hi, i'm trying to upgrade my ldap authentication to ldaps

i have both ldap and ldaps authentication working under apache 2.0 ... but under apache 2.2, i only have plain ldap working

i'm looking for tips on additional trouble-shooting methods i could try

here's my apache 2.0 config. this is the one which works, in both ldap and ldaps mode. notice the use of the non-standard port
    [...]
    LDAPSharedCacheSize 200000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    LDAPTrustedCA /opt/local/etc/ssl/fhcrc-ad.pem
    LDAPTrustedCAType BASE64_FILE
    [...]
    <Directory "/srv/www/htdocs/soma/">
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.1.
        SSLRequireSSL
        AuthName Soma
        AuthType Basic
        AuthLDAPBindDN "foo@xxxxxxxxx"
        AuthLDAPBindPassword passwd-for-foo
        AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
        # ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
        Require valid-user
    </Directory>

and here's my apache 2.2 config. if i comment out the 'ldaps' URL and comment in the 'ldap' URL, things work fine:
    [...]
    LDAPSharedCacheSize 200000
    LDAPCacheEntries 1024
    LDAPCacheTTL 600
    LDAPOpCacheEntries 1024
    LDAPOpCacheTTL 600
    LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
    LDAPTrustedMode TLS
    LDAPVerifyServerCert Off
    [...]
    <Directory "/srv/www/htdocs/soma/">
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.1.
        AuthName Soma
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off
        AuthLDAPBindDN "foo@xxxxxxxxx"
        AuthLDAPBindPassword passwd-for-foo
        AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
        # AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
        Require valid-user
    </Directory>

when it fails, i see the following in syslog:

    Sep 25 15:24:23 guru httpd[17738]: [warn] [client 10.1.2.3] [17738] auth_ldap authenticate: user skendric authentication failed; URI /soma [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
in a packet trace, i see the following, repeated a handful of times. [i hacked the Source and Destination IP address columns, replacing the actual IP addresses with 'a', the address of my apache server, and 'z' the address of my LDAP server]. basically, the apache server just establishes a TCP connection (SYN, SYN, ACK) ... and then, without attempting anything, tears it down ... and then repeats a handful of times.
    No.  Time      By  Source  Dest  Prot  Info
    1    0.000000  74  a       z     TCP   48965 > 12389 [SYN, ECN, CWR] Seq=0
    2    0.000351  78  z       a     TCP   12389 > 48965 [SYN, ACK] Seq=0 Ack=1
    3    0.000018  66  a       z     TCP   48965 > 12389 [ACK] Seq=1 Ack=1
    4    0.000780  66  a       z     TCP   48965 > 12389 [FIN, ACK] Seq=1 Ack=1
    5    0.000122  74  a       z     TCP   48966 > 12389 [SYN, ECN, CWR] Seq=0
    6    0.000312  78  z       a     TCP   12389 > 48966 [SYN, ACK] Seq=0 Ack=1
    7    0.000014  66  a       z     TCP   48966 > 12389 [ACK] Seq=1 Ack=1
    8    0.000004  66  z       a     TCP   12389 > 48965 [ACK] Seq=1 Ack=2
    9    0.000084  60  z       a     TCP   12389 > 48965 [RST, ACK] Seq=1 Ack=2
    10   0.000201  66  a       z     TCP   48966 > 12389 [FIN, ACK] Seq=1 Ack=1

i'm using the apache bundled with SuSE ... SuSE 9.3 in the httpd-2.0 case, and OpenSuSE 10.1 in the httpd-2.2.0 case. for grins, i compiled httpd-2.2.3 from scratch on my 10.1 box and tried it ... delivers the same symptoms as the httpd-2.2 bundled with OpenSuSE 10.1
suggestions for what i might try next to analyze what is going on?

--sk
stuart kendrick
fhcrc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
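The trace above carries one concrete fact worth pulling out: the client's FIN arrives at relative Seq=1 with a 66-byte frame, so the Apache host finished the TCP handshake and closed without sending a single payload byte, which means no TLS ClientHello ever left it. Here is an added Python script (not part of the original post) that parses summary lines in the post's format, tracks per-stream payload bytes and which side closed first, and flags exactly that pattern; the failing stream is copied from the post, the healthy stream is invented for contrast.

```python
import re

# Constructed from the trace in the post ('a' = Apache host, 'z' = LDAP server), first stream only.
FAILING = """\
1 0.000000 74 a z TCP 48965 > 12389 [SYN, ECN, CWR] Seq=0
2 0.000351 78 z a TCP 12389 > 48965 [SYN, ACK] Seq=0 Ack=1
3 0.000018 66 a z TCP 48965 > 12389 [ACK] Seq=1 Ack=1
4 0.000780 66 a z TCP 48965 > 12389 [FIN, ACK] Seq=1 Ack=1
8 0.000004 66 z a TCP 12389 > 48965 [ACK] Seq=1 Ack=2
9 0.000084 60 z a TCP 12389 > 48965 [RST, ACK] Seq=1 Ack=2
"""
# Invented healthy stream for contrast: the client sends 200 bytes (a TLS ClientHello) after the handshake.
HEALTHY = """\
1 0.000000 74 a z TCP 40000 > 12389 [SYN] Seq=0
2 0.000300 78 z a TCP 12389 > 40000 [SYN, ACK] Seq=0 Ack=1
3 0.000010 66 a z TCP 40000 > 12389 [ACK] Seq=1 Ack=1
4 0.000500 266 a z TCP 40000 > 12389 [PSH, ACK] Seq=1 Ack=1
5 0.002000 66 z a TCP 12389 > 40000 [ACK] Seq=1 Ack=201
"""
LINE = re.compile(r"^\d+\s+\S+\s+\d+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+) > (\d+) "
                  r"\[([^\]]*)\] Seq=(\d+)(?: Ack=(\d+))?")

def analyse(trace):
    """Per client port: handshake completed?, payload bytes each side sent, who closed first."""
    streams = {}
    for m in filter(None, map(LINE.match, trace.splitlines())):
        src, dst, sport, dport, flags, seq, ack = m.groups()
        flags = {f.strip() for f in flags.split(",")}
        if "SYN" in flags and "ACK" not in flags:  # the client's SYN opens a stream
            streams[sport] = {"handshake": False, "client_bytes": 0, "server_bytes": 0,
                              "closed_by": None, "fin": set()}
            continue
        s = streams.get(sport) or streams.get(dport)
        if s is None:
            continue
        side, peer = ("client", "server") if sport in streams else ("server", "client")
        if side == "client" and "ACK" in flags:
            s["handshake"] = True
        if "FIN" in flags:  # relative Seq of a FIN = payload bytes that side sent + 1
            s[side + "_bytes"], s["fin"] = int(seq) - 1, s["fin"] | {side}
        elif ack is not None and peer not in s["fin"]:  # Ack - 1 = bytes received from peer
            s[peer + "_bytes"] = max(s[peer + "_bytes"], int(ack) - 1)
        if s["closed_by"] is None and flags & {"FIN", "RST"}:
            s["closed_by"] = side
    return streams

def diagnose(s):
    if s["handshake"] and s["client_bytes"] == 0 and s["closed_by"] == "client":
        return "client-abort-before-data"  # never sent a ClientHello: look at the client's TLS setup
    return "server-close" if s["closed_by"] == "server" else "no-client-abort"
```

A stream classified as client-abort-before-data points at the LDAP client library giving up before the TLS handshake (certificate or TLS-mode setup on the Apache side), not at anything the directory server did.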