httpd-users mailing list archives

From Sandro Tosi <sandro.t...@register.it>
Subject Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD
Date Fri, 13 Nov 2009 15:49:10 GMT
Just to follow this up for people that might have the same problem: it 
turns out it was because

- php was *not* compiled with ldap options
- php was loaded *before* mod_ldap and mod_authnz_ldap

A simple solution was to import mod_{authnz,}_ldap before php. The right 
solution though is to add

  --with-ldap-sasl --with-ldap

configure options to php. After that, in whatever order the above modules are 
imported, apache and LDAP can communicate and authenticate users.

Thanks,
Sandro
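An added check for the two settings this thread turned on, not part of the original mail: a small POSIX sh lint that reads an httpd.conf and reports whether php is loaded before mod_ldap/mod_authnz_ldap (the load-order problem above) and whether LDAPVerifyServerCert is Off. The second matters because with verification off (and TLS_REQCERT never on the client side) the ldaps:// peer is never authenticated, so the AuthLDAPBindPassword in .htaccess is handed to whatever answers on that address. The module name php5_module and the sample config are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Lints an httpd.conf for:
#  1. php loaded before ldap_module / authnz_ldap_module (load-order bug)
#  2. LDAPVerifyServerCert Off (ldaps:// server certificate never checked)
# php5_module is an assumed module name; the config below is constructed.

# Line number of the first "LoadModule <name> ..." for a module, or 0.
load_line() {
    n=$(awk -v m="$2" '$1 == "LoadModule" && $2 == m { print NR; exit }' "$1")
    echo "${n:-0}"
}

# Prints "ok", "php-before-ldap" or "missing" for the config file in $1.
check_module_order() {
    php=$(load_line "$1" php5_module)
    ldap=$(load_line "$1" ldap_module)
    authnz=$(load_line "$1" authnz_ldap_module)
    if [ "$php" -eq 0 ] || [ "$ldap" -eq 0 ]; then echo "missing"; return; fi
    if [ "$php" -lt "$ldap" ] || [ "$php" -lt "$authnz" ]; then
        echo "php-before-ldap"
    else
        echo "ok"
    fi
}

# Prints "off" if LDAPVerifyServerCert is explicitly Off (case-insensitive), else "on".
check_cert_verify() {
    if awk 'tolower($1) == "ldapverifyservercert" && tolower($2) == "off" { f = 1 }
            END { if (f) exit 0; exit 1 }' "$1"; then
        echo "off"
    else
        echo "on"
    fi
}

# Constructed sample mirroring the broken setup in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule php5_module modules/libphp5.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPVerifyServerCert Off
EOF
}

# Demo run on the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
echo "module order: $(check_module_order "$conf"); cert verification: $(check_cert_verify "$conf")"
rm -f "$conf"
```

Pointing the two check functions at a real httpd.conf (plus any Included files) turns this into a quick pre-restart sanity check.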

Sandro Tosi wrote:
> Hello,
> we are enabling LDAP auth on our apache stack. Starting from 
> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11.
>
> The configure line we used for apache is:
>
> $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man 
> --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all 
> --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap
>
> and the one for php is:
>
> ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man 
> --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs 
> --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash 
> --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib 
> --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt 
> --enable-shared=max --enable-mbstring --enable-inline-optimization 
> --enable-magic-quotes --enable-sigchild --enable-soap 
> --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib 
> --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
>
> Build and install went fine.
>
> We also installed openldap-client-2.3.27 and set "TLS_REQCERT never" 
> into /etc/openldap/ldap.conf.
>
> And now starts the problem :( We configured httpd.conf to contain
>
>   LoadModule ldap_module modules/mod_ldap.so
>   LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
>   ...
>   LDAPVerifyServerCert Off
>
> Then we set a dir with .htaccess similar to this:
>
>   AuthType Basic
>   AuthName "<name>"
>   AuthBasicProvider ldap
>   AuthzLDAPAuthoritative Off
>   AuthLDAPBindDN uid=<uid>,ou=<ou>,ou=<ou>,dc=<dc>,dc=<dc>
>   AuthLDAPBindPassword <pwd>
>   AuthLDAPURL ldaps://<address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
>   require valid-user
>
> If I then try to access a page under that .htaccess, then I'm prompted 
> for username and password, but then I'm redirected to a 500 page and in 
> error.log I can read
>
> [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap 
> authenticate: user stosi authentication failed; URI /index.html [LDAP: 
> ldap_set_option failed. Could not set LDAP_OPT_X_TLS to 
> LDAP_OPT_X_TLS_HARD][Operations error]
>
> We have been stuck in this situation for days :( we searched the internet 
> for the above error message, but except for a couple of posts on 
> issues.apache.org (that don't help) there is nothing else but complaints 
> about how obscure that error is.
>
> I think there's something related to SSL and how recent apache (it seems 
> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into 
> httpd.conf and set explicitly "SSLEngine On" where needed (while before 
> it was a bit implicit).
>
> I appreciate any help, because we are out of ideas on how to move on.
>
> Regards,
> Sandro
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org