FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

LinkBack Thread Tools
Old 01-31-2011, 07:02 PM
Ldap Tester
Default httpd cannot connect via TLS to LDAP server after upgrade to fedora 14

After upgrading a machine from fedora 13 to fedora 14 (with all
updates), I was suddenly unable to get its httpd to authenticate
with my LDAP servers.* After connecting my browser to the web server
with https, and typing in my username and password,

I get an Internal Server Error response.
My configuration is:

LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ca-bundle.crt
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.asc
<Directory /var/www/html/ssl>

** AuthType Basic
** AuthName "User Login"
** AuthBasicProvider ldap
** AuthLDAPURL "ldap://serv1.foo.org serv2.foo.org/dc=foo,dc=org" TLS

** AuthzLDAPAuthoritative off
** require valid-user
** SSLOptions +StrictRequire
** SSLRequireSSL

The httpd debugging log shows:
auth_ldap authenticate: user XXXX authentication failed;

URI /ssl/staff/index.shtml
[LDAP: ldap_start_tls_s() failed][Connect error]

Changing AuthLDAPURL to use SSL instead of TLS also fails but with:
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

tcpdump shows that the httpd client connects to the LDAP server,
and is sent:
Start TLSrequest accepted Server willing to negotiate SSL
but no certificate info is exchanged and the client quickly closes
the connection.

Changing AuthLDAPURL to use NONE makes it connect successfully.

serv1 uses a cert purchased from GoDaddy,
and serv2 uses a self signed cert
(which is /etc/openldap/cacerts/cacert.asc).
Both servers are 389-ds.

Both certs mentioned in LDAPTrustedGlobalCert are valid and world
readable.* ldapsearch is able to connect to both servers with TLS.

On another machine with the same httpd configuration, but still at
fedora 13, httpd is able to connect securely even

without the LDAPTrustedGlobalCert lines.

As a side note, after upgrading to fedora 14, I had to add
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
to /etc/nss_ldap.conf and /etc/pam_ldap.conf
and also add

TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
to /etc/openldap/ldap.conf
in order to get those to work.
Under fedora 13, everything worked without those lines.

I don't know if this is a problem with httpd's mod_authnz_ldap

or its mod_ldap or with openldap, or just a configuration mistake
on my part, but it used to work before the upgrade.
I have searched all over for an answer to this problem
because I can't believe that I am the only one having it,

but I have found nothing.
I welcome any ideas.

users mailing list
To unsubscribe or change subscription options:
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Thread Tools

All times are GMT. The time now is 11:31 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org