Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 107460

Summary: mod_ldap unable to use ssl ldap servers on apache-2.0.54-r31 (follow up on bug #41183)
Product: Gentoo Linux Reporter: Rémi Cardona <remi>
Component: [OLD] ServerAssignee: Apache Team - Bugzilla Reports <apache-bugs>
Severity: major CC: farcepest
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Package list:
Runtime testing required: ---

Description Rémi Cardona gentoo-dev 2005-09-27 16:40:59 UTC
Basicaly mod_ldap in apache cannot access ssl ldap servers

Here is an output from my error_log

[Sun Sep 25 03:10:13 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Sep 25 03:10:13 2005] [notice] LDAP: SSL support unavailable

Everything was built with ldap and ssl support. Bug #41183 was closed about 6
months ago as LATER because things were moving in the overlay. Now that the
overlay has become stable, I can see this bug wasn't resolved. (I didn't have
time to check the overlay during that time ...)

Last year, this was simply an if-else problem that didn't take into account that
both ldap and ssl could be enabled, therefor enabling --use-ldap-ssl or
something along those lines. I don't know what's wrong with the new ebuild,
probably the same issue.

Reproducible: Always
Steps to Reproduce:
Comment 1 Brian Vargas 2005-10-06 12:59:30 UTC
It's working okay for me.  Are you missing the LDAPTrustedCA directive?  Apache
doesn't produce a helpful error message when no CA is set, and instead defaults
to simply saying that SSL is unavailable.
Comment 2 Andy Dustman 2006-06-29 17:04:41 UTC
I tried following the instructions here:

i.e. I converted my CA key to DER, and pointed the configuration to it, but it still wouldn't work:

[Thu Jun 29 19:28:15 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 29 19:28:15 2006] [crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required

base64 doesn't really make sense as an option anyway: You can encode any binary data in base64. I tried doing BASE64_FILE on a base64-encode DER and that made mod_ldap happy at startup (got SSL support available), but still had errors when actually tring to authenticate:

[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

This is using an ldaps:// URL which works with openldap ldapsearch. Most likely this is because the CA key is still in the wrong encoding. Looking at the mod_ldap code, only BASE64_FILE is supported with OpenLDAP.

The solution seems to be: BASE64_FILE is really what openssl refers to as X509 with PEM encoding. I pointed my configuration to a .pem file and it seems to work.

I think the Apache docs kind of suck on this point. 2.2 looks like it has much-improved ldaps support, including multiple CA support.

Bottom line: With openldap, use LDAPTrustedCAType BASE64_FILE only, and set LDAPTrustedCA to the path to a X509 PEM file (in openssh parlance).
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2007-03-08 15:23:31 UTC
Apache 2.0.x series is unable to talk to an OpenLDAP server over TLS. You're only choice is Apache 2.2.x or using ldaps:// + Apache 2.0.x
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2007-05-23 21:20:54 UTC
we can do nothing here, works like a charm with 2.2 for me (with TLS) .. please consider upgrading to 2.2
Comment 5 Rémi Cardona gentoo-dev 2007-05-23 21:28:05 UTC
Will do, thanks anyway :)