Re: [users@httpd] ldaps authentication

Ricardo Stella <stella@xxxxxxxxx> · Fri, 20 Jan 2006 12:25:40 -0500

The default for ldap over ssl is on port 636.  Is your ldap supporting
this or actually doing TLS on the standard port ?

Sturgis, Grant wrote:
>> From: Ricardo Stella [mailto:stella@xxxxxxxxx] 
>>     
>
>   
>> What do logs show ?
>>     
>
> The error_log shows this:
>
> [Fri Jan 20 10:08:47 2006] [warn] [client 10.10.233.101] [2056]
> auth_ldap authenticate: user jgood authentication failed; URI
> /servers/smtp0/smtp0.htm [LDAP: ldap_simple_bind_s() failed][Can't
> contact LDAP server], referer: http://mrtg/mail_servers.htm
>
>
>   
>> Also, do you know if you are establishing a connection ?
>>     
>
> Yes, it appears that apache is trying to set up an ldaps session, but
> failing.  Perhaps something analogous to the 'tls_checkpeer no' in
> ldap.conf?
>
>   
>> And, also, any permissions issue with the server reading the 
>> certificate ?
>>     
>
> The cert file is owned by apache with a mode of 400.  All of the parent
> directories are 755.
>
>   
>> Sturgis, Grant wrote:
>>     
>>> No luck on this thread.  Let me ask a different question:
>>>
>>> Is anyone using ldaps authentication - or ldap for that matter?  
>>>
>>> Anyone using ldaps to AD?
>>>
>>> Thanks,
>>>
>>> Grant
>>> --------------- 
>>>
>>>   
>>>       
>>>> -----Original Message-----
>>>> From: Sturgis, Grant 
>>>> Sent: Wednesday, January 18, 2006 2:12 PM
>>>> To: users@xxxxxxxxxxxxxxxx
>>>> Subject: [users@httpd] ldaps authentication
>>>>
>>>> Greetings List,
>>>>
>>>> I have seen this question posted several times, but have not seen a
>>>> resolution.  If it is in the archives, I apologize for not 
>>>>         
>> seeing it
>>     
>>>> there.
>>>>
>>>> I have ldap authentication working using mod_auth_ldap, 
>>>>         
>> but I want to
>>     
>>>> enable ldaps to avoid transmitting passwords in clear text.  
>>>> This is the
>>>> configuration so far:
>>>>
>>>> <Directory "/home/httpd/ldap_test">
>>>>    AuthType basic
>>>>    AuthName "ldap test"
>>>>    AuthLDAPUrl
>>>> ldap://dc1.domain.com/dc=domain,dc=com?sAMAccountName?sub?(obj
>>>> ectClass=u
>>>> ser)
>>>>    AuthLDAPBindDN cn=nobody,ou=Users-IT,dc=domain,dc=com
>>>>    AuthLDAPBindPassword password
>>>>    AuthLDAPGroupAttribute member
>>>>    require group cn=ldap_test_group,ou=Users-IT,dc=domain,dc=com
>>>> </Directory>
>>>>
>>>> however, to enable ldaps, I add these lines (outside the 
>>>> <Directory>, of
>>>> course):
>>>>
>>>> LDAPTrustedCA /etc/httpd/conf/cacerts/dc1.cer
>>>> LDAPTrustedCAType BASE64_FILE
>>>>
>>>> and then change ldap to ldaps in the AuthLDAPUrl line
>>>>
>>>> and it stops working.
>>>>
>>>> I have used this cert successfully in pam_ldap and ldapsearch.  
>>>>
>>>> Any suggestions for what I could be doing wrong?  
>>>>
>>>> The details:
>>>>
>>>> RHEL ES 4
>>>> httpd-2.0.52-22.ent
>>>>
>>>> Thanks for any suggestions,
>>>>
>>>> Grant
>>>> -----------------
>>>>
>>>>
>>>>
>>>>
>>>> Pardon this rubbish:
>>>>
>>>>
>>>>         
>
> This electronic message transmission is a PRIVATE communication which contains
> information which may be confidential or privileged. The information is intended 
> to be for the use of the individual or entity named above. If you are not the 
> intended recipient, please be aware that any disclosure, copying, distribution 
> or use of the contents of this information is prohibited. Please notify the
> sender  of the delivery error by replying to this message, or notify us by
> telephone (877-633-2436, ext. 0), and then delete it from your system.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
>   

-- 

°(((=((===°°°(((===========================================