Just thought I would let you all know that this does work perfectly. My problem was that I had the server certificate and not the CA certificate. Thanks, Grant > -----Original Message----- > From: Sturgis, Grant > Sent: Friday, January 20, 2006 10:40 AM > To: 'users@xxxxxxxxxxxxxxxx' > Subject: RE: [users@httpd] ldaps authentication > > > -----Original Message----- > > From: Ricardo Stella [mailto:stella@xxxxxxxxx] > > > > > > > The default for ldap over ssl is on port 636. Is your ldap > supporting > > this or actually doing TLS on the standard port ? > > yes, our ldap server does ldaps over 636. In httpd.conf, I > have tried just changing the uri from ldap to ldaps as well > as appending the port (:636) to the server. Which approach > would you recommend? > > > > > > > > > > Sturgis, Grant wrote: > > >> From: Ricardo Stella [mailto:stella@xxxxxxxxx] > > >> > > > > > > > > >> What do logs show ? > > >> > > > > > > The error_log shows this: > > > > > > [Fri Jan 20 10:08:47 2006] [warn] [client 10.10.233.101] [2056] > > > auth_ldap authenticate: user jgood authentication failed; URI > > > /servers/smtp0/smtp0.htm [LDAP: ldap_simple_bind_s() failed][Can't > > > contact LDAP server], referer: http://mrtg/mail_servers.htm > > > > > > > > > > > >> Also, do you know if you are establishing a connection ? > > >> > > > > > > Yes, it appears that apache is trying to set up an ldaps > > session, but > > > failing. Perhaps something analogous to the 'tls_checkpeer no' in > > > ldap.conf? > > > > > > > > >> And, also, any permissions issue with the server reading the > > >> certificate ? > > >> > > > > > > The cert file is owned by apache with a mode of 400. All > > of the parent > > > directories are 755. > > > > > > > > >> Sturgis, Grant wrote: > > >> > > >>> No luck on this thread. Let me ask a different question: > > >>> > > >>> Is anyone using ldaps authentication - or ldap for that > matter? > > >>> > > >>> Anyone using ldaps to AD? > > >>> > > >>> Thanks, > > >>> > > >>> Grant > > >>> --------------- > > >>> > > >>> > > >>> > > >>>> -----Original Message----- > > >>>> From: Sturgis, Grant > > >>>> Sent: Wednesday, January 18, 2006 2:12 PM > > >>>> To: users@xxxxxxxxxxxxxxxx > > >>>> Subject: [users@httpd] ldaps authentication > > >>>> > > >>>> Greetings List, > > >>>> > > >>>> I have seen this question posted several times, but have > > not seen a > > >>>> resolution. If it is in the archives, I apologize for not > > >>>> > > >> seeing it > > >> > > >>>> there. > > >>>> > > >>>> I have ldap authentication working using mod_auth_ldap, > > >>>> > > >> but I want to > > >> > > >>>> enable ldaps to avoid transmitting passwords in clear text. > > >>>> This is the > > >>>> configuration so far: > > >>>> > > >>>> <Directory "/home/httpd/ldap_test"> > > >>>> AuthType basic > > >>>> AuthName "ldap test" > > >>>> AuthLDAPUrl > > >>>> ldap://dc1.domain.com/dc=domain,dc=com?sAMAccountName?sub?(obj > > >>>> ectClass=u > > >>>> ser) > > >>>> AuthLDAPBindDN cn=nobody,ou=Users-IT,dc=domain,dc=com > > >>>> AuthLDAPBindPassword password > > >>>> AuthLDAPGroupAttribute member > > >>>> require group > cn=ldap_test_group,ou=Users-IT,dc=domain,dc=com > > >>>> </Directory> > > >>>> > > >>>> however, to enable ldaps, I add these lines (outside the > > >>>> <Directory>, of > > >>>> course): > > >>>> > > >>>> LDAPTrustedCA /etc/httpd/conf/cacerts/dc1.cer > > >>>> LDAPTrustedCAType BASE64_FILE > > >>>> > > >>>> and then change ldap to ldaps in the AuthLDAPUrl line > > >>>> > > >>>> and it stops working. > > >>>> > > >>>> I have used this cert successfully in pam_ldap and > ldapsearch. > > >>>> > > >>>> Any suggestions for what I could be doing wrong? > > >>>> > > >>>> The details: > > >>>> > > >>>> RHEL ES 4 > > >>>> httpd-2.0.52-22.ent > > >>>> > > >>>> Thanks for any suggestions, > > >>>> > > >>>> Grant > > >>>> ----------------- > > >>>> > > >>>> > > >>>> > > >>>> > > >>>> Pardon this rubbish: > > >>>> > > >>>> > > >>>> > > > > > > This electronic message transmission is a PRIVATE > > communication which contains > > > information which may be confidential or privileged. The > > information is intended > > > to be for the use of the individual or entity named above. > > If you are not the > > > intended recipient, please be aware that any disclosure, > > copying, distribution > > > or use of the contents of this information is prohibited. > > Please notify the > > > sender of the delivery error by replying to this message, > > or notify us by > > > telephone (877-633-2436, ext. 0), and then delete it from > > your system. > > > > > > > > > > > > --------------------------------------------------------------------- > > > The official User-To-User support forum of the Apache HTTP > > Server Project. > > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > > > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > > > > > > > > > > > > -- > > > > °(((=((===°°°(((=========================================== > > > > This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|