Re: [users@httpd] ldaps authentication

Ricardo Stella <stella@xxxxxxxxx> · Fri, 20 Jan 2006 11:55:43 -0500

What do logs show ?

Also, do you know if you are establishing a connection ?

And, also, any permissions issue with the server reading the certificate ?

Sturgis, Grant wrote:
> No luck on this thread.  Let me ask a different question:
>
> Is anyone using ldaps authentication - or ldap for that matter?  
>
> Anyone using ldaps to AD?
>
> Thanks,
>
> Grant
> --------------- 
>
>   
>> -----Original Message-----
>> From: Sturgis, Grant 
>> Sent: Wednesday, January 18, 2006 2:12 PM
>> To: users@xxxxxxxxxxxxxxxx
>> Subject: [users@httpd] ldaps authentication
>>
>> Greetings List,
>>
>> I have seen this question posted several times, but have not seen a
>> resolution.  If it is in the archives, I apologize for not seeing it
>> there.
>>
>> I have ldap authentication working using mod_auth_ldap, but I want to
>> enable ldaps to avoid transmitting passwords in clear text.  
>> This is the
>> configuration so far:
>>
>> <Directory "/home/httpd/ldap_test">
>>    AuthType basic
>>    AuthName "ldap test"
>>    AuthLDAPUrl
>> ldap://dc1.domain.com/dc=domain,dc=com?sAMAccountName?sub?(obj
>> ectClass=u
>> ser)
>>    AuthLDAPBindDN cn=nobody,ou=Users-IT,dc=domain,dc=com
>>    AuthLDAPBindPassword password
>>    AuthLDAPGroupAttribute member
>>    require group cn=ldap_test_group,ou=Users-IT,dc=domain,dc=com
>> </Directory>
>>
>> however, to enable ldaps, I add these lines (outside the 
>> <Directory>, of
>> course):
>>
>> LDAPTrustedCA /etc/httpd/conf/cacerts/dc1.cer
>> LDAPTrustedCAType BASE64_FILE
>>
>> and then change ldap to ldaps in the AuthLDAPUrl line
>>
>> and it stops working.
>>
>> I have used this cert successfully in pam_ldap and ldapsearch.  
>>
>> Any suggestions for what I could be doing wrong?  
>>
>> The details:
>>
>> RHEL ES 4
>> httpd-2.0.52-22.ent
>>
>> Thanks for any suggestions,
>>
>> Grant
>> -----------------
>>
>>
>>
>>
>> Pardon this rubbish:
>>
>>
>> This electronic message transmission is a PRIVATE 
>> communication which contains
>> information which may be confidential or privileged. The 
>> information is intended 
>> to be for the use of the individual or entity named above. If 
>> you are not the 
>> intended recipient, please be aware that any disclosure, 
>> copying, distribution 
>> or use of the contents of this information is prohibited. 
>> Please notify the
>> sender  of the delivery error by replying to this message, or 
>> notify us by
>> telephone (877-633-2436, ext. 0), and then delete it from your system.
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP 
>> Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>>
>>
>>     
>
> This electronic message transmission is a PRIVATE communication which contains
> information which may be confidential or privileged. The information is intended 
> to be for the use of the individual or entity named above. If you are not the 
> intended recipient, please be aware that any disclosure, copying, distribution 
> or use of the contents of this information is prohibited. Please notify the
> sender  of the delivery error by replying to this message, or notify us by
> telephone (877-633-2436, ext. 0), and then delete it from your system.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
>   

-- 

°(((=((===°°°(((===========================================