Summary: mod_ldap unable to use ssl ldap servers on apache-2.0.54-r31 (follow up on bug #41183)
Product: Gentoo Linux
Reporter: Rémi Cardona <remi>
Component: [OLD] Server
Assignee: Apache Team - Bugzilla Reports <apache-bugs>
Package list: (none)
Runtime testing required: ---
Description Rémi Cardona 2005-09-27 16:40:59 UTC
Basically mod_ldap in apache cannot access ssl ldap servers. Here is an output from my error_log:
[Sun Sep 25 03:10:13 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Sep 25 03:10:13 2005] [notice] LDAP: SSL support unavailable
Everything was built with ldap and ssl support. Bug #41183 was closed about 6 months ago as LATER because things were moving in the overlay. Now that the overlay has become stable, I can see this bug wasn't resolved. (I didn't have time to check the overlay during that time ...) Last year, this was simply an if-else problem that didn't take into account that both ldap and ssl could be enabled, therefore enabling --use-ldap-ssl or something along those lines. I don't know what's wrong with the new ebuild, probably the same issue.
Reproducible: Always
Steps to Reproduce:
Comment 1 Brian Vargas 2005-10-06 12:59:30 UTC
It's working okay for me. Are you missing the LDAPTrustedCA directive? Apache doesn't produce a helpful error message when no CA is set, and instead defaults to simply saying that SSL is unavailable.
Comment 2 Andy Dustman 2006-06-29 17:04:41 UTC
I tried following the instructions here: http://httpd.apache.org/docs/2.0/mod/mod_ldap.html#usingssltls i.e. I converted my CA key to DER, and pointed the configuration to it, but it still wouldn't work:
[Thu Jun 29 19:28:15 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 29 19:28:15 2006] [crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required
base64 doesn't really make sense as an option anyway: you can encode any binary data in base64. I tried doing BASE64_FILE on a base64-encoded DER and that made mod_ldap happy at startup (got SSL support available), but still had errors when actually trying to authenticate:
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
This is using an ldaps:// URL which works with openldap ldapsearch. Most likely this is because the CA key is still in the wrong encoding. Looking at the mod_ldap code, only BASE64_FILE is supported with OpenLDAP. The solution seems to be: BASE64_FILE is really what openssl refers to as X509 with PEM encoding. I pointed my configuration to a .pem file and it seems to work. I think the Apache docs kind of suck on this point. 2.2 looks like it has much-improved ldaps support, including multiple CA support.
Bottom line: With openldap, use LDAPTrustedCAType BASE64_FILE only, and set LDAPTrustedCA to the path to a X509 PEM file (in openssh parlance).
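An added example, not from the bug report or the Apache project, of the Apache 2.0 mod_ldap configuration Comment 2 describes: the DER setting that the OpenLDAP-backed build rejects beside the PEM-based one that works. File paths, the hostname, port and base DN are assumed placeholders.

```apache
# Added example (Apache 2.0.x, mod_ldap + mod_auth_ldap). Paths, host and
# base DN are placeholders, not values from the bug report.

# Rejected at startup when mod_ldap is built against OpenLDAP:
#   LDAPTrustedCAType DER_FILE
#   LDAPTrustedCA     /etc/apache2/ssl/ldap-ca.der
# -> "[crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required"

# Working form: BASE64_FILE means a PEM-encoded X.509 CA certificate.
# Both directives are server-wide and must appear before any ldaps:// URL.
LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA     /etc/apache2/ssl/ldap-ca.pem

<Location /private>
    AuthType Basic
    AuthName "LDAP protected area"
    AuthLDAPEnabled on
    # ldaps:// on 636; the directory server's certificate must chain to the
    # CA in ldap-ca.pem, otherwise the bind fails with "Can't contact LDAP server".
    AuthLDAPURL ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid?sub
    require valid-user
</Location>
```

If only the DER file is at hand, `openssl x509 -inform DER -in ldap-ca.der -out ldap-ca.pem` produces the PEM form; the resulting file should start with `-----BEGIN CERTIFICATE-----`, which is the quick check that LDAPTrustedCA points at the encoding BASE64_FILE expects.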
Comment 3 Doug Goldstein (RETIRED) 2007-03-08 15:23:31 UTC
Apache 2.0.x series is unable to talk to an OpenLDAP server over TLS. Your only choice is Apache 2.2.x or using ldaps:// + Apache 2.0.x
Comment 4 Benedikt Böhm (RETIRED) 2007-05-23 21:20:54 UTC
we can do nothing here, works like a charm with 2.2 for me (with TLS) .. please consider upgrading to 2.2
Comment 5 Rémi Cardona 2007-05-23 21:28:05 UTC
Will do, thanks anyway :)