I am able to connect with ldp via port 389. I have run netstat/netdiag/and dcdiag with no issues.
However, when I try to connect using LDP via 636 and using an IP address as the server, I receive the following error:
ld = ldap_open("M.Y.I.P", 636);
Error <0x51>: Fail to connect to M.Y.I.P.
This says that it is by design:
http://support.microsoft.com/kb/814662
This indicates the problem is likely name resolution:
http://forum.java.sun.com/thread.jspa?threadID=645000&messageID=3824603
That works from the server using windowsdomain.domain.org. Still cannot connect via remote client.
This link:
http://www.pgina.org/?page_id=6
indicates that if you can connect via 389 but not 636 then you have a certificate problem.
The server event logs showed:
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36869
Date: 7/16/2007
Time: 7:31:05 PM
User: N/A
Computer: SERVER
Description:
The SSL client credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
I reinstalled the certificate from server/certsrv and still have the same unable-to-connect error, but now I no longer get any event log messages.
This post
http://www.eggheadcafe.com/aspnet_answers/windowsserveractive_directory/May2006/post26947443.asp
suggests looking in the client machine's event log, duh...
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36884
Date: 7/16/2007
Time: 8:03:44 PM
User: N/A
Computer: ME
Description:
The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is windowsdomain.domain.org. The SSL connection request has failed. The attached data contains the server certificate.
This tells you how to enable events in schannel:
http://support.microsoft.com/?id=260729
However, none of this explains how to fix the actual problem. How do you verify/change the name on the certificate that the server issues? It seems that ldp wants it to be the same FQDN that you use to address the server. However, that cannot be how mine is named, as I get the same error message when I tell the remote ldp client to use windowsdomain.domain.org.
Got it - from a remote machine, you have to use servername.windowsdomain.domain.org aka fqdn - dimwit.
This is ugly, as that is not a dns A record i want floating around out there. How to change the msft certificate services to issue a friendlier name, e.g. ldap.domain.org....?
This says you cannot change the name:
http://articles.techrepublic.com.com/5100-6345_11-5643908.html
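The name check that Schannel performs (and that ldp fails when it is handed an IP address) as an added PHP example, not part of the original post: the host name in the LDAP URL has to equal the certificate's subject CN or one of its subjectAltName DNS entries, either exactly or through a single leftmost wildcard label. The certificate array is constructed from the post's own placeholder names; fetchServerCertificate() is an added helper that pulls the real certificate off port 636 for inspection only. Verification is switched off inside that helper purely so the certificate can be captured and reported, so it must never be reused for the actual directory connection.

```php
<?php
// Added example (not from the original post). Host and port values are the
// post's own placeholders; nothing here refers to a real server.

/**
 * Return the DNS names a parsed X.509 certificate is valid for:
 * every subjectAltName DNS entry plus the subject CN.
 */
function certificateNames(array $parsed): array
{
    $names = [];
    if (!empty($parsed['extensions']['subjectAltName'])) {
        foreach (explode(',', $parsed['extensions']['subjectAltName']) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0) {
                $names[] = substr($entry, 4);
            }
        }
    }
    if (!empty($parsed['subject']['CN'])) {
        $names[] = $parsed['subject']['CN'];
    }
    return $names;
}

/**
 * Does $expected (the host name used in the LDAP URL) match one of the
 * certificate names? Case-insensitive exact match, or a wildcard that is
 * confined to the leftmost label ("*.windowsdomain.domain.org").
 */
function nameMatches(string $expected, array $certNames): bool
{
    $expected = strtolower(rtrim($expected, '.'));
    foreach ($certNames as $name) {
        $name = strtolower(rtrim($name, '.'));
        if ($name === $expected) {
            return true;
        }
        if (strpos($name, '*.') === 0) {
            $suffix = substr($name, 1);                 // ".windowsdomain.domain.org"
            $sufLen = strlen($suffix);
            if (strlen($expected) > $sufLen && substr($expected, -$sufLen) === $suffix) {
                $prefix = substr($expected, 0, strlen($expected) - $sufLen);
                if (strpos($prefix, '.') === false) {   // wildcard covers one label only
                    return true;
                }
            }
        }
    }
    return false;
}

/**
 * Fetch the certificate an LDAPS port presents, for inspection only.
 * verify_peer is off here solely so the certificate can be captured and
 * its names printed; a real directory connection must keep verification on.
 */
function fetchServerCertificate(string $host, int $port = 636): ?array
{
    $ctx = stream_context_create(['ssl' => [
        'capture_peer_cert' => true,
        'verify_peer'       => false,
        'verify_peer_name'  => false,
    ]]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return null;
    }
    $params = stream_context_get_params($sock);
    fclose($sock);
    $cert = $params['options']['ssl']['peer_certificate'] ?? null;
    return $cert ? openssl_x509_parse($cert) : null;
}

// Constructed certificate data, standing in for what the DC would present.
$parsedCert = [
    'subject'    => ['CN' => 'servername.windowsdomain.domain.org'],
    'extensions' => ['subjectAltName' => 'DNS:servername.windowsdomain.domain.org'],
];
$names = certificateNames($parsedCert);

// The three names tried in the post, in order: only the server FQDN matches.
foreach (['M.Y.I.P', 'windowsdomain.domain.org', 'servername.windowsdomain.domain.org'] as $tried) {
    printf("%-40s %s\n", $tried, nameMatches($tried, $names) ? 'matches' : 'no match');
}

// Live check, on a host that can reach the DC:
// $live = fetchServerCertificate('servername.windowsdomain.domain.org');
// if ($live) print_r(certificateNames($live));
```

Because the match is on the name in the URL, the practical fix is the one the post arrived at: address the DC by the FQDN its certificate carries, or get a certificate that carries the name you want to use.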
Monday, July 16, 2007
How to install SSL cert on Dreamhost for use in Drupal ldapauth against Active Directory
THIS POST IS A DEAD END - It contains links and attempts at getting Drupal's ldap integration module to work against a W2K domain controller for active directory. It appears W2K does not support TLS and therefore, I need to create a separate post for how to get the drupal module to use ldaps instead of StartTLS.
Following up on the prior sequence of posts, this will document the learning/attempt path to get my cert installed on my dreamhost account that will enable drupal ldapauth to use secure communication with our Active Directory server.
This shows how to use OpenSSL to generate a self-signed certificate. Not what I need right now, but if I end up having to abandon using the MSFT self-signed, I'll come back to this.
http://www.neilstuff.com/apache/apache2-ssl-windows.htm
This looks promising... googled "ldapauth client SSL certificate active directory"
http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html:
Ok, that got me through exporting the .cer file from Microsoft's Certificate Authority. FTP'd the file up to my dreamhost account, and ran the steps to create a .pem file. On to getting ldapauth to see and use that file...
Not sure where to set the path for the pem file in the ldapauth module setup. Within ldapinterface.php there is a secretKey = null attribute that goes along with the tls setting on the next line. However, it may not go here at all and may be part of the openldap or openssl configuration.
Here's the current error message when I check "Start TLS" in the ldap integration settings in drupal administration:
warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Decoding error in /home/snip/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 128.
My php install directory is php5, which contains an etc folder which contains an openldap folder which contains an ldap.conf file, which is where I believe the cert reference needs to exist. Err, maybe not. The script above indicates I need to create an ldaprc file and reference the pem file there.
http://edoceo.com/liber/network-openldap.php
The docs are not consistent on what the ldaprc file switch contains.
muquit says:
TLS_CACERT /usr/local/certs/cacert.pem
TLS_REQCERT allow
Which I changed to:
TLS_CACERT $HOME/.ssl/[domain].pem
TLS_REQCERT allow
Apache needs to know where to find the ldaprc... snipped from muquit:
Before starting apache set a env variable (probably in apachectl) like:
LDAPCONF=/path_of/ldaprc
export LDAPCONF
How does that work on Dreamhost??
Do I put this in .htaccess?
The very last post in this thread indicates that TLS is NOT supported by Windows 2000 domain controllers!!!! If that's the case, where do I go from here? How do I get the ldapauth module to use ssl instead of tls?
http://forums.gentoo.org/viewtopic-t-295330-highlight-modauthldap+ssl.html
http://forum.java.sun.com/thread.jspa?threadID=592611&tstart=240
And the final word??
http://support.microsoft.com/kb/321051
"Windows 2000 does not support the Start TLS extended-request functionality"
So do I need to hack the ldapauth module in drupal to use ldaps? Will this automatically use ssl and the local cert instead of startTLS?
http://drupal.org/node/75645
Additional References
http://www.openldap.org/lists/openldap-software/200403/msg00034.html
http://www.thetipspool.com/freenode/ldap/27Apr2007/3
This one has a good thread about getting apache to see the ldap cert file.
http://forums.gentoo.org/viewtopic-t-295330-highlight-modauthldap+ssl.html
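The ldaps route the post is asking about, as an added PHP example (mine, not the post's and not the ldapauth module's code): with an ldaps:// URI on 636, PHP's ldap_connect() negotiates SSL before the first LDAP message is sent, so ldap_start_tls() is never called and the Windows 2000 limitation does not come into play. The host name, CA file path, bind DN and the environment variable holding the bind password are assumptions. The OpenLDAP client settings are passed as LDAPTLS_* environment variables, which ldap.conf(5) documents as equivalent to the ldaprc keywords; that sidesteps the question of where Dreamhost's Apache would pick up LDAPCONF. They are set with putenv() before the first ldap_* call, on the assumption that the library has not been initialised earlier in the same process. Note the TLS_REQCERT value: "allow" accepts a bad or missing certificate, which makes the exported CA file decorative; "demand" is the setting under which the CA file actually protects the connection.

```php
<?php
// Added example (not from the original post or the ldapauth module):
// connect to an Active Directory DC with LDAPS instead of StartTLS.
// Host, CA file path and bind account are assumptions standing in for the
// post's own values.

/**
 * Open a verified LDAPS connection and bind as the reader account.
 * Returns the LDAP link, or null with the failure printed.
 */
function connectLdaps(string $server, string $caFile, string $bindDn, string $bindPw)
{
    // OpenLDAP reads any ldap.conf keyword from the environment with an LDAP
    // prefix, so these replace an ldaprc file. Must happen before the first
    // ldap_* call in this process (assumption: nothing initialised it earlier).
    putenv('LDAPTLS_CACERT=' . $caFile);   // absolute path to the exported CA cert (PEM)
    putenv('LDAPTLS_REQCERT=demand');      // "allow" would accept a bad certificate

    // ldaps:// on 636 does SSL before any LDAP traffic; no ldap_start_tls().
    $ldap = ldap_connect("ldaps://$server:636");
    if ($ldap === false) {
        echo "Bad LDAP URI\n";
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers a domain-root search with referrals; chasing them anonymously
    // fails, so turn referral chasing off.
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        // A name mismatch or an untrusted CA surfaces here, not as a TLS error.
        printf("Bind failed: %s\n", ldap_error($ldap));
        return null;
    }
    return $ldap;
}

$server = 'servername.windowsdomain.domain.org';   // must be the name on the cert
$caFile = '/home/example/.ssl/domain-ca.pem';      // assumed location of the exported CA
$bindDn = 'CN=ldap reader,OU=Service Accounts,DC=windowsdomain,DC=domain,DC=org';
$bindPw = getenv('LDAP_BIND_PASSWORD') ?: '';      // read from the environment, never hard-coded

$ldap = connectLdaps($server, $caFile, $bindDn, $bindPw);
if ($ldap === null) {
    exit(1);
}

// Minimal read to prove the secure channel works: look up one account.
$result  = ldap_search($ldap, 'DC=windowsdomain,DC=domain,DC=org',
                       '(sAMAccountName=jdoe)', ['dn', 'mail']);
$entries = ldap_get_entries($ldap, $result);
printf("%d entry(ies) read over LDAPS\n", $entries['count']);
ldap_unbind($ldap);
```

The module's own connect call would have to be given the ldaps:// URI in the same way; whether its settings form accepts one is not something this example can answer.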
Wednesday, June 27, 2007
Access is denied for all accounts after migrating Drupal website
We recently migrated the site from internal hosting to external. All users, including the first user with super admin rights get access is denied on all administrative actions.
It looks like it's a php version problem, where the new host was running 5 and the drupal site version was 4.6.1....
Yep, that was it.
Saturday, June 23, 2007
Dreamhost Drupal Sub-directory with clean urls
Trying to consolidate hosts and need to have multiple drupal installations under an existing drupal installation. Clean urls were not working by default - they threw 404 errors on the parent drupal site. The sites themselves worked fine, just not clean urls.
Also interesting was that the .htaccess file did not exist in the root of the subdir site - I'm not sure why - maybe it gets created when clean urls are turned on in drupal 5.
So, I edited the parent .htaccess file to uncomment RewriteBase /[subdir desired], ftp'd it up to the subdir root installation and voila, clean urls now work in Dreamhost subdir installed drupal 5 apps.
Securing Active Directory for Drupal LDAP access
I don't yet have the ldap authentication working on SSL or TLS, as I need to learn how to install the certificate root and certificate on the drupal server. But that will be a different post.
First, I need to tighten down security on the AD. I want the binddn reader and updater accounts to have no rights beyond that specific purpose. You would think that would be a very easy thing to specify... ahem.
Looking here (don't you love msft's refusal to adopt clean urls?):
Assign user rights to new security groups so you can specifically define a user's administrative role in the domain.
http://technet2.microsoft.com/WindowsServer/en/library/95107162-47eb-4891-832f-0c0b15b7c8581033.mspx
Enforce account lockouts on user accounts and decrease the possibility of an attacker compromising your domain through repeated logon attempts.
http://technet2.microsoft.com/WindowsServer/en/library/91a98c38-38c5-49dc-83bf-e69d8e1dbbfa1033.mspx
Promote a secure operating environment by running your computer without administrative credentials except when required.
http://technet2.microsoft.com/WindowsServer/en/library/8782f8ab-9538-4111-8a68-7bfd130c21c01033.mspx
This is crap - user rights assignment on AD is useless for my purpose. There are far too few rights defined, and they seem way too blunt.
Found a new way -
By default, any authenticated account can scan the directory. Attempting to use a plain user account as the reader account with no additional rights.... it seems to work.
updater account settings:
create a new security group and put the updater account in it
right click domain in ad users and computers
choose delegate control
add the group that contains the updater account
create a custom task to delegate
only the following objects in the folder/User objects
Read all properties/Write E-Mail Address (Others)/Change Password/Reset Password
How do you edit/update those delegated rights? I've been just rerunning the wizard, hoping it's smart enough to delete the prior policy.
Testing...
Unfortunately, the following error is generated when an attempt is made to modify the password. I'm assuming this is because we're not yet running TLS:
warning: ldap_modify() [function.ldap-modify]: Modify: No such attribute in /home/.martin/icsadmin/events.icstars.org/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 226.
Need to define some policies about locking out accounts after a number of password attempts are made.
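The password step, as an added PHP example that is not from the post or the ldapauth module: against Active Directory a password is not written through userPassword; it goes through the unicodePwd attribute, which the DC accepts only over an SSL/TLS-protected connection and only as the new password enclosed in double quotes and encoded as UTF-16LE. The single replace shown is a reset, which is what the delegated "Reset Password" right covers; a change performed by the user (delete of the old value plus add of the new one in one modify) needs the old password instead. DC name, DNs and the environment variable holding the updater password are assumptions.

```php
<?php
// Added example (not from the original post): reset an AD user's password over
// LDAPS with the delegated updater account. Connection details are assumptions.

/**
 * Encode a password the way AD's unicodePwd attribute expects it:
 * the new password in double quotes, as UTF-16LE. AD refuses the write
 * unless the connection is SSL/TLS protected.
 */
function adPasswordValue(string $password): string
{
    return iconv('UTF-8', 'UTF-16LE', '"' . $password . '"');
}

/**
 * Reset (not change) a user's password: one replace of unicodePwd, which needs
 * the "Reset Password" right delegated in the post's wizard steps.
 */
function resetAdPassword($ldap, string $userDn, string $newPassword): bool
{
    $entry = ['unicodePwd' => adPasswordValue($newPassword)];
    if (!@ldap_mod_replace($ldap, $userDn, $entry)) {
        printf("Reset failed: %s\n", ldap_error($ldap));
        return false;
    }
    return true;
}

// Same kind of LDAPS connection the updater account would use. Server
// certificate trust comes from the OpenLDAP client config (TLS_CACERT with
// TLS_REQCERT demand), assumed to be in place.
$ldap = ldap_connect('ldaps://servername.windowsdomain.domain.org:636');
if ($ldap === false) {
    die("Bad LDAP URI\n");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

$updaterDn = 'CN=ldap updater,OU=Service Accounts,DC=windowsdomain,DC=domain,DC=org';
$updaterPw = getenv('LDAP_UPDATER_PASSWORD') ?: '';   // never hard-coded in the module
if (!@ldap_bind($ldap, $updaterDn, $updaterPw)) {
    die('Bind failed: ' . ldap_error($ldap) . "\n");
}

$userDn = 'CN=jdoe,OU=Staff,DC=windowsdomain,DC=domain,DC=org';   // constructed target DN
$ok = resetAdPassword($ldap, $userDn, 'NewP@ssw0rd-2007');
echo $ok ? "password reset\n" : "password not reset\n";
ldap_unbind($ldap);
```

If the write comes back with an error after the encoding is right, the next things to check are that the bind really went over ldaps and that the delegated rights include Reset Password on the user objects in that OU.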
Monday, June 18, 2007
phpSupport
Found this today and plan to incorporate into our environment thanks to:
http://aplawrence.com/Reviews/bghelpdesk.html
http://phpsupport.jynx.net/?a=inuse