LDAPS Authentication in an httpd.conf file fails


I have a webpage that's behind a restricted realm on a web server. To get by, people have to authenticate with their Samba Active Directory account. To accomplish this, I have always used the following configuration settings in my httpd.conf file for this site:

<Directory "${TOP_DIR}/public_html">
  AuthName "My Company's Totally Protected Schtuff"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://dc01.example.com:389/dc=samdom,dc=example,dc=com?samaccountname"
  AuthLDAPBindDN "CN=privileged user,CN=Users,DC=samdom,DC=example,DC=com"
  AuthLDAPBindPassword "totallySw33tpa$$w0rd"
  AuthUserFile /dev/null
  Require valid-user
</Directory>

Well, my samba DCs all have SSL certificates now, granted to them by a CA. So I have changed my configuration like so:

<Directory "${TOP_DIR}/public_html">
  AuthName "My Company's Totally Protected Schtuff"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldaps://dc01.example.com:636/dc=samdom,dc=example,dc=com?samaccountname"
  AuthLDAPBindDN "CN=privileged user,CN=Users,DC=samdom,DC=example,DC=com"
  AuthLDAPBindPassword "totallySw33tpa$$w0rd"
  AuthUserFile /dev/null
  Require valid-user
</Directory>

Most servers on my network are handling LDAPS well, but my Apache2 server is not liking it. Reloading the services goes just fine; no errors. I can even go to the site and I am presented with a username and password prompt, which appears to work if I enter credentials correctly. But, instead of the beautiful web page I am expecting to see, I see this message:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at webmaster@example.com to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Apache/2.4.18 (Ubuntu) Server at restricted.example.com Port 443

A visit to my error logs tells me nothing. Can anyone with masterful skills on LDAPS in Apache2 provide any insight? I'll settle for not-masterful-skills, as long as it works.


Solution

  • Our LAMP servers need to trust the Certificate Authority which issued my SSL certificates that live on my Samba domain controllers in order for the page behind the protected realm to load. I didn't realize that 1) anything other than HTTPS mattered for that (in retrospect... duh) and 2) that my CA wasn't already trusted by default.

    In the case of a Samba Domain Controller, there's a file your Samba administrator (who might just be you, as it was for me... not you, me) installed so that LDAPS would work. It ends with a .pem extension and it's for the certificate authority, so you may have named it with a "ca" if you were a pro. On my Ubuntu Samba machines, it lives at /var/lib/samba/private/tls/, but another common location for these files is /usr/local/samba/private/tls/. In this example, the name of my CA pem certificate is server.ca-bundle.pem.

    Well, I copied that server.ca-bundle.pem to my LAMP server's /usr/local/share/ca-certificates/ folder. (By default, there was nothing there.) I then changed its extension from .pem to .crt (as in, server.ca-bundle.crt). As a side note, I have three domain controllers running Samba 4.7.6, but they all got their certificates from the same authority (in my case, Comodo), so I only needed a server.ca-bundle.pem from one of them.

    Next, I ran update-ca-certificates (I'm doing all this as root, so you know). This generates a new file at /etc/ssl/certs/ca-certificates.crt, which I understand contains all the trusted authorities.

    The following command, which is useful for testing secure connections, gave me no errors:

    openssl s_client -connect dc01.samdom.mycompany.com:636 -CApath /etc/ssl/certs

    Lots of output, but everything looked good. Then I tried my config as I did in my earlier post, reloaded Apache2 and, from a client machine, I was able to see the page behind the protected realm. Problem solved!
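As an added illustration (not code from the post, Samba or Apache), this bash script models the trust problem above locally: it builds a throwaway CA and a "dc01" certificate signed by it (constructed data in a temp dir), then checks the issuer against a bundle with and without it, the same way the system bundle that update-ca-certificates writes is consulted for an ldaps:// connection. It assumes openssl and awk are on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Constructs a demo CA and a
# server certificate, then checks them against a trust bundle with and
# without the issuer, mirroring the /etc/ssl/certs/ca-certificates.crt case.
set -eu

# Generate a demo CA and a server certificate signed by it in dir $1.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.com" \
    -keyout "$d/dc01.key" -out "$d/dc01.csr" 2>/dev/null
  openssl x509 -req -days 1 -set_serial 1 -in "$d/dc01.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca.key" -out "$d/dc01.pem" 2>/dev/null
}

# Is CA $1 already in bundle $2 (matched by SHA-256 fingerprint)?
# Returns 0 if present, 1 if not: the up-front check that would have
# shown the issuer was not yet trusted.
ca_in_bundle() {
  local ca="$1" bundle="$2" want got f split found=1
  split=$(mktemp -d)
  want=$(openssl x509 -noout -fingerprint -sha256 -in "$ca")
  # Split the bundle into one PEM file per certificate.
  awk -v d="$split" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$bundle"
  for f in "$split"/c*.pem; do
    [ -e "$f" ] || continue
    got=$(openssl x509 -noout -fingerprint -sha256 -in "$f" 2>/dev/null) || continue
    [ "$got" = "$want" ] && { found=0; break; }
  done
  rm -rf "$split"
  return "$found"
}

# Does server cert $1 chain to a CA in bundle $2? 0 = trusted (what
# mod_ldap needs), 1 = the handshake failure behind the 500 error.
verify_against_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: show both outcomes, then clean up.
demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d"
  : > "$d/empty.crt"; cp "$d/ca.pem" "$d/trusted.crt"   # .pem copied in as .crt
  verify_against_bundle "$d/dc01.pem" "$d/empty.crt" && echo "unexpected trust" || echo "issuer missing: LDAPS would fail"
  verify_against_bundle "$d/dc01.pem" "$d/trusted.crt" && echo "issuer present: LDAPS would verify"
  rm -rf "$d"
}
demo
```

Run `ca_in_bundle /path/to/ca.pem /etc/ssl/certs/ca-certificates.crt` on the web server to confirm the step succeeded. If the system store should stay untouched, Apache's mod_ldap can instead be pointed at a CA file with the `LDAPTrustedGlobalCert CA_BASE64` server-level directive (not mentioned in the post).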