[users@httpd] Apache 2.2.0 and TLS with LDAP

[mark clarkson <mcc21371@xxxxxxxxx>]

I am trying to use TLS with LDAP and Apache 2.2.0.  My configuration is as
follows:

  Solaris 9
  OpenSSL v 0.9.8a
  Berkley DB 4.2
  OpenLDAP v 2.2.19
  Apache 2.2.0

My LDAP implementation works great with TLS:

  ldapsearch -ZZ -x -D "cn=someid,dc=example,dc=com" -W '(&(objectclass=posixaccount)(uid=testuser))'

 Enter LDAP Password:
 # extended LDIF
 #
 # LDAPv3
 # base <> with scope sub
 # filter: (&(objectclass=posixaccount)(uid=testuser))
 # requesting: ALL
 #

 # testuser, People, example.com
 dn: uid=testuser,ou=People,dc=example,dc=com
 uid: testuser
 cn: System Administrator
 objectClass: account
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 shadowLastChange: 12440
 loginShell: /bin/ksh
 uidNumber: 2004
 gidNumber: 10
 homeDirectory: /home/testuser
 gecos: System Administrator
 userPassword:: <removed>
 # search result
 search: 3
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

If I use regular LDAP, I can authenticate just fine.

The problem I am having is when I enable the use of TLS with the parameter:

 LDAPTrustedMode TLS

in my httpd.conf file and attempt to log in to a web site, I get the following in the apache error_log file:

 [Wed Jan 04 16:34:20 2006] [warn] [client <IP Address>] [17151] auth_ldap authenticate: user testuser authentication failed; URI /repos/test [LDAP:ldap_start_tls_s() failed][Not Supported]

What do I need to do in order to get TLS supported in Apache?

Here is my config.nice file for Apache:

 #! /bin/sh
 #
 # Created by configure

  CPPFLAGS="-I/usr/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include"
  export CPPFLAGS
  LDFLAGS="-L/usr/lib -L/usr/local/ssl/lib -L/usr/local/BerkeleyDB.4.2/lib -R/usr/local/BerkeleyDB.4.2/lib"
  export LDFLAGS
 "./configure" \
 "--prefix=/usr/local/apache2" \
 "--enable-mods-shared=all" \
 "--enable-modules=all" \
 "--enable-so" \
 "--enable-ssl=shared" \
 "--enable-ssl" \
 "--enable-proxy" \
 "--enable-proxy-connect" \
 "--enable-proxy-http" \
 "--enable-dav" \
 "--enable-authnz-ldap" \
 "--enable-ldap" \
 "--enable-authn-alias" \
 "--enable-cache" \
 "--enable-disk-cache" \
 "--enable-mem-cache" \
 "--enable-mime-magic" \
 "--enable-dav-fs" \
 "--enable-dav-lock" \
 "--enable-speling" \
 "--enable-rewrite" \
 "--with-ssl=/usr/local/ssl" \
 "--with-ldap=ldap" \
 "--with-ldap-include=/usr/local/include" \
 "--with-ldap-lib=/usr/local/lib" \
 "--with-berkeley-db=/usr/local/BerkeleyDB.4.2" \
 "$@"

Here is the startup messages from the error_log too:

 [Thu Jan 05 12:16:18 2006] [info] mod_unique_id: using ip addr <removed>
 [Thu Jan 05 12:16:19 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
 [Thu Jan 05 12:16:19 2006] [info] Loading certificate & private key of SSL-aware server
 [Thu Jan 05 12:16:19 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
 [Thu Jan 05 12:16:19 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
 [Thu Jan 05 12:16:19 2006] [info] Init: Initializing (virtual) servers for SSL
 [Thu Jan 05 12:16:19 2006] [info] Configuring server for SSL protocol
 [Thu Jan 05 12:16:19 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
 [Thu Jan 05 12:16:19 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
 [Thu Jan 05 12:16:19 2006] [info] mod_unique_id: using ip addr <removed>
 [Thu Jan 05 12:16:20 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
 [Thu Jan 05 12:16:20 2006] [info] Loading certificate & private key of SSL-aware server
 [Thu Jan 05 12:16:20 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
 [Thu Jan 05 12:16:20 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
 [Thu Jan 05 12:16:20 2006] [info] Shared memory session cache initialised
 [Thu Jan 05 12:16:20 2006] [info] Init: Initializing (virtual) servers for SSL
 [Thu Jan 05 12:16:20 2006] [info] Configuring server for SSL protocol
 [Thu Jan 05 12:16:20 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
 [Thu Jan 05 12:16:20 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
 [Thu Jan 05 12:16:20 2006] [notice] Digest: generating secret for digest authentication ...
 [Thu Jan 05 12:16:20 2006] [notice] Digest: done
 [Thu Jan 05 12:16:20 2006] [info] APR LDAP: Built with OpenLDAP LDAP SDK
 [Thu Jan 05 12:16:20 2006] [info] LDAP: SSL support available
 [Thu Jan 05 12:16:20 2006] [notice] Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8a DAV/2 PHP/5.1.1 SVN/1.2.3 configured --   resuming normal operations
 [Thu Jan 05 12:16:20 2006] [info] Server built: Dec  9 2005 14:02:01

And here is my slightly modified (private information changed) <Location>
block in my httpd.conf file:


 LDAPTrustedGlobalCert CERT_BASE64 /usr/local/etc/openldap/cacert.pem
 LDAPTrustedMode SSL

 <Location /repos>
   DAV svn
   SVNParentPath /opt/repos
   AuthType Basic
   AuthBasicProvider ldap
   AuthName "Subversion repository"

   AuthzLDAPAuthoritative on
   AuthLDAPURL ldap://ldapserver.example.com/dc=fffc,dc=com?uid?sub?(objectClass=posixAccou nt)
   AuthLDAPBindDN "cn=someid,dc=example,dc=com"
   AuthLDAPBindPassword "password"
   Require valid-user

   AuthzSVNAccessFile /usr/local/etc/subversion/access
 </Location>


Can someone please shed some light I what I need to do in order to get TLS
to be "supported"

Thank you in advance!

Mark.