httpd-users mailing list archives

From Stuart Kendrick <skend...@fhcrc.org>
Subject [users@httpd] ldap to ldaps under httpd-2.2
Date Mon, 25 Sep 2006 22:56:00 GMT
hi,

i'm trying to upgrade my ldap authentication to ldaps

i have both ldap and ldaps authentication working under apache 2.0 ... 
but under apache 2.2, i only have plain ldap working

i'm looking for tips on additional troubleshooting methods i could try

here's my apache 2.0 config.  this is the one which works, in both ldap 
and ldaps mode.  notice the use of the non-standard port
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedCA /opt/local/etc/ssl/fhcrc-ad.pem
LDAPTrustedCAType BASE64_FILE
[...]
<Directory "/srv/www/htdocs/soma/">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 10.1.
   SSLRequireSSL
   AuthName Soma
   AuthType Basic
   AuthLDAPBindDN "foo@fhcrc.org"
   AuthLDAPBindPassword passwd-for-foo
   AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
   # ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
   Require valid-user
</Directory>


and here's my apache 2.2 config.  if i comment out the 'ldaps' URL and 
comment in the 'ldap' URL, things work fine:
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
[...]
<Directory "/srv/www/htdocs/soma/">
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.1.
    AuthName Soma
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPBindDN "foo@fhcrc.org"
    AuthLDAPBindPassword passwd-for-foo
    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
#   AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
    Require valid-user
</Directory>

when it fails, i see the following in syslog:

Sep 25 15:24:23 guru httpd[17738]: [warn] [client 10.1.2.3] [17738] 
auth_ldap authenticate: user skendric authentication failed; URI /soma 
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

in a packet trace, i see the following, repeated a handful of times.  [i 
hacked the Source and Destination IP address columns, replacing the 
actual IP addresses with 'a', the address of my apache server, and 'z' 
the address of my LDAP server].  basically, the apache server just 
establishes a TCP connection (SYN, SYN, ACK) ... and then, without 
attempting anything, tears it down ... and then repeats a handful of times.

No.  Time   By  Source Dest Prot Info
  1 0.000000 74  a      z    TCP  48965 > 12389 [SYN, ECN, CWR] Seq=0
  2 0.000351 78  z      a    TCP  12389 > 48965 [SYN, ACK] Seq=0 Ack=1
  3 0.000018 66  a      z    TCP  48965 > 12389 [ACK] Seq=1 Ack=1
  4 0.000780 66  a      z    TCP  48965 > 12389 [FIN, ACK] Seq=1 Ack=1
  5 0.000122 74  a      z    TCP  48966 > 12389 [SYN, ECN, CWR] Seq=0
  6 0.000312 78  z      a    TCP  12389 > 48966 [SYN, ACK] Seq=0 Ack=1
  7 0.000014 66  a      z    TCP  48966 > 12389 [ACK] Seq=1 Ack=1
  8 0.000004 66  z      a    TCP  12389 > 48965 [ACK] Seq=1 Ack=2
  9 0.000084 60  z      a    TCP  12389 > 48965 [RST, ACK] Seq=1 Ack=2
10 0.000201 66  a      z    TCP  48966 > 12389 [FIN, ACK] Seq=1 Ack=1

i'm using the apache bundled with SuSE ... SuSE 9.3 in the httpd-2.0 
case, and OpenSuSE 10.1 in the httpd-2.2.0 case.  for grins, i compiled 
httpd-2.2.3 from scratch on my 10.1 box and tried it ... delivers the 
same symptoms as the httpd-2.2 bundled with OpenSuSE 10.1

suggestions for what i might try next to analyze what is going on?

--sk

stuart kendrick
fhcrc
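The 2.2 configuration in the post above loads the CA file through LDAPTrustedClientCert, turns LDAPVerifyServerCert off, and combines an ldaps:// URL with the STARTTLS keyword. As an added example that is not part of the original message, the block below shows how httpd 2.2's mod_ldap and mod_authnz_ldap directives are laid out to validate the directory server's certificate instead; it reuses the host, port, bind DN and file path from the post and assumes that /opt/local/ssl/fhcrc-ad.pem holds the issuing CA, as the 2.0 config's LDAPTrustedCA directive suggests.

```apache
# httpd 2.2 (mod_ldap + mod_authnz_ldap), server-wide section.
# Assumption: /opt/local/ssl/fhcrc-ad.pem is the CA that issued the
# directory server's certificate (the file the 2.0 config gave to LDAPTrustedCA).
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# In 2.2 a trusted CA is declared with LDAPTrustedGlobalCert and a CA_* type.
# LDAPTrustedClientCert is reserved for a client certificate/key pair that
# httpd presents to the directory, which this setup does not use.
LDAPTrustedGlobalCert CA_BASE64 /opt/local/ssl/fhcrc-ad.pem

# Keep verification on so a server whose certificate does not chain to the
# CA above is rejected instead of being trusted silently.
LDAPVerifyServerCert On

<Directory "/srv/www/htdocs/soma/">
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.1.
    # carried over from the 2.0 config: Basic credentials only over HTTPS
    SSLRequireSSL
    AuthName Soma
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPBindDN "foo@fhcrc.org"
    AuthLDAPBindPassword passwd-for-foo
    # ldaps:// means TLS from the first byte (mode SSL). The STARTTLS keyword
    # is the in-band upgrade used with ldap:// on port 389, so it is not
    # combined with an ldaps:// URL here.
    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) SSL
    Require valid-user
</Directory>
```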
