httpd-users mailing list archives

From Brent Kearney <bre...@birs.pims.math.ca>
Subject [users@httpd] auth_ldap and StartTLS
Date Tue, 16 Dec 2003 18:53:28 GMT
Hello,

I'm running Apache2.0 2.0.48, compiled with:

--enable-ldap --enable-auth-ldap --enable-ssl --with-ssl=/opt/ssl --with-apr=/opt --with-apr-util=/opt

(plus other options). HTTPS works fine, however I can't seem to bind
to my directory server, OpenLDAP 2.1.23, using StartTLS.  During the 
"./configure" stage of the apr-utils build, I noticed that it found
my ldap files, and also found that it supports StartTLS.

There is mention in the Apache2 documentation about TLS, but it is
a little vague; there is no mention of how to specify the TLS_CERT
or KEY file, for example.  There is only the LDAPTrustedCA setting,
which I set to my RSA CA certificate that was used for all of my 
self-signed RSA certificates and keys.  With all other LDAP clients 
that connect using StartTLS, the CERT and KEY files need to be 
specified.  I am not using ldaps, only StartTLS.

I tried putting an .ldaprc file in apache2's home directory (required
for PHP's LDAP functions), but this didn't help auth_ldap.  Attempts
to bind to the server produce this error in slapd log:

Dec 16 10:43:31 myhost slapd[22311]: [ID 347666 local4.debug] conn=0 op=0 BIND dn="cn=LDAPhttp,ou=System,o=MYORG" method=128
Dec 16 10:43:31 myhost slapd[22311]: [ID 217296 local4.debug] conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

And this error in the apache error log:

[Tue Dec 16 10:43:38 2003] [warn] [client 198.161.29.182] [22256] auth_ldap authenticate: user brentk authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Confidentiality required]

Is TLS support still forthcoming in this module (I know it's 
an experimental module), or is there some information that I'm 
missing?

Many thanks,

Brent



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
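The slapd lines quoted in the message are the server-side record of what went wrong: a simple bind (method=128) answered with a bindResponse (tag=97) carrying result code 13, LDAP_CONFIDENTIALITY_REQUIRED, because the connection had not been upgraded with StartTLS first. The following is an added example, not code from the original post or from the Apache or OpenLDAP projects: a small parser that correlates BIND requests with their RESULT lines by (conn, op), notes whether each connection completed StartTLS before binding, and reports the binds the server refused for lack of TLS, plus any simple binds that were accepted on an unprotected connection (a misconfigured client whose password crossed the wire in the clear). The log excerpt is constructed for the example; its first two lines reproduce the shape of the lines quoted above, the remaining lines are made up.

```python
import re

# Constructed sample slapd log. Lines 1-2 mirror the shape of the log quoted in
# the message; the later connections (StartTLS then a successful bind, and a
# bind with a wrong password) are invented for the example.
SAMPLE_SLAPD_LOG = """\
Dec 16 10:43:31 myhost slapd[22311]: [ID 347666 local4.debug] conn=0 op=0 BIND dn="cn=LDAPhttp,ou=System,o=MYORG" method=128
Dec 16 10:43:31 myhost slapd[22311]: [ID 217296 local4.debug] conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Dec 16 10:44:02 myhost slapd[22311]: [ID 347666 local4.debug] conn=1 op=0 STARTTLS
Dec 16 10:44:02 myhost slapd[22311]: [ID 217296 local4.debug] conn=1 op=0 RESULT oid= err=0 text=
Dec 16 10:44:02 myhost slapd[22311]: [ID 347666 local4.debug] conn=1 op=1 BIND dn="cn=LDAPhttp,ou=System,o=MYORG" method=128
Dec 16 10:44:02 myhost slapd[22311]: [ID 217296 local4.debug] conn=1 op=1 RESULT tag=97 err=0 text=
Dec 16 10:45:10 myhost slapd[22311]: [ID 347666 local4.debug] conn=2 op=0 BIND dn="uid=brentk,ou=People,o=MYORG" method=128
Dec 16 10:45:10 myhost slapd[22311]: [ID 217296 local4.debug] conn=2 op=0 RESULT tag=97 err=49 text=
"""

# LDAP protocol constants used below.
LDAP_CONFIDENTIALITY_REQUIRED = 13   # resultCode in the quoted slapd line
LDAP_SIMPLE_BIND = 128               # BindRequest authentication choice "simple"

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
STARTTLS_RE = re.compile(r'conn=(\d+) op=(\d+) STARTTLS\b')
# Covers both "RESULT tag=97 err=13 text=..." and "RESULT oid= err=0 text=".
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?err=(\d+)(?: text=(.*))?$')


def summarize_binds(log_text):
    """Pair each BIND request with its RESULT by (conn, op).

    Returns one dict per bind: connection id, DN, bind method, result code,
    diagnostic text, and whether the connection had completed StartTLS before
    the bind was issued (slapd logs are chronological, so a successful
    STARTTLS result seen earlier on the same conn means the bind ran under TLS).
    """
    pending = {}      # (conn, op) -> ("bind", dn, method) | ("starttls",)
    tls_conns = set()
    binds = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = ("bind", dn, int(method))
            continue
        m = STARTTLS_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = ("starttls",)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, text = m.groups()
        request = pending.pop((conn, op), None)
        if request is None:
            continue                      # result for an op we did not track
        if request[0] == "starttls":
            if int(err) == 0:
                tls_conns.add(conn)       # TLS now protects this connection
            continue
        _, dn, method = request
        binds.append({
            "conn": conn, "dn": dn, "method": method, "err": int(err),
            "text": (text or "").strip(), "tls": conn in tls_conns,
        })
    return binds


def plaintext_bind_rejections(log_text):
    """Binds slapd refused with err=13: the client tried to authenticate before
    (or without) negotiating StartTLS, which is exactly the failure the message
    above reports from the auth_ldap side."""
    return [b for b in summarize_binds(log_text)
            if b["err"] == LDAP_CONFIDENTIALITY_REQUIRED]


def simple_binds_without_tls(log_text):
    """Simple binds issued on connections that never completed StartTLS, whatever
    the server answered. A rejection here is the server's policy working; an
    accepted one (err=0) would mean a password crossed the network in the clear
    and is the case a defender most wants flagged."""
    return [b for b in summarize_binds(log_text)
            if b["method"] == LDAP_SIMPLE_BIND and not b["tls"]]


if __name__ == "__main__":
    for b in plaintext_bind_rejections(SAMPLE_SLAPD_LOG):
        print(f"conn={b['conn']} bind as {b['dn']} rejected: {b['text']}")
    for b in simple_binds_without_tls(SAMPLE_SLAPD_LOG):
        print(f"conn={b['conn']} simple bind as {b['dn']} without StartTLS (err={b['err']})")
```

Run against a real slapd log at loglevel 256 (stats), the same two functions separate "the client never started TLS" from "the client started TLS and then failed for another reason" (err=49, invalid credentials, on conn=2 in the sample), which is the first distinction to make when debugging a failing auth_ldap bind.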

