I have a couple of Apache web server installations that have been unable to connect to an Active Directory server after its certificate was renewed. The two installations I attempted to use were versions 2.0.59 and 2.2.8, both installed on Windows (Win2003 Server and WinXPSP2, respectively). Prior to the certificate renewal, the 2.0.59 installation worked without issue.

Since I don't control the AD server, I am not certain of the exact procedure used to renew the certificate. I was told that the procedure used was Microsoft's recommended procedure. I also know that both the server certificate and the root certificate had to be renewed. Finally, WebSphere Application Server running on an iSeries machine and a WinXP machine was able to use the new certificate to establish a secure connection. (Hence, the comment that the certificate was apparently valid.)

I tried turning on debug logs in Apache but found nothing that indicated the reason the certificate was being rejected. The regular error logs merely said that the LDAP server was down or unavailable depending on which Apache installation. Wireshark logs indicated that the client was killing the connection immediately after the server sent its certificate. I went through that certificate and it appeared to match perfectly with the certificate I saved from the AD server.

Later, I attempted to connect using a version 2.2.4 installation on an Ubuntu 7.10 box. The Wireshark logs there indicated that it was the server that was killing the connection.

The owners of the AD server finally reissued the root certificate and the original Apache configurations worked without a problem.

At this point, we have something working but we would very much like to know what happened and why. Can anyone shed some light on this?

Thank you for your time,
Paul Scheible

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.