On 1/17/07, Darren Spruell <phatbuckett@xxxxxxxxx> wrote:
> When trying to authenticate clients via a remote LDAP directory (using mod_authz_ldap), we fail and the following is logged:
>
> [Wed Jan 17 14:57:14 2007] [warn] [client a.b.c.d] [32492] auth_ldap authenticate: user xxxxxxxx authentication failed; URI /ldap/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> The authentication attempt succeeds when standard LDAP is attempted, but for security we require LDAPS. There are no connectivity issues between Apache and the remote LDAPS service, as we can successfully test our operations using 'openssl s_client' and ldapsearch(1) without issue.
I think I've found the problem, and it's related to a name mismatch between the address we had configured to connect to the LDAP server and the CN returned in the SSL certificate. I had to test using a locally-configured DNS server to spoof the name, since the FQDN did not exist in our DNS, but after changing the name it worked correctly.

On this note, what would it take to get some more debugging enabled in mod_ldap around the certificate validation procedures? It would be very useful if the logs indicated an error in the server certificate validation, as several variables can be out of place there: expired certificate, untrusted issuer, or CN/hostname mismatch. The same error that we were seeing misleads a lot of people (according to Google) into diagnosing the issue as an inability to complete a TCP/IP socket with the remote LDAP server, when the issue may actually be a failure to complete the SSL handshake.

DS

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
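The distinction the thread asks mod_ldap to log, as an added example that is not part of the thread or of mod_ldap/mod_authz_ldap: the probe below separates a genuine TCP connectivity failure from a TLS handshake failure against an LDAPS endpoint and names the certificate problem (expired, untrusted issuer, or CN/hostname mismatch). The host, port and CA file are whatever the caller passes in; the OpenSSL verify-code table is from the X509_V_ERR_* constants.

```python
"""Diagnose why an LDAPS connection fails: unreachable TCP port, or a TLS
handshake that the LDAP client reports only as "Can't contact LDAP server".
Added example; not part of the original thread or of mod_ldap."""
import socket
import ssl

# OpenSSL X509_V_ERR_* codes as surfaced in SSLCertVerificationError.verify_code
_VERIFY_REASONS = {
    9: "certificate not yet valid",
    10: "certificate expired",
    18: "self-signed server certificate (issuer not trusted)",
    19: "self-signed certificate in chain (issuer not trusted)",
    20: "issuer certificate not found locally (untrusted issuer)",
    21: "unable to verify the first certificate",
    27: "certificate untrusted",
    62: "hostname does not match certificate CN/SAN",
}


def classify_verify_error(verify_code, verify_message=""):
    """Map an OpenSSL verify code (and its message) onto the three classes the
    thread wants logged: hostname mismatch, expiry, untrusted issuer."""
    msg = (verify_message or "").lower()
    if verify_code == 62 or "match" in msg:
        return "hostname-mismatch"
    if verify_code in (9, 10) or "expired" in msg or "not yet valid" in msg:
        return "expired"
    if verify_code in (18, 19, 20, 21, 27) or "self signed" in msg or "issuer" in msg:
        return "untrusted-issuer"
    return "other-verify-error"


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (status, detail); status is one of 'ok', 'tcp-unreachable',
    'tls-verify-failed' or 'tls-handshake-failed'."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname on
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp-unreachable", str(exc)  # the only case that is truly "can't contact"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return "ok", f"verified; CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        msg = getattr(exc, "verify_message", "") or str(exc)
        reason = _VERIFY_REASONS.get(code, msg)
        return "tls-verify-failed", f"{classify_verify_error(code, msg)}: {reason}"
    except ssl.SSLError as exc:
        return "tls-handshake-failed", str(exc)
    finally:
        raw.close()
```

Run `probe_ldaps("ldap.example.org")` against the hostname Apache is configured with; a result of "hostname-mismatch" is exactly the case described above, which the LDAP client collapses into "Can't contact LDAP server".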