The default for ldap over ssl is on port 636. Is your ldap supporting this or actually doing TLS on the standard port?

Sturgis, Grant wrote:
>> From: Ricardo Stella [mailto:stella@xxxxxxxxx]
>>
>> What do logs show?
>
> The error_log shows this:
>
> [Fri Jan 20 10:08:47 2006] [warn] [client 10.10.233.101] [2056]
> auth_ldap authenticate: user jgood authentication failed; URI
> /servers/smtp0/smtp0.htm [LDAP: ldap_simple_bind_s() failed][Can't
> contact LDAP server], referer: http://mrtg/mail_servers.htm
>
>> Also, do you know if you are establishing a connection?
>
> Yes, it appears that apache is trying to set up an ldaps session, but
> failing. Perhaps something analogous to the 'tls_checkpeer no' in
> ldap.conf?
>
>> And, also, any permissions issue with the server reading the
>> certificate?
>
> The cert file is owned by apache with a mode of 400. All of the parent
> directories are 755.
>
>> Sturgis, Grant wrote:
>>
>>> No luck on this thread. Let me ask a different question:
>>>
>>> Is anyone using ldaps authentication - or ldap for that matter?
>>>
>>> Anyone using ldaps to AD?
>>>
>>> Thanks,
>>>
>>> Grant
>>> ---------------
>>>
>>>> -----Original Message-----
>>>> From: Sturgis, Grant
>>>> Sent: Wednesday, January 18, 2006 2:12 PM
>>>> To: users@xxxxxxxxxxxxxxxx
>>>> Subject: [users@httpd] ldaps authentication
>>>>
>>>> Greetings List,
>>>>
>>>> I have seen this question posted several times, but have not seen a
>>>> resolution. If it is in the archives, I apologize for not seeing it
>>>> there.
>>>>
>>>> I have ldap authentication working using mod_auth_ldap, but I want to
>>>> enable ldaps to avoid transmitting passwords in clear text. This is the
>>>> configuration so far:
>>>>
>>>> <Directory "/home/httpd/ldap_test">
>>>>     AuthType basic
>>>>     AuthName "ldap test"
>>>>     AuthLDAPUrl ldap://dc1.domain.com/dc=domain,dc=com?sAMAccountName?sub?(objectClass=user)
>>>>     AuthLDAPBindDN cn=nobody,ou=Users-IT,dc=domain,dc=com
>>>>     AuthLDAPBindPassword password
>>>>     AuthLDAPGroupAttribute member
>>>>     require group cn=ldap_test_group,ou=Users-IT,dc=domain,dc=com
>>>> </Directory>
>>>>
>>>> however, to enable ldaps, I add these lines (outside the
>>>> <Directory>, of course):
>>>>
>>>> LDAPTrustedCA /etc/httpd/conf/cacerts/dc1.cer
>>>> LDAPTrustedCAType BASE64_FILE
>>>>
>>>> and then change ldap to ldaps in the AuthLDAPUrl line
>>>>
>>>> and it stops working.
>>>>
>>>> I have used this cert successfully in pam_ldap and ldapsearch.
>>>>
>>>> Any suggestions for what I could be doing wrong?
>>>>
>>>> The details:
>>>>
>>>> RHEL ES 4
>>>> httpd-2.0.52-22.ent
>>>>
>>>> Thanks for any suggestions,
>>>>
>>>> Grant
>>>> -----------------
>>>>
>>>> Pardon this rubbish:
>
> This electronic message transmission is a PRIVATE communication which contains
> information which may be confidential or privileged. The information is intended
> to be for the use of the individual or entity named above. If you are not the
> intended recipient, please be aware that any disclosure, copying, distribution
> or use of the contents of this information is prohibited. Please notify the
> sender of the delivery error by replying to this message, or notify us by
> telephone (877-633-2436, ext. 0), and then delete it from your system.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
Ricardo Stella
Rider University
2083 Lawrenceville Rd, Lawrenceville, NJ 08648
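Added example, not part of the thread and not Apache code: a small Python preflight for the two questions raised above, which port the AuthLDAPUrl scheme implies and whether the CA file's encoding matches LDAPTrustedCAType, plus a verified TLS handshake that separates "nothing listening" from "certificate rejected". The function names are hypothetical, and `probe_ldaps` assumes the CA file is PEM and that the host name in the URL matches the server certificate.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def ldap_endpoint(auth_ldap_url):
    """Return (scheme, host, port) for an AuthLDAPUrl value."""
    parts = urlsplit(auth_ldap_url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % auth_ldap_url)
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def ca_file_type(data):
    """Name the LDAPTrustedCAType value that matches the file's encoding."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "BASE64_FILE"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER
        return "DER_FILE"
    return None

def preflight(auth_ldap_url, declared_ca_type, ca_bytes):
    """Offline checks on the directives; returns a list of findings."""
    scheme, _host, port = ldap_endpoint(auth_ldap_url)
    findings = []
    if scheme == "ldap":
        findings.append("ldap:// on port %d: bind password crosses the wire in clear text" % port)
    elif port == DEFAULT_PORTS["ldap"]:
        findings.append("ldaps:// on port 389: ldaps expects TLS from the first byte, 389 is normally plain LDAP")
    actual = ca_file_type(ca_bytes)
    if actual != declared_ca_type:
        findings.append("CA file looks like %s but LDAPTrustedCAType says %s" % (actual, declared_ca_type))
    return findings

def probe_ldaps(host, port, cafile, timeout=5):
    """Verified TLS handshake against the directory; cafile must be PEM."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "certificate rejected: " + exc.verify_message
    except ssl.SSLError as exc:
        return "TLS handshake failed: %s" % exc.reason
    except OSError as exc:
        return "no TCP connection: %s" % exc
```

Run `preflight` on the directive values first, then `probe_ldaps` from the web server host as the user httpd runs as, so file permissions and network path are the same ones Apache sees.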