httpd-users mailing list archives
From "Darren Spruell" <phatbuck...@gmail.com>
Subject [users@httpd] Re: Auth via LDAPS fails: Can't contact LDAP server
Date Mon, 22 Jan 2007 17:45:25 GMT
On 1/17/07, Darren Spruell <phatbuckett@gmail.com> wrote:
> When trying to authenticate clients via a remote LDAP directory (using
> mod_authz_ldap), we fail and the following is logged:
>
> [Wed Jan 17 14:57:14 2007] [warn] [client a.b.c.d] [32492] auth_ldap
> authenticate: user xxxxxxxx authentication failed; URI /ldap/
> [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> The authentication attempt succeeds when standard LDAP is attempted,
> but for security we require LDAPS. There are no connectivity issues
> between Apache and the remote LDAPS service as we can successfully
> test our operations using 'openssl s_client' and ldapsearch(1) without
> issue.

I think I've found the problem and it is related to a name mismatch
between the address we had configured to connect to the LDAP server
and the CN returned in the SSL certificate. I had to test using a
locally-configured DNS server to spoof the name, since the FQDN did
not exist in our DNS, but after changing the name it worked correctly.

On this note, what would it take to get some more debugging enabled in
mod_ldap around the certificate validation procedures? It would be
very useful if logs would indicate an error in the server certificate
validation as several variables can be out of place there; expired
certificate, untrusted issuer, or CN/hostname mismatch. The same error
that we were seeing misleads a lot of people (according to Google)
into diagnosing the issue as an inability to complete a TCP/IP socket
with the remote LDAP server, when the issue may actually be failure to
complete SSL handshake.

DS

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
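The diagnostic the post asks for, as an added example that is not part of the message above and not code from mod_ldap or the httpd project: a small probe that separates the TCP connect from the TLS handshake so that "Can't contact LDAP server" can be attributed to the right stage, and that names the certificate verification failure (hostname/CN mismatch, expired certificate, untrusted issuer) using the OpenSSL X509_V_ERR_* codes Python's ssl module exposes. The verification it performs (trusted chain plus URL host matched against the certificate CN/SAN) is the same check an LDAP client library applies by default, so a mismatch reported here is what a "hostname mismatch" looks like to httpd. The function names, the `cafile` argument and the host used in the usage line are this example's own assumptions; point `cafile` at the same CA bundle httpd trusts (for mod_ldap that is the LDAPTrustedGlobalCert setting) and use the exact host name from the LDAP URL.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes for the failure modes the post lists.
# Anything not in this table falls back to OpenSSL's own message.
VERIFY_REASONS = {
    9: "certificate not yet valid (check the clock on the httpd host)",
    10: "certificate has expired",
    18: "self-signed server certificate is not in the trust store (untrusted issuer)",
    19: "self-signed CA in the chain is not in the trust store (untrusted issuer)",
    20: "issuer certificate not found locally (untrusted issuer)",
    21: "unable to verify the leaf certificate signature (untrusted issuer)",
    62: "hostname mismatch: the URL host is not the certificate CN/SAN",
    64: "IP address mismatch: the URL host is not in the certificate SAN",
}


def classify_verify_code(code, fallback="certificate verification failed"):
    """Map an OpenSSL verify error code to a short, actionable reason."""
    return VERIFY_REASONS.get(code, fallback)


def explain_verify_error(exc):
    """Explain an ssl.SSLCertVerificationError raised during the handshake."""
    code = getattr(exc, "verify_code", None)
    message = getattr(exc, "verify_message", None) or str(exc)
    return classify_verify_code(code, fallback=message)


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect to an LDAPS endpoint in two explicit stages.

    Stage "tcp" is a genuine inability to reach the server; stage "tls" is a
    handshake or verification failure, which mod_ldap reports with the same
    generic text. Returns a dict with "stage" and "reason" (plus the
    certificate's CN and DNS SANs when everything succeeds).
    """
    # Stage 1: plain TCP connect. Only a failure here is really
    # "can't contact" the server.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "reason": "TCP connect failed: %s" % exc}

    # Stage 2: TLS with chain verification and hostname checking, matching
    # the default behaviour of the LDAP client library behind mod_ldap.
    ctx = ssl.create_default_context(cafile=cafile)  # assumption: cafile is httpd's CA bundle
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        raw.close()
        return {"stage": "tls", "reason": explain_verify_error(exc)}
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return {"stage": "tls", "reason": "TLS handshake failed: %s" % exc}

    # Report the names the server actually presented so a mismatch can be
    # fixed by changing the URL host, not by spoofing DNS.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {"stage": "ok", "reason": "handshake and certificate verification succeeded",
            "cn": subject.get("commonName"), "san": sans}


if __name__ == "__main__":
    # Usage: python ldaps_probe.py ldap.example.org 636 /etc/ssl/certs/ca.pem
    # (host, port and CA path here are placeholders, not values from the post)
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca_bundle = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_ldaps(target, tcp_port, cafile=ca_bundle))
```

Run it against the host exactly as written in the LDAP URL: a "tls" result with the hostname mismatch reason is the case the post describes, and the "cn"/"san" values from a successful run against the certificate's real name tell you what the URL host should be. Testing with `openssl s_client` alone can miss this, because `s_client` does not fail the connection on a name mismatch unless hostname verification is requested.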

