httpd cannot connect via TLS to LDAP server after upgrade to fedora 14
After upgrading a machine from fedora 13 to fedora 14 (with all
updates), I was suddenly unable to get its httpd to authenticate
with my LDAP servers.* After connecting my browser to the web server
with https, and typing in my username and password,
I get an Internal Server Error response.
My configuration is:
The httpd debugging log shows:
auth_ldap authenticate: user XXXX authentication failed;
[LDAP: ldap_start_tls_s() failed][Connect error]
Changing AuthLDAPURL to use SSL instead of TLS also fails but with:
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
tcpdump shows that the httpd client connects to the LDAP server,
and is sent:
Start TLSrequest accepted Server willing to negotiate SSL
but no certificate info is exchanged and the client quickly closes
Changing AuthLDAPURL to use NONE makes it connect successfully.
serv1 uses a cert purchased from GoDaddy,
and serv2 uses a self signed cert
(which is /etc/openldap/cacerts/cacert.asc).
Both servers are 389-ds.
Both certs mentioned in LDAPTrustedGlobalCert are valid and world
readable.* ldapsearch is able to connect to both servers with TLS.
On another machine with the same httpd configuration, but still at
fedora 13, httpd is able to connect securely even
without the LDAPTrustedGlobalCert lines.
As a side note, after upgrading to fedora 14, I had to add
to /etc/nss_ldap.conf and /etc/pam_ldap.conf
and also add
in order to get those to work.
Under fedora 13, everything worked without those lines.
I don't know if this is a problem with httpd's mod_authnz_ldap
or its mod_ldap or with openldap, or just a configuration mistake
on my part, but it used to work before the upgrade.
I have searched all over for an answer to this problem
because I can't believe that I am the only one having it,
but I have found nothing.
I welcome any ideas.
users mailing list
To unsubscribe or change subscription options: