Apache 2.4 mod_ldap does not appear to support SNI for authentication against LDAPS servers


Apache 2.4 mod_ldap does not appear to support SNI for authentication against LDAPS servers

James Stocks-2
We are attempting to use mod_ldap and mod_authnz_ldap to secure our apache2 web server.  We are using the Debian 10 Apache2 package, version 2.4.38.  Our authentication provider is G-Suite, the LDAP endpoint is ldap.google.com.

Apache connects to ldap.google.com, however it does not appear to successfully negotiate a TLS connection.  As a workaround, we have set up stunnel4 to handle the TLS session and configured Apache to use stunnel.  Apache is able to successfully authenticate using plain LDAP through the TLS tunnel.  We have also successfully connected to the LDAP endpoint using ldapsearch.

This is the relevant part of our apache config:

<Location />
    AuthLDAPURL "ldaps://ldap.google.com:636/ou=Users,dc=yes,dc=com?uid?sub?(objectClass=*)"
    LDAPTrustedClientCert CERT_BASE64 "/etc/apache2/ssl/Google_xxxx.crt"
    LDAPTrustedClientCert KEY_BASE64 "/etc/apache2/ssl/Google_xxxx.key"
    AuthLDAPBindDN 'someuser'
    AuthLDAPBindPassword 'apassword'
</Location>

From examining packet captures of the TLS sessions for both stunnel and Apache, the connection from Apache to the LDAP server does not seem to have support for SNI.  According to the Google documentation, SNI support is mandatory in order to use the LDAP service [1].  Attached are screenshots showing the TLS packet captures for stunnel and Apache.

Can anyone tell me whether SNI support is available in mod_ldap and if so how do I activate it?

Regards,



Re: Apache 2.4 mod_ldap does not appear to support SNI for authentication against LDAPS servers

Konstantin Kolinko
Fri, 12 Jun 2020 at 17:14, James Stocks <[hidden email]>:
>
> We are attempting to use mod_ldap and mod_authnz_ldap to secure our apache2 web server.  We are using the Debian 10 Apache2 package, version 2.4.38.  Our authentication provider is G-Suite, the LDAP endpoint is ldap.google.com.
>
> Apache connects to ldap.google.com, however it does not appear to successfully negotiate a TLS connection.  As a workaround, we have set up stunnel4 to handle the TLS session and configured Apache to use stunnel.  Apache is able to successfully authenticate using plain LDAP through the TLS tunnel.  We have also successfully connected to the LDAP endpoint using ldapsearch.
>
[...]
>
> Can anyone tell me whether SNI support is available in mod_ldap and if so how do I activate it?
>

Just sharing a few pointers that I found:

1. Documentation for mod_ldap says that "SSL/TLS support is dependent
on which LDAP toolkit has been linked to APR. As of this writing,
APR-util supports: ..." and lists 5 different implementations.

http://httpd.apache.org/docs/2.4/mod/mod_ldap.html

2. Assuming that the implementation that you are dealing with is
OpenLDAP, a quick search finds the following item in their Bugzilla
(and on their mailing list):

https://www.openldap.org/lists/openldap-bugs/202002/msg00421.html
https://bugs.openldap.org/show_bug.cgi?id=9176
"(ITS#9176) libldap support for TLSv1.3 Encrypted SNI"

It was implemented a month ago, but apparently it is targeted for the
next major version (2.5.0) and is not part of the current 2.4.50
release of OpenLDAP.

https://git.openldap.org/openldap/openldap/-/commit/5c0efb9ce83db383631ce79e8f246d73c33b9ab3
https://git.openldap.org/openldap/openldap/-/commit/e96f90e21229f9d83129db0da017e0fe5a0a27c8

Thus I guess that the answer to your question is "not yet".

Best regards,
Konstantin Kolinko
