I have a webpage that's behind a restricted realm on a web server. To get by, people have to authenticate with their Samba Active Directory account. To accomplish this, I have always used the following configuration settings in my httpd.conf file for this site:
<Directory "${TOP_DIR}/public_html>
AuthName "My Company's Totally Protected Schtuff"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc01.example.com:389/dc=samdom,dc=example,dc=com?samaccountname"
AuthLDAPBindDN "CN=privileged user,CN=Users,DC=samdom,DC=example,DC=com"
AuthLDAPBindPassword "totallySw33tpa$$w0rd"
AuthUserFile /dev/null
Require valid-user
</Directory>
Well, my samba DCs all have SSL certificates now, granted to them by a CA. So I have changed my configuration like so:
<Directory "${TOP_DIR}/public_html>
AuthName "My Company's Totally Protected Schtuff"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://dc01.example.com:636/dc=samdom,dc=example,dc=com?samaccountname"
AuthLDAPBindDN "CN=privileged user,CN=Users,DC=samdom,DC=example,DC=com"
AuthLDAPBindPassword "totallySw33tpa$$w0rd"
AuthUserFile /dev/null
Require valid-user
</Directory>
Most servers on my network are handling LDAPS well, but my Apache2 server is not liking it. Reloading the services goes just fine; no errors. I can even go to the site and I am presented with a username and password prompt, which appears to work if I enter credentials correctly. But, instead of the beautiful web page I am expecting to see, I see this message:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at webmaster@example.com to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Apache/2.4.18 (Ubuntu) Server at restricted.example.com Port 443
A visit to my error logs tells me nothing. Can anyone with masterful skills on LDAPS in Apache2 provide any insight? I'll settle for not-masterful-skills, as long as it works.
答案 0 :(得分:0)
我们的LAMP服务器需要信任颁发我的Samba域控制器上的SSL证书的证书颁发机构,以便加载受保护领域后面的页面。我没有意识到1)除了HTTPS之外的任何事情(回想起来......)和2)我的CA在默认情况下还没有被信任。
对于Samba域控制器,你的Samba管理员(可能只是你,因为它适合我......不是你,我)安装了一个文件,以便LDAPS可以工作。它以.pem扩展名结尾,并且是为证书颁发机构提供的,因此如果您是专业人士,则可能使用“ca”命名。在我的Ubuntu Samba机器上,它位于/var/lib/samba/private/tls/,但这些文件的另一个常见位置是/usr/local/samba/private/tls/。在此示例中,我的CA pem证书的名称为server.ca-bundle.pem。
我将server.ca-bundle.pem复制到我的LAMP服务器的/usr/local/share/ca-certificates/文件夹中。 (默认情况下,没有任何内容。)然后我将其扩展名从.pem更改为.crt(如server.ca-bundle.crt所示)。作为旁注,我有三个运行Samba 4.7.6的域控制器,但是它们都来自同一个权限(在我的例子中是Comodo),所以我只需要其中一个server.ca-bundle.pem。< / p>
接下来,我运行update-ca-certificates(我正在以root身份执行所有操作,所以你知道)。这会在/etc/ssl/certs/ca-certificates.crt生成一个新文件,我了解其中包含所有受信任的权限。
以下命令对测试安全连接很有用,但没有给出任何错误:
openssl s_client -connect dc01.samdom.mycompany.com:636 -CApath /etc/ssl/certs
很多输出,但一切都很好。然后我尝试了我的配置,就像我在之前的帖子中所做的那样,重新加载了Apache2,并且从客户端机器上,我能够看到受保护领域背后的页面。 问题解决了!