example.com
2010-01-23 15:56:12: (response.c.216) URI-path     :  /wiki/
2010-01-23 15:56:12: (response.c.217) URI-query    :
2010-01-23 15:56:12: (response.c.245) -- sanatising URI
2010-01-23 15:56:12: (response.c.246) URI-path     :  /wiki/
2010-01-23 15:56:12: (mod_access.c.135) -- mod_access_uri_handler called
2010-01-23 15:56:12: (mod_auth.c.572) ldap startTLS failed: Can't contact LDAP server
2010-01-23 15:56:12: (http_auth.c.872) password doesn't match for  /wiki/ josh , IP: ::ffff:192.168.1.10

I can see that it is actually talking to the LDAP server (with the above 636 port number) because there is a failure message in the LDAP debugging. Without the 636 in the hostname though, I don't get any error messages in the LDAP which I assume means it isn't making the connection.

TLS: can't accept: A record packet with illegal version was received..
connection_read(15): TLS accept failure error=-1 id=41, closing
connection_closing: readying conn=41 sd=15 for close
connection_close: conn=41 sd=15
daemon: removing 15
daemon: activity on 1 descriptor
daemon: activity on:
conn=41 fd=15 closed (TLS negotiation failure)

From the LDAP log, it looks like I have something misconfigured with how lighttpd passes the TLS for login. I have also checked with SSL dump and it looks like there is a TCP connection, but not certificates or TLS getting passed.

Anyone have any ideas or ran into a similar issue getting lighttpd communicating with a LDAP server running SSL?


Replies (4)

RE: LDAPS with Lighty - Added by jason_f almost 15 years ago

I'm having the same problem.
If I contact my ldap server on 389 and have enabled tls in lighttpd, I'm able to connect. The certificate exchange happens and the connection is encrypted.
adding :636 to the end of my hostname, and I get the 'can't contact ldap server' error message as well.
I've tried disabling the enable tls option in the config, but this also doesnt work. AFAIK tls is only used to encrypt connections on 389. When using ldaps on 636, ssl should be used instead of tls. I'm wondering if this is the reason for tls to fail on 636..
I'm guessing your ldap server isnt setup for tls, or doesnt allow connections on 389, but this doesnt help either of us in getting ldaps working on 636. =)

RE: LDAPS with Lighty - Added by kace over 13 years ago

Any news on this front? I'm having the same problem on version 1.4.28. I'm trying to auth. against a MS Active Directory LDAP server. When I go for port 389 I get the slightly different error: "(mod_auth.c.587) ldap startTLS failed: Connect error"

On 636, though, same error: "(mod_auth.c.587) ldap startTLS failed: Can't contact LDAP server". ... Any ideas would be much appreciated. I may have to go with another server if I can't resolve this. :(

I'm not an LDAP expert, but from what I've read 636 is not the right port to use anymore. In LDAP protocol v3 you're supposed to 389 + startTLS. So, I wonder if this is a case of MS AD (and maybe others) implementing the protocols badly and lighty doing it correctly and users getting stuck in the middle. If this is the issue some sort of new option to work with the incorrect implementations would be a reasonable resolution!

(Jason_f, I wondering why you want to connect on 636 anyway if you were able to connect on 389 and TLS worked and it was encrypted?)

RE: LDAPS with Lighty - Added by kace over 13 years ago

Doh! Looks like this is being worked on!

http://redmine.lighttpd.net/issues/2294

RE: LDAPS with Lighty - Added by yenn almost 13 years ago

I ran into this problem too, because I had to authenticate users against LDAP using port 636 which isn't under our control. I even upgraded lighty (1.4.28) to 1.4.30, but nothing changed. The trick is don't specify any port, lighty will handle ports by itself.
So change this line:

auth.backend.ldap.hostname   = "example.com:636" 

To:
auth.backend.ldap.hostname   = "example.com" 

Now it works like a charm :~)

    (1-4/4)