Apache httpd 2.2.8 not reading LDAPTrustedGlobalCert files

I'm having trouble getting Apache httpd 2.2.8 to read the LDAPTrustedGlobalCert files I specify.

Platform:
 Apache httpd 2.2.8
 built against OpenLDAP 2.3.39, OpenSSL 0.9.8g, expat 2.0.1
 MPM: pre-fork
 Solaris 10 on SPARC

httpd.conf:
...
<IfModule ldap_module>
  LDAPTrustedGlobalCert CA_BASE64 /var/local/etc/certs/foo
  LDAPVerifyServerCert on
...
</IfModule>

truss of httpd parent and all children show that at startup, httpd parent
does a stat64(/var/local/etc/certs/foo) which returns 0.   Good.
But the truss shows that at no time (at startup or later when talking to an LDAP server)
does the parent or any child httpd try to open() the file /var/local/etc/certs/foo.
So (not surprisingly), attempts by httpd to verify certificates issued by
the CA whose cert is in 'foo' fail.

Any ideas what I'm doing wrong?

--

Details:

Authenticating using LDAP in the clear works fine.

Authenticating using LDAP over SSLv2 works fine, if I change LDAPVerifyServerCert to off.
But it fails if I turn on LDAPVerifyServerCert.

When it fails, httpd (at debug level) logs that "LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server".
But looking at a packet capture makes it clear that after the LDAP server presents its certificate
to httpd, httpd responds to the LDAP server with an "Unknown CA" error.

Permissions on the file /var/local/etc/certs/foo and enclosing dirs are fine for the httpd user.

httpd logs at startup: "util_ldap.c(1597): LDAP: SSL trusted global cert - /var/local/etc/certs/foo (type CA_BASE64)".
This seems fine.

mod_info handler shows that mod_ldap was configured with "LDAPTrustedGlobalCert CA_BASE64 /var/local/etc/certs/foo".
Again, this seems fine.
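A way to narrow a problem like the one above down to the file or to httpd, as an added diagnostic script that is not part of the original post: it checks that the CA_BASE64 file really is PEM (that is what the CA_BASE64 type denotes; a DER file would need CA_DER), then verifies the LDAP server's chain against the same file with openssl s_client and with the OpenLDAP ldapsearch client, which reads LDAPTLS_CACERT and so exercises the same client library httpd was built against. The path and host:port are placeholders.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the original post). They check an
# LDAPTrustedGlobalCert CA_BASE64 file and the LDAP server's chain outside
# httpd. The CA path and host:port used below are placeholders.

# CA_BASE64 denotes a PEM-encoded CA certificate (or bundle). Return 0 when the
# file exists, is readable by the current user and holds a PEM certificate
# block; a DER file has no such markers and would need type CA_DER instead.
check_ca_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "no PEM BEGIN CERTIFICATE marker: $f" >&2; return 1; }
    grep -q -- '-----END CERTIFICATE-----' "$f" \
        || { echo "no PEM END CERTIFICATE marker: $f" >&2; return 1; }
    return 0
}

# Number of PEM certificate blocks in the file (a bundle of several CAs is fine).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and issuer of every certificate in the file (needs openssl).
show_ca_file() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the LDAP server's certificate chain against the same CA file, with
# httpd out of the loop. Expect "Verify return code: 0 (ok)"; a non-zero code
# means the chain the server presents does not lead to a CA in the file.
verify_ldap_server() {
    openssl s_client -connect "$2" -CAfile "$1" -showcerts </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Exercise the OpenLDAP client library itself with this CA file. LDAPTLS_CACERT
# and LDAPTLS_REQCERT override ldap.conf; "demand" fails the connection on an
# unknown CA, which is what LDAPVerifyServerCert on asks for.
ldap_client_check() {
    LDAPTLS_CACERT="$1" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$2" -x -s base -b '' 1.1
}

# Usage: sh ldapca-check.sh /var/local/etc/certs/foo ldap.example.org:636
if [ "$#" -ge 1 ]; then
    check_ca_file "$1" && echo "$(count_pem_certs "$1") PEM certificate(s) in $1"
    if [ "$#" -ge 2 ]; then
        show_ca_file "$1"
        verify_ldap_server "$1" "$2"
        ldap_client_check "$1" "$2"
    fi
fi
```

If check_ca_file and the openssl verification both pass but ldapsearch still reports an unknown CA, the OpenLDAP library is not seeing the file, which points at the client-library side rather than at the certificate; if everything passes outside httpd, the remaining suspect is how httpd hands the setting to that library.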




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.