httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Irwin Tillman <ir...@princeton.edu>
Subject Re: [users@httpd] Apache httpd 2.2.8 not reading LDAPTrustedGlobalCert files
Date Thu, 01 May 2008 18:06:16 GMT
I wrote:

>>  But the truss shows that at no time (at startup or later when talking to an LDAP
server)
>>  does the parent or any child httpd try to open() the file /var/local/etc/certs/foo.
>>  So (not surprisingly), attempts by httpd to verify certificates issued by
>>  the CA whose cert is in 'foo' fail.


"Eric Covener" <covener@gmail.com> wrote:

>Can you try truss -u ::ldap_set_option and see if we're passing the
>cert info off to openldap?  openldap would be the one actually on the
>hook for doing the checking.
>
>Coercing some trace out of openldap might yeild a clue too


Further trusses showed that httpd *does* open64(), read(), and close() one of the 
CA cert files specified in my httpd.conf (actually, the same process did so twice,
which seemed odd).  But it only did so for the last of the CA cert files
mentioned in httpd.conf:

When I reduced my httpd.conf to just a single LDAPTrustedGlobalCert statement, it works fine.
 

When I have two or more LDAPTrustedGlobalCert
statements (to bring other CA certs), it only works if the CA I need is the last one
mentioned in httpd.conf.

Whatever's the cause, I've worked around it for now by specifying just a single
LDAPTrustedGlobalCert statement; currently all my LDAP servers have certificates
signed by the same CA.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message