httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Darren Spruell" <phatbuck...@gmail.com>
Subject [users@httpd] Auth via LDAPS fails: Can't contact LDAP server
Date Thu, 18 Jan 2007 01:12:02 GMT
When trying to authenticate clients via a remote LDAP directory (using
mod_authz_ldap), we fail and the following is logged:

[Wed Jan 17 14:57:14 2007] [warn] [client a.b.c.d] [32492] auth_ldap
authenticate: user xxxxxxxx authentication failed; URI /ldap/
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

The authentication attempt succeeds when standard LDAP is attempted,
but for security we require LDAPS. There are no connectivity issues
between Apache and the remote LDAPS service as we can successfully
test our operations using 'openssl s_client' and ldapsearch(1) without
issue.

I've seen this error quite a bit on the web and looked into some
suggested solutions but still no love. It strongly appears to be
related to the certificate we are using in LDAPTrustedGlobalCert,
which was retrieved from the LDAP server using an SSL connection to
dump it out. The certificate is self signed, so I don't know if the
SSL connection won't initialize properly because of a hostname/CN
mismatch or what exactly. The date on the certificate is valid.

We're using: Apache/2.2.3 on Fedora Core 6. All components are
installed via binary RPMs.

Apache LDAP config details:

LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/directory.pem
<Location /ldap>
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://192.168.1.100:636/ou=internal,o=mydir?uid SSL
    AuthLDAPBindDN cn=admin,ou=applicationusers,o=mydir
    AuthLDAPBindPassword xxxxxxxx
    AuthzLDAPAuthoritative Off
    AuthGroupFile /etc/httpd/auth/htgroups
    require group LDAP
</Location>


Startup notices:

[Wed Jan 17 16:01:39 2007] [notice] SELinux policy enabled; httpd
running as context user_u:system_r:httpd_t:s0
[Wed Jan 17 16:01:39 2007] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[Wed Jan 17 16:01:39 2007] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Jan 17 16:01:39 2007] [info] Init: Generating temporary RSA
private keys (512/1024 bits)
[Wed Jan 17 16:01:40 2007] [info] Init: Generating temporary DH
parameters (512/1024 bits)
[Wed Jan 17 16:01:40 2007] [info] Init: Initializing (virtual) servers for SSL
[Wed Jan 17 16:01:40 2007] [info] Server: Apache/2.2.3, Interface:
mod_ssl/2.2.3, Library: OpenSSL/0.9.8b
[Wed Jan 17 16:01:40 2007] [notice] Digest: generating secret for
digest authentication ...
[Wed Jan 17 16:01:40 2007] [notice] Digest: done
[Wed Jan 17 16:01:40 2007] [debug] util_ldap.c(1929): LDAP merging
Shared Cache conf: shm=0x8c59368 rmm=0x8c59398 for VHOST:
mysite.mydomain.tld
[Wed Jan 17 16:01:40 2007] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Jan 17 16:01:40 2007] [info] LDAP: SSL support available
[Wed Jan 17 16:01:40 2007] [info] Init: Seeding PRNG with 256 bytes of entropy
[Wed Jan 17 16:01:40 2007] [info] Init: Generating temporary RSA
private keys (512/1024 bits)
[Wed Jan 17 16:01:40 2007] [info] Init: Generating temporary DH
parameters (512/1024 bits)
[Wed Jan 17 16:01:40 2007] [info] Shared memory session cache initialised
[Wed Jan 17 16:01:40 2007] [info] Init: Initializing (virtual) servers for SSL
[Wed Jan 17 16:01:40 2007] [info] Server: Apache/2.2.3, Interface:
mod_ssl/2.2.3, Library: OpenSSL/0.9.8b
[Wed Jan 17 16:01:40 2007] [notice] Apache/2.2.3 (Fedora) configured
-- resuming normal operations
[Wed Jan 17 16:01:40 2007] [info] Server built: Sep 11 2006 09:43:05

-- 
Darren Spruell
phatbuckett@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message