Apache connects to ldap.google.com, however it does not appear to successfully negotiate a TLS connection. As a workaround, we have set up stunnel4 to handle the TLS session and configured Apache to use stunnel. Apache is able to successfully authenticate using plain LDAP through the TLS tunnel. We have also successfully connected to the LDAP endpoint using ldapsearch.
This is the relevant part of our apache config:
<Location />
…
AuthLDAPURL "ldaps://ldap.google.com:636/ou=Users,dc=yes,dc=com?uid?sub?(objectClass=*)"
LDAPTrustedClientCert CERT_BASE64 "/etc/apache2/ssl/Google_xxxx.crt"
LDAPTrustedClientCert KEY_BASE64 "/etc/apache2/ssl/Google_xxxx.key"
AuthLDAPBindDN 'someuser'
AuthLDAPBindPassword 'apassword’
…
LDAPTrustedClientCert CERT_BASE64 "/etc/apache2/ssl/Google_xxxx.crt"
LDAPTrustedClientCert KEY_BASE64 "/etc/apache2/ssl/Google_xxxx.key"
AuthLDAPBindDN 'someuser'
AuthLDAPBindPassword 'apassword’
…
</Location>
From examining packet captures of the TLS sessions for both stunnel and Apache, the connection from Apache to the LDAP server does not seem to have support for SNI. According to the Google documentation, SNI support is mandatory in order to use the LDAP service.[1]. Attached are screenshots showing the TLS packet captures for stunnel and Apache.
Can anyone tell me whether SNI support is available in mod_ldap and if so how do I activate it?
From examining packet captures of the TLS sessions for both stunnel and Apache, the connection from Apache to the LDAP server does not seem to have support for SNI. According to the Google documentation, SNI support is mandatory in order to use the LDAP service.[1]. Attached are screenshots showing the TLS packet captures for stunnel and Apache.
Can anyone tell me whether SNI support is available in mod_ldap and if so how do I activate it?
Regards,
