Posted to users@httpd.apache.org by Ken Bell <kb...@houston.sl.slb.com> on 2003/10/09 15:18:13 UTC

[users@httpd] Re: Problems with mod_auth_ldap and tls/ldaps

Hi Dennis

Thanks for replying

I'm very familiar with the certificate CA issue, and have a CA certificate
installed. The location is specified with the LDAPTrustedCA and
LDAPTrustedCAType directives in mod_ldap.

I've built with OpenSSL, so should need a BASE64_FILE instead of the
CERT7_DB_PATH needed by the NetScape SDK. By turning up the logging, I find
that I'm going to my LDAP server with ldaps, but the ldap server and the
Apache never strike up a complete conversation. Since the traffic is
encrypted, I can't tell what is going on, but the streams are too short to
exchange certs.

What happened to the AuthLDAPStartTLS directive that I find in some older
Apache 2.0 documentation? This used to be how to use TLS with Rudedog's
module in Apache 1.3. This was much more efficient, because it did not do
cert checking. It was originally in the mod_ldap for Apache 2.0. Has this
been abandoned?

Ken


Date: Thu, 09 Oct 2003 08:35:10 +0200
To: users@httpd.apache.org
From: Dennis Lundberg <de...@mdh.se>
Subject: Re: [users@httpd] Problems with mod_auth_ldap and tls/ldaps
Message-ID: <3F...@mdh.se>

Hi there

It is possible to do this. We have done this in a test environment on
Solaris a while back. Now we are in the process of putting it into
production use. However we have run into trouble on the compile part.
See my post from 2003-10-03 19:28.

When we succeeded we used Netscape SDK 4.1. If I recall correctly you
needed to create a certificate-file of sorts. You can do this by
connecting to your LDAPS server with Netscape Navigator 4.x, on any
client. Use a URL of ldaps://yourserver.com/ Then you copy the cert7.db
file from that client to the server. I can't remember offhand exactly
where to put it.

I'll get back when we have our server up and running.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Problems with mod_auth_ldap and tls/ldaps

Posted by Dennis Lundberg <de...@mdh.se>.
Hi Ken

I am assuming you mean OpenLDAP and not OpenSSL in your reply below.

If I recall correctly you can only use TLS when you build mod_auth_ldap
with OpenLDAP, not SSL. When using TLS I don't think that it is possible
to use ldaps: URLs, but you can try to use ldap://yourserver.com:636/
instead. The issue of TLS also applies to your LDAP server. Does it
support TLS? We use Novell and it doesn't support TLS.

Ken Bell wrote:
> Hi Dennis
> 
> Thanks for replying
> 
> I'm very familiar with the certificate CA issue, and have a CA certificate
> installed. The location is specified with the LDAPTrustedCA and
> LDAPTrustedCAType directives in mod_ldap.
> 
> I've built with OpenSSL, so should need a BASE64_FILE instead of the
> CERT7_DB_PATH needed by the NetScape SDK. By turning up the logging, I find
> that I'm going to my LDAP server with ldaps, but the ldap server and the
> Apache never strike up a complete conversation. Since the traffic is
> encrypted, I can't tell what is going on, but the streams are too short to
> exchange certs.
> 
> What happened to the AuthLDAPStartTLS directive that I find in some older
> Apache 2.0 documentation? This used to be how to use TLS with Rudedog's
> module in Apache 1.3. This was much more efficient, because it did not do
> cert checking. It was originally in the mod_ldap for Apache 2.0. Has this
> been abandoned?
> 
> Ken
> 
> 
> Date: Thu, 09 Oct 2003 08:35:10 +0200
> To: users@httpd.apache.org
> From: Dennis Lundberg <de...@mdh.se>
> Subject: Re: [users@httpd] Problems with mod_auth_ldap and tls/ldaps
> Message-ID: <3F...@mdh.se>
> 
> Hi there
> 
> It is possible to do this. We have done this in a test environment on
> Solaris a while back. Now we are in the process of putting it into
> production use. However we have run into trouble on the compile part.
> See my post from 2003-10-03 19:28.
> 
> When we succeeded we used Netscape SDK 4.1. If I recall correctly you
> needed to create a certificate-file of sorts. You can do this by
> connecting to your LDAPS server with Netscape Navigator 4.x, on any
> client. Use a URL of ldaps://yourserver.com/ Then you copy the cert7.db
> file from that client to the server. I can't remember offhand exactly
> where to put it.
> 
> I'll get back when we have our server up and running.
> 
> 
> 

-- 
Dennis Lundberg, Development Manager, IT Department
e-mail: dennis.lundberg@mdh.se
http://www.mdh.se/personal/VisaPerson?fornamn=Dennis&efternamn=Lundberg
tel: +46-(0)21-101516, fax: +46-(0)21-101636
Mälardalens högskola, Box 883, SE-72123 Västerås, SWEDEN


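Added example, not part of the thread and not code from Apache or either poster: a POSIX shell helper for the check Ken says he cannot do from the encrypted stream. It runs openssl s_client against the LDAPS port (and, for the alternative Dennis suggests, StartTLS on the plain LDAP port) with the same CA file that LDAPTrustedCA points at, and reports whether the server's certificate chain verifies against that CA. The host name, ports and CA path are placeholders; the `-starttls ldap` profile needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: probe an LDAP server's TLS setup with the CA file that
# httpd's LDAPTrustedCA / LDAPTrustedCAType BASE64_FILE directives use.
# Host names, ports and file paths below are placeholders.

# Inspect openssl s_client output. Prints a one-line verdict and returns
# 0 when the server chain verified against the CA file, 1 otherwise.
verify_from_output() {
    out="$1"
    # OpenSSL prints "Verify return code: 0 (ok)" when the chain validates.
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "ok: server chain verified"
        return 0
    fi
    # Any other verify code names the trust problem; no code at all means the
    # connection closed before a TLS handshake completed.
    reason=$(printf '%s\n' "$out" | grep 'Verify return code:' | head -n 1)
    echo "fail: ${reason:-no TLS handshake completed}"
    return 1
}

# LDAPS (TLS from the first byte) on port 636, as with an ldaps:// URL.
# Usage: check_ldaps ldap.example.com 636 /etc/httpd/conf/ca.pem
check_ldaps() {
    host="$1"; port="${2:-636}"; cafile="$3"
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1)
    verify_from_output "$out"
}

# StartTLS on the plain LDAP port 389 (plain connection upgraded to TLS).
# Requires OpenSSL >= 1.1.1 for the "ldap" STARTTLS profile.
# Usage: check_starttls ldap.example.com 389 /etc/httpd/conf/ca.pem
check_starttls() {
    host="$1"; port="${2:-389}"; cafile="$3"
    out=$(openssl s_client -connect "$host:$port" -starttls ldap -CAfile "$cafile" </dev/null 2>&1)
    verify_from_output "$out"
}
```

A verify code other than 0 with the same CA file httpd is configured with points at a trust mismatch (wrong CA, incomplete chain, or a server name that does not match the certificate) rather than at mod_ldap itself; "no TLS handshake completed" on port 636 usually means the port is serving plain LDAP, which is the case Dennis's ldap://host:636/ suggestion is meant to test.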