Basically, mod_ldap in Apache cannot access SSL LDAP servers.
Here is an output from my error_log
[Sun Sep 25 03:10:13 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Sep 25 03:10:13 2005] [notice] LDAP: SSL support unavailable
Everything was built with ldap and ssl support. Bug #41183 was closed about 6
months ago as LATER because things were moving in the overlay. Now that the
overlay has become stable, I can see this bug wasn't resolved. (I didn't have
time to check the overlay during that time ...)
Last year, this was simply an if-else problem that didn't take into account that
both ldap and ssl could be enabled, therefore enabling --use-ldap-ssl or
something along those lines. I don't know what's wrong with the new ebuild,
probably the same issue.
Steps to Reproduce:
It's working okay for me. Are you missing the LDAPTrustedCA directive? Apache
doesn't produce a helpful error message when no CA is set, and instead defaults
to simply saying that SSL is unavailable.
I tried following the instructions here:
i.e. I converted my CA key to DER, and pointed the configuration to it, but it still wouldn't work:
[Thu Jun 29 19:28:15 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 29 19:28:15 2006] [crit] LDAP: Invalid LDAPTrustedCAType directive - BASE64_FILE type required
base64 doesn't really make sense as an option anyway: you can encode any binary data in base64. I tried doing BASE64_FILE on a base64-encoded DER and that made mod_ldap happy at startup (got SSL support available), but still had errors when actually trying to authenticate:
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
This is using an ldaps:// URL which works with openldap ldapsearch. Most likely this is because the CA key is still in the wrong encoding. Looking at the mod_ldap code, only BASE64_FILE is supported with OpenLDAP.
The solution seems to be: BASE64_FILE is really what openssl refers to as X509 with PEM encoding. I pointed my configuration to a .pem file and it seems to work.
I think the Apache docs kind of suck on this point. 2.2 looks like it has much-improved ldaps support, including multiple CA support.
Bottom line: with OpenLDAP, use LDAPTrustedCAType BASE64_FILE only, and set LDAPTrustedCA to the path to an X509 PEM file (in openssl parlance).
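The conclusion of the comment above (mod_ldap's BASE64_FILE is a PEM X.509 certificate; a DER file, base64-wrapped or not, fails at bind time with "Can't contact LDAP server") as an added example. This is not code from the bug thread or from the Apache project: a small POSIX shell helper that tells a PEM CA file from a DER one, converts DER to PEM with openssl, and prints the Apache 2.0.x mod_ldap directives that the thread found to work. The paths, the ldap.example.com host, the base DN and the <Location> block are placeholders I made up; only LDAPTrustedCA, LDAPTrustedCAType BASE64_FILE and the ldaps:// URL come from the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify a CA certificate file as
# PEM or DER, convert DER to PEM, and emit the mod_ldap directives that the
# thread found to work with OpenLDAP on Apache 2.0.x.
# All file paths and host names below are placeholders, not real config.

# Print "pem", "der" or "unknown" for the certificate file given as $1.
# Returns non-zero when the file is unreadable or not recognised.
ca_format() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        # What mod_ldap calls BASE64_FILE: PEM-armoured X.509
        echo pem
    elif [ "$(od -An -N1 -tx1 "$f" | tr -d ' ')" = "30" ]; then
        # A DER-encoded X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30)
        echo der
    else
        echo unknown
        return 1
    fi
}

# Convert a DER certificate ($1) to the PEM file ($2) mod_ldap can load.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Print the Apache 2.0.x mod_ldap/mod_auth_ldap fragment for the PEM CA at $1.
# With OpenLDAP only BASE64_FILE is accepted, and on 2.0.x only ldaps:// works
# (no StartTLS over ldap://), so the URL scheme is fixed here.
mod_ldap_config() {
    case $(ca_format "$1") in
        pem) ;;
        *) echo "error: $1 is not a PEM certificate; run der_to_pem first" >&2; return 1 ;;
    esac
    cat <<EOF
LDAPTrustedCA $1
LDAPTrustedCAType BASE64_FILE
# Placeholder host and base DN (assumption, not from the thread):
<Location /secure>
    AuthType Basic
    AuthName "LDAP"
    AuthLDAPURL ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid
    require valid-user
</Location>
EOF
}

# Usage: ldap-ca.sh /path/to/ca-file  (converts DER to PEM next to it if needed)
if [ "$#" -gt 0 ]; then
    ca=$1
    if [ "$(ca_format "$ca")" = der ]; then
        der_to_pem "$ca" "${ca%.*}.pem"
        ca=${ca%.*}.pem
    fi
    mod_ldap_config "$ca"
fi
```

The classification only looks at the first byte and the PEM header, which is enough to catch the mistake in the thread (pointing LDAPTrustedCA at a DER or base64-wrapped DER file); verifying the certificate itself is openssl's job. On Apache 2.2 the equivalent directive is LDAPTrustedGlobalCert with the CA_BASE64 type, as the later comments about 2.2 suggest.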
The Apache 2.0.x series is unable to talk to an OpenLDAP server over TLS. Your only choice is Apache 2.2.x, or using ldaps:// + Apache 2.0.x.
We can do nothing here; it works like a charm with 2.2 for me (with TLS). Please consider upgrading to 2.2.
Will do, thanks anyway :)