httpd-users mailing list archives

From Dennis Lundberg <dennis.lundb...@mdh.se>
Subject Re: [users@httpd] Problems with mod_auth_ldap and tls/ldaps
Date Thu, 09 Oct 2003 06:35:10 GMT
Hi there

It is possible to do this. We have done this in a test environment on 
Solaris a while back. Now we are in the process of putting it into 
production use. However, we have run into trouble on the compile part. 
See my post from 2003-10-03 19:28.

When we succeeded we used Netscape SDK 4.1. If I recall correctly you 
needed to create a certificate file of sorts. You can do this by 
connecting to your LDAPS server with Netscape Navigator 4.x, on any 
client. Use a URL of ldaps://yourserver.com/. Then you copy the cert7.db 
file from that client to the server. I can't remember offhand exactly 
where to put it.

I'll get back when we have our server up and running.

Ken Bell wrote:
> Hi
> 
> I'm wondering if anyone has been successful yet at using mod_auth_ldap and
> either TLS or LDAPS.
> 
> I've compiled successfully and am able to use ldap (no TLS or LDAPS) to
> authenticate. Problem is, I must, by company directive, use ldaps or tls in
> the authentication phase.
> 
> I've added the two CA directives required by mod_ldap. On startup, apache
> recognizes that I'm trying to use ldaps and gives no errors. With plain
> LDAP, authentication is fine, but when I go to LDAPS, I get errors.
> 
> By turning the logging to debug, I get a message: "auth_ldap authenticate:
> user kbell authentication failed; URI /secret [LDAP: ldap_simple_bind_s()
> failed][Can't contact LDAP server]" 5 times.
> 
> There actually is an encrypted conversation taking place with my ldap
> server(s), but the packets are very small and contain no payload. Since they
> are encrypted, I can't see what is happening.
> 
> Any fresh ideas here? I've tried 4 different LDAP servers which I have used
> successfully with an Apache 1.3 installation and Rudedog's mod_auth_ldap
> with good success. We have upgraded our system and I really don't want to go
> back and don't want to use STunnel.
> 
> Any help would be appreciated.
> 
> Rgds,
> 
> Ken Bell
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 

-- 
Dennis Lundberg, Development Lead, IT Department
e-mail: dennis.lundberg@mdh.se
http://www.mdh.se/personal/VisaPerson?fornamn=Dennis&efternamn=Lundberg
tel: +46-(0)21-101516, fax: +46-(0)21-101636
Mälardalens högskola, Box 883, SE-72123 Västerås, SWEDEN
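
Added example, not part of either message and not the posters' configuration: a sketch of how the cert7.db file described in the reply is tied to the two mod_ldap CA directives mentioned in the question, assuming Apache 2.0 built against the Netscape SDK. The host name, base DN and file paths are placeholders; /secret is the URI from the quoted log line.

```apache
# --- Server config (global scope, outside any <Location>) ---
# mod_ldap reads its trusted CA material once at startup.
# With the Netscape SDK this is the certificate database copied
# from the Navigator client (placeholder path).
LDAPTrustedCA     /path/to/cert7.db
LDAPTrustedCAType CERT7_DB_PATH

# Alternative for SDK builds that read a single CA certificate
# instead of a Netscape database (placeholder path):
# LDAPTrustedCA     /path/to/ca-cert.pem
# LDAPTrustedCAType BASE64_FILE

# --- Protected area ---
<Location /secret>
    AuthType Basic
    AuthName "Restricted"

    # The ldaps:// scheme is what switches the bind to SSL; with
    # ldap:// the credentials cross the network in clear text.
    # 636 is the conventional LDAPS port.
    AuthLDAPURL ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid

    require valid-user
</Location>
```

The CA file must contain the certificate of the CA that issued the LDAP server's certificate and must be readable by the user httpd runs as. A trust failure surfaces only as a failed bind in the error log, so check both before suspecting the directory server.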

