Stuart Kendrick wrote:
> hi,
>
> i'm trying to upgrade my ldap authentication to ldaps
>
> i have both ldap and ldaps authentication working under apache 2.0 ...
> but under apache 2.2, i only have plain ldap working
>
> i'm looking for tips on additional trouble-shooting methods i could try
>
> [...]
>
> and here's my apache 2.2 config. if i comment out the 'ldaps' URL and
> comment in the 'ldap' URL, things work fine:
> [...]
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
> LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
> LDAPTrustedMode TLS
[...]
> AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
> # AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
> Require valid-user
> </Directory>
>

Well, which one is it? TLS or SSL :? That's the problem...

LDAP in SSL mode works on a different port. TLS connections work on the same unsecure port, except that the talk is encrypted.

So, if you enabled SSL on port 12389, then:

    # If you run SSL, this is optional as you'll enable this with the 'ldaps' url
    LDAPTrustedMode SSL
    ...
    AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

Or, if you are doing TLS, then:

    # If you run TLS, you can set this or add STARTTLS at the end of the ldap url
    LDAPTrustedMode TLS
    ...
    AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

Hope this helps... My .02...

--
Ricardo Stella
Rider University
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
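
Added example, not part of the original message and not Apache httpd code: a small Python lint for the mix-up the reply describes, an ldaps:// AuthLDAPURL paired with a TLS/STARTTLS mode. The function name, verdict labels, hostname and sample config are constructed for illustration, and it assumes a single server-wide LDAPTrustedMode.

```python
import shlex

STARTTLS_MODES = {"TLS", "STARTTLS"}
KNOWN_MODES = STARTTLS_MODES | {"SSL", "NONE"}
# Constructed sample (hypothetical host), shaped like the config in the thread.
SAMPLE_CONFIG = """\
LDAPTrustedMode TLS
<Directory "/var/www/private">
    AuthLDAPURL ldaps://ldap.example.org:636/dc=example,dc=org?uid?sub?(objectClass=user) STARTTLS
    # AuthLDAPURL ldap://ldap.example.org:389/dc=example,dc=org?uid?sub
    Require valid-user
</Directory>
"""


def audit_ldap_transport(config_text):
    """Return [(line_no, verdict, url)] for every active AuthLDAPURL line."""
    directives = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        try:
            directives.append((line_no, shlex.split(line)))
        except ValueError:  # unbalanced quote: not a line this check can read
            continue
    # Assumption: one server-wide LDAPTrustedMode; the last one seen wins.
    global_mode = "NONE"
    for _, tok in directives:
        if tok[0].lower() == "ldaptrustedmode" and len(tok) > 1:
            global_mode = tok[1].upper()
    findings = []
    for line_no, tok in directives:
        if tok[0].lower() != "authldapurl" or len(tok) < 2:
            continue
        url = tok[1]
        arg = tok[2].upper() if len(tok) > 2 else None
        mode = arg if arg in KNOWN_MODES else global_mode  # per-URL mode wins
        scheme = url.split("://", 1)[0].lower()
        if scheme == "ldaps" and mode in STARTTLS_MODES:
            verdict = "mismatch"   # scheme says SSL, mode says StartTLS: pick one
        elif scheme == "ldaps" or mode == "SSL":
            verdict = "ssl"
        elif mode in STARTTLS_MODES:
            verdict = "starttls"
        else:
            verdict = "plaintext"  # ldap:// with no TLS mode: bind is unencrypted
        findings.append((line_no, verdict, url))
    return findings
```

Calling `audit_ldap_transport(SAMPLE_CONFIG)` reports the active AuthLDAPURL on line 3 as a mismatch and ignores the commented-out one.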