httpd-users mailing list archives

From Ricardo Stella <ste...@rider.edu>
Subject Re: [users@httpd] ldap to ldaps under httpd-2.2
Date Thu, 28 Sep 2006 14:25:34 GMT

Looks good... I'm not sure - you might want to debug it by running the
ldapsearch client from the command line.  My guess is there's something
going on with stunnel not accepting the connections.  Is it logging
anything?

Stuart Kendrick wrote:
> hi ricardo,
>
> ok, what you're pointing out is that i've been fuzzing whether or not
> i want to negotiate SSL after establishing a connection or if i just
> want to walk in assuming SSL
>
> my LDAP server is an Active Directory box with stunnel running on port
> 12389 (and redirecting what it receives to port 389).  and my
> httpd-2.0 configuration just contains 'ldaps', no mention of STARTTLS,
> and it works fine.  so i'm going to claim that my LDAP server is
> listening to SSL on port 12389
>
> [when i use STARTTLS or set LDAPTrustedMode to TLS, i see
> "ldap_start_tls_s() failed][Not Supported]" in syslog ... and
> *nothing* in the packet trace, i.e. apache doesn't send a single
> packet to the LDAP server.  i find this odd, because i'd like to think
> that httpd is linked to OpenLDAP, which does, as far as i can tell,
> support STARTTLS ... but hey, i don't need STARTTLS, my LDAP server is
> speaking SSL only on this port, so i don't need this functionality]
>
> so, for simplicity, i dump the LDAPTrustedMode stmt:
>
> [...]
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
> LDAPTrustedClientCert CERT_BASE64 /opt/vdops/ssl/fhcrc-ad.pem
> LDAPVerifyServerCert Off
> [...]
>
> and rely on the 'ldaps' URL:
>
> <Directory "/srv/www/htdocs/soma/">
>    AllowOverride None
>    Order deny,allow
>    Deny from all
>    Allow from 10.1.
>    AuthName Soma
>    AuthType Basic
>    AuthBasicProvider ldap
>    AuthzLDAPAuthoritative Off
>    AuthLDAPBindDN "foozle@fhcrc.org"
>    AuthLDAPBindPassword passwd-for-foozle
>    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
>    Require valid-user
> </Directory>
>
> but ... i see the same thing in syslog:
> ...ldap_simple_bind_s() failed][Can't contact LDAP server]...
>
> and i see the same thing in the packet trace, i.e. SYN, SYN, ACK, RST
> ... repeated a handful of times
>
> thank you for helping me clarify what i'm doing
>
> can you see any other confusions i might be retaining?
>
> --sk
>
>
> Stuart Kendrick wrote:
> > > hi,
> > >
> > > i'm trying to upgrade my ldap authentication to ldaps
> >
>
> > Well, which one is it?  TLS or SSL?  That's the problem...  LDAP in
> > SSL mode works on a different port.  TLS connections work on the same
> > unsecure port, except that the talk is encrypted.
>
> > So, if you enabled SSL on port 12389, then:
>
> > LDAPTrustedMode SSL # If you run SSL, this is optional as you'll
> > enable this with the 'ldaps' url
> > ...
> > AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
>
>
> > Or, if you are doing TLS, then:
>
> > LDAPTrustedMode TLS # If you run TLS, you can set this or add STARTTLS
> > at the end of the ldap url
> > ...
> > AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
>
>
> > Hope this helps...
>
> > My .02...
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

-- 

°(((=((===°°°(((===========================================
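The distinction the thread turns on is a wire-level one: an ldaps:// URL expects the listener to speak TLS from the first byte, while ldap:// with LDAPTrustedMode TLS connects in cleartext and then sends the STARTTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511). A probe that tries both tells you which kind of listener is on a port before you touch httpd.conf. The script below is an added example for this archive page; it is not httpd code and not the posters' code. The host and port are arguments you supply, the LDAP messages are hand-built from the BER rules in RFC 4511, and the sample server reply embedded in the block is constructed, not captured from anyone's server.

```python
"""Tell an LDAPS listener (TLS from the first byte, what ldaps:// expects)
apart from a plain LDAP listener that may offer STARTTLS (what ldap:// plus
LDAPTrustedMode TLS expects).

Added example, not httpd or poster code. Messages are built from RFC 4511
BER rules; SAMPLE_OK below is constructed, not a captured reply.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 STARTTLS extended op


def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(buf, pos):
    """Read one BER tag/length/value triple; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = STARTTLS } }.
    msg_id must be below 128 (single-byte INTEGER) for this simple encoder."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] LDAPOID
    ext = b"\x77" + ber_len(len(name)) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                   # SEQUENCE


def parse_starttls_response(data):
    """resultCode of an ExtendedResponse, or None if data is not LDAP-shaped."""
    try:
        tag, msg, _ = _tlv(data, 0)
        if tag != 0x30:
            return None
        tag, _mid, p = _tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, op, _ = _tlv(msg, p)
        if tag != 0x78:                     # [APPLICATION 24] ExtendedResponse
            return None
        tag, code, _ = _tlv(op, 0)
        if tag != 0x0A:                     # ENUMERATED resultCode
            return None
        return int.from_bytes(code, "big")
    except IndexError:
        return None


def classify(tls_handshake_ok, starttls_code):
    """Map probe results onto the httpd configuration that would fit."""
    if tls_handshake_ok:
        return "ldaps: use an ldaps:// URL (LDAPTrustedMode SSL is implied)"
    if starttls_code == 0:
        return "starttls: use an ldap:// URL with LDAPTrustedMode TLS"
    if starttls_code is None:
        return "no-ldap: nothing LDAP-shaped answered; check port, firewall, stunnel"
    return "plain-only: STARTTLS refused with resultCode %d" % starttls_code


def probe(host, port, timeout=5.0):
    """Network probe (not run offline): TLS handshake first, then a cleartext
    STARTTLS request. Verification is off on purpose: this only asks whether
    the port speaks TLS at all and does not authenticate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout)
    except OSError as exc:
        return "no-ldap: connect failed (%s)" % exc
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return classify(True, None)
    except OSError:                         # includes ssl.SSLError, resets, timeouts
        pass                                # port answered, but not in TLS
    finally:
        raw.close()
    with socket.create_connection((host, port), timeout) as raw:
        raw.sendall(starttls_request())
        reply = raw.recv(4096)
    return classify(False, parse_starttls_response(reply))


# Constructed ExtendedResponse: resultCode success(0), empty matchedDN and
# diagnosticMessage. Not captured from a real directory server.
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python probe.py dc.fhcrc.org 12389`; "ldaps" means the ldaps:// URL is the right shape and the failure lies with the TCP path or stunnel, which is what the RST in the packet trace points at anyway. Two caveats on the quoted configuration, outside the probe itself: LDAPVerifyServerCert Off makes httpd accept any certificate the listener presents, so once the port question is settled the issuing CA should be supplied with LDAPTrustedGlobalCert CA_BASE64 and verification turned back on; and LDAPTrustedClientCert configures a client certificate httpd presents to the directory, not the CA it trusts, so it does not substitute for that. For the ldapsearch check Ricardo suggests, `ldapsearch -x -H ldaps://dc.fhcrc.org:12389 -d 1` shows the TLS negotiation step by step.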

