| Summary | mod_ldap unable to use ssl ldap servers on apache-2.0.54-r31 (follow up on bug #41183) | | |
|---|---|---|---|
| Product | Gentoo Linux | Reporter | Rémi Cardona (RETIRED) <remi> |
| Component | [OLD] Server | Assignee | Apache Team - Bugzilla Reports <apache-bugs> |
| Status | RESOLVED CANTFIX | | |
| Severity | major | CC | farcepest |
| Priority | High | | |
| Version | unspecified | | |
| Hardware | x86 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
Description
Rémi Cardona (RETIRED)
2005-09-27 16:40:59 UTC
It's working okay for me. Are you missing the LDAPTrustedCA directive? Apache doesn't produce a helpful error message when no CA is set, and instead defaults to simply saying that SSL is unavailable.

I tried following the instructions here: http://httpd.apache.org/docs/2.0/mod/mod_ldap.html#usingssltls i.e. I converted my CA key to DER, and pointed the configuration to it, but it still wouldn't work:

    [Thu Jun 29 19:28:15 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
    [Thu Jun 29 19:28:15 2006] [crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required

base64 doesn't really make sense as an option anyway: you can encode any binary data in base64. I tried doing BASE64_FILE on a base64-encoded DER and that made mod_ldap happy at startup (got SSL support available), but still had errors when actually trying to authenticate:

    [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

This is using an ldaps:// URL which works with openldap ldapsearch. Most likely this is because the CA key is still in the wrong encoding. Looking at the mod_ldap code, only BASE64_FILE is supported with OpenLDAP.

The solution seems to be: BASE64_FILE is really what openssl refers to as X509 with PEM encoding. I pointed my configuration to a .pem file and it seems to work. I think the Apache docs kind of suck on this point. 2.2 looks like it has much-improved ldaps support, including multiple CA support.

Bottom line: with openldap, use LDAPTrustedCAType BASE64_FILE only, and set LDAPTrustedCA to the path to an X509 PEM file (in openssh parlance).

Apache 2.0.x series is unable to talk to an OpenLDAP server over TLS. Your only choice is Apache 2.2.x or using ldaps:// + Apache 2.0.x.

We can do nothing here, works like a charm with 2.2 for me (with TLS) .. please consider upgrading to 2.2

Will do, thanks anyway :)
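The thread's conclusion is that an OpenLDAP-linked Apache 2.0 mod_ldap only accepts LDAPTrustedCAType BASE64_FILE, and that this "base64" file is really a PEM-encoded X509 certificate, so pointing it at a DER file (or a base64-wrapped DER blob) fails either at startup or at bind time. The script below is an added example, not code from the bug report or from the Apache project: it checks whether a CA file is PEM or DER before the path goes into the config, and prints the directive pair that the commenter found working. The CA file path and the `openssl x509` conversion hint are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a CA certificate file as
# PEM or DER, and emit the mod_ldap directives that work with an OpenLDAP-
# backed Apache 2.0 (LDAPTrustedCAType BASE64_FILE plus a PEM file).

# ca_encoding FILE -> prints "pem", "der" or "unknown"; non-zero on unknown.
ca_encoding() {
    file="$1"
    [ -r "$file" ] || { echo unknown; return 1; }
    # PEM certificates carry a textual armour header.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null; then
        echo pem
        return 0
    fi
    # A DER certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
    first=$(od -An -N1 -tx1 "$file" | tr -d ' ')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 1
}

# mod_ldap_directives FILE -> prints the two directives for a PEM file, or
# a conversion hint on stderr (and returns 1) when the file is DER/unknown.
mod_ldap_directives() {
    file="$1"
    case "$(ca_encoding "$file")" in
        pem)
            printf 'LDAPTrustedCAType BASE64_FILE\nLDAPTrustedCA %s\n' "$file"
            ;;
        der)
            echo "# $file is DER; mod_ldap with OpenLDAP wants PEM. Convert it:" >&2
            echo "#   openssl x509 -inform DER -in $file -out ${file%.*}.pem" >&2
            return 1
            ;;
        *)
            echo "# $file: not a recognisable PEM or DER certificate" >&2
            return 1
            ;;
    esac
}

# Assumed path for illustration; the bug report does not name one.
[ "${1:-}" ] && mod_ldap_directives "$1"
```

Run it as `sh check_ca.sh /etc/ssl/certs/my-ca.pem` and paste the two printed lines into the httpd.conf where the ldaps:// URL is used; if the file turns out to be DER, the conversion hint is printed instead, which is the mismatch the commenter hit with the "BASE64_FILE type required" and "Can't contact LDAP server" errors.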