Re: [users@httpd] ldap to ldaps under httpd-2.2

Stuart Kendrick wrote:
> hi,
>
> i'm trying to upgrade my ldap authentication to ldaps
>
> i have both ldap and ldaps authentication working under apache 2.0 ...
> but under apache 2.2, i only have plain ldap working
>
> i'm looking for tips on additional trouble-shooting methods i could try
>
>
[...]
>
> and here's my apache 2.2 config.  if i comment out the 'ldaps' URL and
> comment in the 'ldap' URL, things work fine:
> [...]
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
> LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
> LDAPTrustedMode TLS
[...]
>    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
> #   AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
>    Require valid-user
> </Directory>
>

Well, which one is it?  TLS or SSL?  That's the problem...  LDAP in
SSL mode works on a different port.  TLS connections work on the same
insecure port, except that the talk is encrypted.

So, if you enabled SSL on port 12389, then:

LDAPTrustedMode SSL   # If you run SSL, this is optional as you'll enable this with the 'ldaps' url
...
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

Or, if you are doing TLS, then:

LDAPTrustedMode TLS   # If you run TLS, you can set this or add STARTTLS at the end of the ldap url
...
AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

Hope this helps...

My .02...

-- 

Ricardo Stella
Rider University
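The SSL-versus-STARTTLS mix-up in the quoted config can be caught before httpd is restarted. The following checker is an added example, not code from the thread or from the httpd project; it parses an AuthLDAPURL value in the mod_authnz_ldap layout (scheme://host:port/basedn?attribute?scope?filter, optional mode keyword), works out which mode wins (assumption: the keyword on the URL overrides LDAPTrustedMode, which overrides the scheme default), and reports the contradictions the reply describes. The URLs are constructed from the ones quoted above.

```python
# Added example: flag an AuthLDAPURL / LDAPTrustedMode pair that mixes
# ldaps:// (TLS from the first byte, separate port) with STARTTLS
# (in-band upgrade of a plaintext ldap:// session on the plaintext port).
LDAPS_PORT, LDAP_PORT = 636, 389


def parse_auth_ldap_url(value):
    """Split 'scheme://host:port/basedn?attr?scope?filter [MODE]' into fields."""
    tokens = value.split()
    url = tokens[0]
    mode = tokens[1].upper() if len(tokens) > 1 else None
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?") + [""] * 4  # basedn?attribute?scope?filter, padded
    return {
        "scheme": scheme, "host": host,
        "port": int(port) if port else (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT),
        "basedn": fields[0], "attribute": fields[1],
        "scope": fields[2] or "sub", "filter": fields[3],
        # STARTTLS and TLS name the same mode in mod_authnz_ldap
        "mode": "TLS" if mode == "STARTTLS" else mode,
    }


def effective_mode(url, trusted_mode=None):
    """Assumed precedence: URL keyword, then LDAPTrustedMode, then scheme default."""
    if url["mode"]:
        return url["mode"]
    if trusted_mode:
        return "TLS" if trusted_mode.upper() == "STARTTLS" else trusted_mode.upper()
    return "SSL" if url["scheme"] == "ldaps" else "NONE"


def check_ldap_tls_config(auth_ldap_url, ldap_trusted_mode=None):
    """Return a list of problems; an empty list means the pair is consistent."""
    url = parse_auth_ldap_url(auth_ldap_url)
    mode = effective_mode(url, ldap_trusted_mode)
    problems = []
    if mode == "TLS" and url["scheme"] == "ldaps":
        problems.append("STARTTLS upgrades a plaintext ldap:// session in-band, "
                        "but ldaps:// expects TLS from the first byte: pick one")
    if mode == "SSL" and url["port"] == LDAP_PORT:
        problems.append("SSL mode on port 389, the plaintext/STARTTLS port")
    if mode == "TLS" and url["port"] == LDAPS_PORT:
        problems.append("STARTTLS on port 636, which normally speaks ldaps directly")
    if mode == "NONE":
        problems.append("bind credentials will cross the network unencrypted")
    return problems
```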


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
