httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Bailleul <Emmanuel.Baill...@telindus.fr>
Subject RE: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD
Date Mon, 02 Nov 2009 10:38:09 GMT
> -----Message d'origine-----
> De : Sandro Tosi [mailto:sandro.tosi@register.it]
> Envoyé : lundi 2 novembre 2009 11:17
> À : users@httpd.apache.org
> Objet : [users@httpd] LDAP: ldap_set_option failed. Could not set
> LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD
> 
> Hello,
> we are enabling LDAP auth on our apache stack. Starting from
> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
> 
> The configure line we used for apache is:
> 
> $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man
> --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all
> --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap
> 
> and the one for php is:
> 
> ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man
> --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs
> --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash
> --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib
> --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt
> --enable-shared=max --enable-mbstring --enable-inline-optimization
> --enable-magic-quotes --enable-sigchild --enable-soap
> --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib
> --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
> 
> Build and install went fine.
> 
> We also installed openldap-client-2.3.27 and set "TLS_REQCERT never"
> into /etc/openldap/ldap.conf .
> 
> And now starts the problem :( We configured httpd.conf to contain
> 
>   LoadModule ldap_module modules/mod_ldap.so
>   LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
>   ...
>   LDAPVerifyServerCert Off
> 
> Then we set a dir with .htaccess similar to this:
> 
>   AuthType Basic
>   AuthName "<name>"
>   AuthBasicProvider ldap
>   AuthzLDAPAuthoritative Off
>   AuthLDAPBindDN uid=<uid>,ou=<ou>,ou=<ou>,dc=<dc>,dc=<dc>
>   AuthLDAPBindPassword <pwd>
>   AuthLDAPURL ldaps://<address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
>   require valid-user
> 
> If I then try to access a page under that .htaccess, then I'm prompted
> for username and password, but then I'm redirected to a 500 page and in
> error.log I can read
> 
> [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap
> authenticate: user stosi authentication failed; URI /index.html [LDAP:
> ldap_set_option failed. Could not set LDAP_OPT_X_TLS to
> LDAP_OPT_X_TLS_HARD][Operations error]
> 
> We are stuck in this situation since days :( we searched the internet
> for the above error message, but except for a couple of posts on
> issues.apache.org (that don't help) there is nothing else but complains
> about how obscure that error is.
> 
> I think there's something related to SSL and how recent apache (it
> seems
> from 2.2.12?) handle it: in fact, we had to move SSLCertificateFile
> into
> httpd.conf and set explicitly "SSLEngine On" where needed (while before
> it was a bit implicitly).
> 
> I appreciate any help, cause we are out of any idea on how to move on.
> 
> Regards,
> Sandro
> 

Hi,

Did you try your LDAPS connection with ldapsearch first ? (sth like ldapsearch -H <ldaps
url> -x ...). 
An important thing : when calling your ldap server, do use the resolved name rather than the
IP. You can even add it in your hosts file if needed.
Two other things :
- what king of ldap server are u using ?
- when building, are you sure you did not have several ssl toolkits/versions installed ? Can
you confirm httpd has been built with the correct one (I just remember having made this mistake
once and having to build with an option like "--with-ssl=<path-to-the-right-openssl-dir")
?

Regards.

Emmanuel



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message