When trying to authenticate clients via a remote LDAP directory (using mod_authz_ldap), we fail and the following is logged:

    [Wed Jan 17 14:57:14 2007] [warn] [client a.b.c.d] [32492] auth_ldap authenticate: user xxxxxxxx authentication failed; URI /ldap/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

The authentication attempt succeeds when standard LDAP is attempted, but for security we require LDAPS. There are no connectivity issues between Apache and the remote LDAPS service, as we can successfully test our operations using 'openssl s_client' and ldapsearch(1) without issue. I've seen this error quite a bit on the web and looked into some suggested solutions, but still no love. It strongly appears to be related to the certificate we are using in LDAPTrustedGlobalCert, which was retrieved from the LDAP server using an SSL connection to dump it out. The certificate is self-signed, so I don't know if the SSL connection won't initialize properly because of a hostname/CN mismatch or what exactly. The date on the certificate is valid.

We're using Apache/2.2.3 on Fedora Core 6. All components are installed via binary RPMs.
Apache LDAP config details:

    LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/directory.pem

    <Location /ldap>
        AuthType Basic
        AuthName "LDAP Authentication"
        AuthBasicProvider ldap
        AuthLDAPURL ldaps://192.168.1.100:636/ou=internal,o=mydir?uid SSL
        AuthLDAPBindDN cn=admin,ou=applicationusers,o=mydir
        AuthLDAPBindPassword xxxxxxxx
        AuthzLDAPAuthoritative Off
        AuthGroupFile /etc/httpd/auth/htgroups
        require group LDAP
    </Location>

Startup notices:

    [Wed Jan 17 16:01:39 2007] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t:s0
    [Wed Jan 17 16:01:39 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Wed Jan 17 16:01:39 2007] [info] Init: Seeding PRNG with 256 bytes of entropy
    [Wed Jan 17 16:01:39 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Wed Jan 17 16:01:40 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Wed Jan 17 16:01:40 2007] [info] Init: Initializing (virtual) servers for SSL
    [Wed Jan 17 16:01:40 2007] [info] Server: Apache/2.2.3, Interface: mod_ssl/2.2.3, Library: OpenSSL/0.9.8b
    [Wed Jan 17 16:01:40 2007] [notice] Digest: generating secret for digest authentication ...
    [Wed Jan 17 16:01:40 2007] [notice] Digest: done
    [Wed Jan 17 16:01:40 2007] [debug] util_ldap.c(1929): LDAP merging Shared Cache conf: shm=0x8c59368 rmm=0x8c59398 for VHOST: mysite.mydomain.tld
    [Wed Jan 17 16:01:40 2007] [info] APR LDAP: Built with OpenLDAP LDAP SDK
    [Wed Jan 17 16:01:40 2007] [info] LDAP: SSL support available
    [Wed Jan 17 16:01:40 2007] [info] Init: Seeding PRNG with 256 bytes of entropy
    [Wed Jan 17 16:01:40 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Wed Jan 17 16:01:40 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Wed Jan 17 16:01:40 2007] [info] Shared memory session cache initialised
    [Wed Jan 17 16:01:40 2007] [info] Init: Initializing (virtual) servers for SSL
    [Wed Jan 17 16:01:40 2007] [info] Server: Apache/2.2.3, Interface: mod_ssl/2.2.3, Library: OpenSSL/0.9.8b
    [Wed Jan 17 16:01:40 2007] [notice] Apache/2.2.3 (Fedora) configured -- resuming normal operations
    [Wed Jan 17 16:01:40 2007] [info] Server built: Sep 11 2006 09:43:05

-- 
Darren Spruell
phatbuckett@xxxxxxxxx
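An added diagnostic script for the three suspects the post raises (not code from the thread or from Apache): it assumes openssl(1) is installed and that the client compares the certificate name against the host literal in AuthLDAPURL, here the IP 192.168.1.100, so an IP in the URL needs an IP subjectAltName rather than just a CN. It fetches the certificate the LDAPS server actually presents, compares it with the LDAPTrustedGlobalCert file, checks that the file verifies it, and checks the CN/SAN against the URL host.

```sh
#!/bin/sh
# Added diagnostic (not from the thread). Assumes openssl(1) is in PATH.
# Checks the certificate in LDAPTrustedGlobalCert against what the LDAPS
# server really presents and against the host named in AuthLDAPURL.

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the leaf certificate presented by HOST:PORT into OUTFILE (needs network).
fetch_server_cert() {  # usage: fetch_server_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3" 2>/dev/null
}

# Does CAFILE (the LDAPTrustedGlobalCert file) verify CERTFILE? 0 = yes.
cert_verifies_against() {  # usage: cert_verifies_against CAFILE CERTFILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate's SAN/CN cover the host or IP used in AuthLDAPURL?
# An IP literal (as in ldaps://192.168.1.100:636/) is checked against IP SANs.
cert_matches_host() {  # usage: cert_matches_host CERTFILE HOST_OR_IP
    case "$2" in
        *[!0-9.]*) flag=-checkhost ;;  # contains letters -> DNS name
        *)         flag=-checkip ;;    # dotted decimal -> IP address
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match'
}

# Run all three checks against a live server and report each result.
diagnose_ldaps() {  # usage: diagnose_ldaps HOST PORT TRUSTED_PEM
    tmp=$(mktemp) || return 2
    if ! fetch_server_cert "$1" "$2" "$tmp"; then
        echo "could not read a certificate from $1:$2"; rm -f "$tmp"; return 2
    fi
    if [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$3")" ]; then
        echo "OK: server presents exactly the certificate in $3"
    else
        echo "DIFF: server presents a different certificate than $3"
    fi
    cert_verifies_against "$3" "$tmp" && echo "OK: $3 verifies the server certificate" \
        || echo "FAIL: $3 does not verify the server certificate (wrong or incomplete trust file)"
    cert_matches_host "$tmp" "$1" && echo "OK: certificate name covers $1" \
        || echo "FAIL: certificate CN/SAN does not cover $1 (hostname mismatch)"
    rm -f "$tmp"
}

# e.g. sh check_ldaps.sh 192.168.1.100 636 /etc/pki/tls/certs/directory.pem
if [ $# -eq 3 ]; then diagnose_ldaps "$1" "$2" "$3"; fi
```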