Hi Simon

I know exactly what you are referring to as I have attempted to configure the same authentication (I seem to remember it was with Apache 2.2.6). Unfortunately, when I tried it, LDAPS authentication with Apache resulted in segfaults.

If you have managed to get things working over plain LDAP (port 389) then you are nearly there... All you have to do is change the protocol and port and Apache should do the rest.

Of course you need to configure AD for the SSL/TLS encryption... http://lmgtfy.com/?q=active+directory+ldaps

________________________________
From: Simon Walter <simon.walter@xxxxxxxxxxxxxxxxxx> [mailto:Simon Walter <simon.walter@xxxxxxxxxxxxxxxxxx>]
Sent: 19 November 2009 08:16
To: users@xxxxxxxxxxxxxxxx
Subject: Apache/2.2.8 authenticate LDAP AD SSL or TLS - ubuntu(debian)

Hi all,

This is my first message to the list. Greetings.

First off I'll start by saying that I've scoured the search engines and searched this list and found only bits and pieces. I'm not going to report any problems right away. My question is: Does anyone know of a document that describes what I need to make Apache authenticate via LDAP over SSL or TLS connecting to a MS AD server?

I've been able to do this successfully with plaintext (no SSL or TLS). However I get warnings on my AD server saying that it is a security risk. I don't know much about Windows, and I could have a problem with the AD server and would like to know how I can test that.

I've tried to connect to the AD server with JXplorer and LDAPExplorertool2 and have failed with SSL and TLS. I also tried using ldapsearch and got an error:

"ldap_sasl_interactive_bind_s: Unknown authentication method"

Then I installed the package for gssapi "libsasl2-modules-gssapi-heimdal". Now I get a different error:

"SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)"

I'm not sure what types of connections MS AD supports: SSL, TLS, SASL... ??? How can I know for sure that the server side is fine?

Anyway, if someone can show me a working Apache config and/or a document which describes what I need to do to get this setup working, I'd be very grateful. I'll reply once I've tried all your suggestions.

Thanks for your help.

Simon

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
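
The "change the protocol and port" step discussed in this thread, shown as an added example that is not from either poster: an Apache 2.2 mod_authnz_ldap configuration with the plain-LDAP URL beside its LDAPS and StartTLS forms. The host name dc01.example.com, the DNs, the password and the file paths are assumed placeholders.

```apache
# Constructed example for Apache 2.2 with mod_ldap and mod_authnz_ldap loaded.
# dc01.example.com, the DNs, the password and all paths are placeholders.

# Server config context (outside any <VirtualHost>): trust the CA that
# issued the domain controller's certificate (Base64/PEM export) and
# refuse connections whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-issuing-ca.pem
LDAPVerifyServerCert On

<Location /protected>
    # Basic auth sends the user's password to Apache on every request,
    # so serve this location over HTTPS as well.
    AuthType Basic
    AuthName "AD login"
    AuthBasicProvider ldap

    # Before: plain LDAP on 389. The bind password and each user's
    # password cross the network unencrypted.
    # AuthLDAPURL "ldap://dc01.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" NONE

    # After: LDAPS on 636. Use the host name that appears in the
    # domain controller's certificate.
    AuthLDAPURL "ldaps://dc01.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" SSL

    # Alternative: stay on 389 and upgrade the connection with StartTLS.
    # AuthLDAPURL "ldap://dc01.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)" STARTTLS

    # Service account used to search for the user's DN before the
    # user bind (assumed name; give it read-only rights).
    AuthLDAPBindDN "CN=apache-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    Require valid-user
</Location>
```

To check the server side independently of Apache, `openssl s_client -connect dc01.example.com:636 -CAfile /etc/ssl/certs/ad-issuing-ca.pem` should end with `Verify return code: 0 (ok)`. With ldapsearch, the `-x` option selects a simple bind instead of SASL.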