Bug 107460 - mod_ldap unable to use ssl ldap servers on apache-2.0.54-r31 (follow up on bug #41183)
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: x86 Linux
Importance: High major
Assignee: Apache Team - Bugzilla Reports
Reported: 2005-09-27 16:40 UTC by Rémi Cardona (RETIRED)
Modified: 2007-05-23 21:28 UTC (History)

Description Rémi Cardona (RETIRED) gentoo-dev 2005-09-27 16:40:59 UTC
Basically mod_ldap in apache cannot access ssl ldap servers

Here is an output from my error_log

[Sun Sep 25 03:10:13 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Sep 25 03:10:13 2005] [notice] LDAP: SSL support unavailable

Everything was built with ldap and ssl support. Bug #41183 was closed about 6
months ago as LATER because things were moving in the overlay. Now that the
overlay has become stable, I can see this bug wasn't resolved. (I didn't have
time to check the overlay during that time ...)

Last year, this was simply an if-else problem that didn't take into account that
both ldap and ssl could be enabled, therefore enabling --use-ldap-ssl or
something along those lines. I don't know what's wrong with the new ebuild,
probably the same issue.



Reproducible: Always
Steps to Reproduce:
Comment 1 Brian Vargas 2005-10-06 12:59:30 UTC
It's working okay for me.  Are you missing the LDAPTrustedCA directive?  Apache
doesn't produce a helpful error message when no CA is set, and instead defaults
to simply saying that SSL is unavailable.
Comment 2 Andy Dustman 2006-06-29 17:04:41 UTC
I tried following the instructions here:

http://httpd.apache.org/docs/2.0/mod/mod_ldap.html#usingssltls

i.e. I converted my CA key to DER, and pointed the configuration to it, but it still wouldn't work:

[Thu Jun 29 19:28:15 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 29 19:28:15 2006] [crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required

base64 doesn't really make sense as an option anyway: You can encode any binary data in base64. I tried doing BASE64_FILE on a base64-encoded DER and that made mod_ldap happy at startup (got SSL support available), but still had errors when actually trying to authenticate:

[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

This is using an ldaps:// URL which works with openldap ldapsearch. Most likely this is because the CA key is still in the wrong encoding. Looking at the mod_ldap code, only BASE64_FILE is supported with OpenLDAP.

The solution seems to be: BASE64_FILE is really what openssl refers to as X509 with PEM encoding. I pointed my configuration to a .pem file and it seems to work.

I think the Apache docs kind of suck on this point. 2.2 looks like it has much-improved ldaps support, including multiple CA support.

Bottom line: With openldap, use LDAPTrustedCAType BASE64_FILE only, and set LDAPTrustedCA to the path to an X509 PEM file (in openssh parlance).
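The encoding mix-up described in Comment 2 (a DER CA handed to a directive that only accepts PEM with the OpenLDAP SDK) can be checked before httpd is started. The following helper is an added example, not part of this bug thread or of Apache; it assumes `openssl` is installed for the DER-to-PEM conversion and uses constructed sample files in the test.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify a CA certificate file as
# PEM or DER and emit the mod_ldap directives that the OpenLDAP SDK build of
# Apache 2.0 accepts (LDAPTrustedCAType BASE64_FILE + a PEM-encoded X509 CA).

# Print "pem", "der" or "unknown" for the certificate file given as $1.
ldap_ca_format() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
        echo der
    else
        echo unknown
    fi
}

# Convert a DER CA file ($1) to PEM ($2) with openssl (assumed to be
# installed); returns openssl's exit status.
ldap_ca_der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Emit the httpd.conf fragment for a PEM CA file at path $1. Only BASE64_FILE
# is accepted with OpenLDAP, so the type is fixed here.
mod_ldap_ca_config() {
    printf 'LDAPTrustedCA %s\nLDAPTrustedCAType BASE64_FILE\n' "$1"
}

# Check a CA file and print the config to use; converts DER to PEM first.
# Usage: mod_ldap_ca_prepare /path/to/ca
mod_ldap_ca_prepare() {
    case "$(ldap_ca_format "$1")" in
        pem) mod_ldap_ca_config "$1" ;;
        der) ldap_ca_der_to_pem "$1" "$1.pem" && mod_ldap_ca_config "$1.pem" ;;
        *)   echo "not a recognised X509 certificate file: $1" >&2; return 1 ;;
    esac
}
```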
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2007-03-08 15:23:31 UTC
Apache 2.0.x series is unable to talk to an OpenLDAP server over TLS. Your only choice is Apache 2.2.x or using ldaps:// + Apache 2.0.x
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2007-05-23 21:20:54 UTC
we can do nothing here, works like a charm with 2.2 for me (with TLS) .. please consider upgrading to 2.2
Comment 5 Rémi Cardona (RETIRED) gentoo-dev 2007-05-23 21:28:05 UTC
Will do, thanks anyway :)