RE: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

> -----Original Message-----
> From: Sandro Tosi [mailto:sandro.tosi@xxxxxxxxxxx]
> Sent: Friday 13 November 2009 16:49
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD
> 
> Just to follow this up for people that might have the same problem: it
> turns out it was because
> 
> - php was *not* compiled with ldap options
> - php was loaded *before* mod_ldap and mod_authnz_ldap
> 
> A simple solution was to import mod_{authnz,}_ldap before php. The right
> solution though is to add
> 
>   --with-ldap-sasl --with-ldap
> 
> configure options to php. After that, whatever order the above modules are
> imported in, apache and LDAP can communicate and authenticate users.
> 
> Thanks,
> Sandro
> 
> Sandro Tosi wrote:
> > Hello,
> > we are enabling LDAP auth on our apache stack. Starting from
> > apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
> >
> > The configure line we used for apache is:
> >
> > $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man
> > --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all
> > --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap
> >
> > and the one for php is:
> >
> > ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man
> > --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs
> > --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash
> > --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib
> > --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt
> > --enable-shared=max --enable-mbstring --enable-inline-optimization
> > --enable-magic-quotes --enable-sigchild --enable-soap
> > --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib
> > --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
> >
> > Build and install went fine.
> >
> > We also installed openldap-client-2.3.27 and set "TLS_REQCERT never"
> > into /etc/openldap/ldap.conf .
> >
> > And now starts the problem :( We configured httpd.conf to contain
> >
> >   LoadModule ldap_module modules/mod_ldap.so
> >   LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> >   ...
> >   LDAPVerifyServerCert Off
> >
> > Then we set a dir with .htaccess similar to this:
> >
> >   AuthType Basic
> >   AuthName "<name>"
> >   AuthBasicProvider ldap
> >   AuthzLDAPAuthoritative Off
> >   AuthLDAPBindDN uid=<uid>,ou=<ou>,ou=<ou>,dc=<dc>,dc=<dc>
> >   AuthLDAPBindPassword <pwd>
> >   AuthLDAPURL ldaps://<address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
> >   require valid-user
> >
> > If I then try to access a page under that .htaccess, then I'm prompted
> > for username and password, but then I'm redirected to a 500 page and in
> > error.log I can read
> >
> > [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap
> > authenticate: user stosi authentication failed; URI /index.html [LDAP:
> > ldap_set_option failed. Could not set LDAP_OPT_X_TLS to
> > LDAP_OPT_X_TLS_HARD][Operations error]
> >
> > We have been stuck in this situation for days :( We searched the internet
> > for the above error message, but except for a couple of posts on
> > issues.apache.org (that don't help) there is nothing else but complaints
> > about how obscure that error is.
> >
> > I think there's something related to SSL and how recent apache (it seems
> > from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
> > httpd.conf and set explicitly "SSLEngine On" where needed (while before
> > it was a bit more implicit).
> >
> > I appreciate any help, because we are out of ideas on how to move on.
> >
> > Regards,
> > Sandro
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >
> 
> 

Thanks for the feedback.

Emmanuel
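The thread turns on two configuration facts: the order of the LoadModule lines (PHP's own libldap loaded before mod_ldap) and two settings that switch off LDAP server certificate checks (LDAPVerifyServerCert Off in httpd.conf, TLS_REQCERT never in /etc/openldap/ldap.conf). The audit script below is an added example, not code from the thread or from the Apache project; the config fragments it parses are constructed to mirror the thread, and the PHP module name php5_module is an assumption, since the thread never names it.

```python
import re

# Constructed httpd.conf fragment reproducing the failing setup from the thread:
# a PHP module (name assumed) loaded before mod_ldap, and server cert checks off.
FAILING_HTTPD_CONF = """\
LoadModule php5_module        modules/libphp5.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPVerifyServerCert Off
"""

# Constructed fragment with mod_ldap loaded first and certificate checks left on.
FIXED_HTTPD_CONF = """\
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule php5_module        modules/libphp5.so
LDAPVerifyServerCert On
"""

# Constructed /etc/openldap/ldap.conf fragments: the thread's setting, then OpenLDAP's default.
LAX_LDAP_CONF = "TLS_REQCERT never\n"
STRICT_LDAP_CONF = "TLS_REQCERT demand\n"

LOAD_MODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.IGNORECASE)

def module_order(httpd_conf):
    """Module names in the order their LoadModule lines appear in the config text."""
    names = []
    for line in httpd_conf.splitlines():
        match = LOAD_MODULE.match(line)
        if match:
            names.append(match.group(1))
    return names

def audit(httpd_conf, ldap_conf):
    """Findings for the two things the thread hinged on: module load order and TLS checks."""
    findings = []
    order = module_order(httpd_conf)
    php = [i for i, name in enumerate(order) if name.startswith("php")]
    ldap = [i for i, name in enumerate(order) if name == "ldap_module"]
    # Root cause in the thread: a PHP built without LDAP support loaded ahead of mod_ldap.
    if php and ldap and php[0] < ldap[0]:
        findings.append("php module is loaded before ldap_module")
    # Both of these disable verification of the ldaps:// server certificate.
    if re.search(r"^\s*LDAPVerifyServerCert\s+Off\b", httpd_conf, re.I | re.M):
        findings.append("LDAPVerifyServerCert Off: mod_ldap will not verify the server certificate")
    if re.search(r"^\s*TLS_REQCERT\s+never\b", ldap_conf, re.I | re.M):
        findings.append("TLS_REQCERT never: libldap accepts any server certificate")
    return findings
```

With both certificate checks disabled, the AuthLDAPBindPassword and every user's Basic-auth credentials go to whatever answers at the ldaps:// address, so once the load-order fix clears the ldap_set_option error the two settings are worth turning back on.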

