[users@httpd] ldap to ldaps under httpd-2.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hi,

i'm trying to upgrade my ldap authentication to ldaps

i have both ldap and ldaps authentication working under apache 2.0 ... but under apache 2.2, i only have plain ldap working

i'm looking for tips on additional trouble-shooting methods i could try

here's my apache 2.0 config. this is the one which works, in both ldap and ldaps mode. notice the use of the non-standard port
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedCA /opt/local/etc/ssl/fhcrc-ad.pem
LDAPTrustedCAType BASE64_FILE
[...]
<Directory "/srv/www/htdocs/soma/">
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 10.1.
  SSLRequireSSL
  AuthName Soma
  AuthType Basic
  AuthLDAPBindDN "foo@xxxxxxxxx"
  AuthLDAPBindPassword passwd-for-foo
  AuthLDAPURL
ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(obj
ectClass=user)
  # ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(obj
ectClass=user)
  Require valid-user
</Directory>


and here's my apache 2.2 config. if i comment out the 'ldaps' URL and comment in the 'ldap' URL, things work fine:
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
[...]
<Directory "/srv/www/htdocs/soma/">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 10.1.
   AuthName Soma
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative Off
   AuthLDAPBindDN "foo@xxxxxxxxx"
   AuthLDAPBindPassword passwd-for-foo
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub
?(objectClass=user) STARTTLS
#   AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(
objectClass=user)
   Require valid-user
</Directory>

when it fails, i see the following in syslog:

Sep 25 15:24:23 guru httpd[17738]: [warn] [client 10.1.2.3] [17738] auth_ldap authenticate: user skendric authentication failed; URI /soma [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

in a packet trace, i see the following, repeated a handful of times. [i hacked the Source and Destination IP address columns, replacing the actual IP addresses with 'a', the address of my apache server, and 'z' the address of my LDAP server]. basically, the apache server just establishes a TCP connection (SYN, SYN, ACK) ... and then, without attempting anything, tears it down ... and then repeats a handful of times.

No.  Time   By  Source Dest Prot Info
 1 0.000000 74  a      z    TCP  48965 > 12389 [SYN, ECN, CWR] Seq=0
 2 0.000351 78  z      a    TCP  12389 > 48965 [SYN, ACK] Seq=0 Ack=1
 3 0.000018 66  a      z    TCP  48965 > 12389 [ACK] Seq=1 Ack=1
 4 0.000780 66  a      z    TCP  48965 > 12389 [FIN, ACK] Seq=1 Ack=1
 5 0.000122 74  a      z    TCP  48966 > 12389 [SYN, ECN, CWR] Seq=0
 6 0.000312 78  z      a    TCP  12389 > 48966 [SYN, ACK] Seq=0 Ack=1
 7 0.000014 66  a      z    TCP  48966 > 12389 [ACK] Seq=1 Ack=1
 8 0.000004 66  z      a    TCP  12389 > 48965 [ACK] Seq=1 Ack=2
 9 0.000084 60  z      a    TCP  12389 > 48965 [RST, ACK] Seq=1 Ack=2
10 0.000201 66  a      z    TCP  48966 > 12389 [FIN, ACK] Seq=1 Ack=1

i'm using the apache bundled with SuSE ... SuSE 9.3 in the httpd-2.0 case, and OpenSuSE 10.1 in the httpd-2.2.0 case. for grins, i compiled httpd-2.2.3 from scratch on my 10.1 box and tried it ... delivers the same symptoms as the httpd-2.2 bundled with OpenSuSE 10.1

suggestions for what i might try next to analyze what is going on?

--sk

stuart kendrick
fhcrc

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux