You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Steve Finkelstein <sf...@stevefink.net> on 2007/05/24 06:23:00 UTC

[users@httpd] Apache 2.0.52 - mod_auth_ldap (ldap_simple_bind_s() failed)

Hi all,

I'm running Apache 2.0.52 with mod_auth_ldap on a CentOS 4.5 box. PAM is
properly configured to authenticate against LDAP and I can successfully
query the LDAP server.

Now when I'm trying to authenticate against LDAP with mod_auth_ldap I
receive the following in my error_log:

[Wed May 23 23:47:26 2007] [debug] mod_auth_ldap.c(308): [client
10.8.20.2] [21819] auth_ldap authenticate: using URL
ldaps://bar.foo.com/ou=staff,dc=foo,dc=com?uid
[Wed May 23 23:47:26 2007] [warn] [client 10.8.20.2] [21819] auth_ldap
authenticate: user sf authentication failed; URI /proto/trunk [LDAP:
ldap_simple_bind_s() failed][Can't contact LDAP server]

Here's the relevant excerpt in my configs. First, since my LDAP server
is using SSL, I have the following mod_ldap directives in httpd.conf:

LDAPTrustedCA /etc/httpd/conf/ssl.crt/ca.pem
LDAPTrustedCAType BASE64_FILE

.. and just to verify the ca file:

-r--r--r--  1 nobody root 1354 Apr 16 17:50 /etc/httpd/conf/ssl.crt/ca.pem

my virtualhost.conf has the following excerpt:

<VirtualHost *:80>
   ServerName svn.foo.com
   LogLevel debug
   <Location />
    DAV svn
    SVNParentPath /opt/svn/
    AuthLDAPEnabled on
    AuthType Basic
    AuthName "Authorized Users ONLY!"
    AuthLDAPAuthoritative on
    AuthLDAPURL "ldaps://bar.foo.com/ou=staff,dc=foo,dc=com?uid"
    require valid-user
    Order mutual-failure
    Allow from 10.8.12.14/32
    Satisfy any
   </Location>
CustomLog logs/svn-access_log common
</VirtualHost>

Thank you kindly for any insight anyone might be able to offer me.

- sf

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache 2.0.52 - mod_auth_ldap (ldap_simple_bind_s() failed)

Posted by Steve Finkelstein <sf...@stevefink.net>.

Please disregard this. yum update decided to pull one of these on me:

drwx------  2 root root 4096 May 19 16:27 ssl.crt

after enough greping through strace logs on apache children procs, I was
able to determine that a stupid permissions issue was the root of my
problems.

Cheers,

- sf

Steve Finkelstein wrote:
> Hi all,
> 
> I'm running Apache 2.0.52 with mod_auth_ldap on a CentOS 4.5 box. PAM is
> properly configured to authenticate against LDAP and I can successfully
> query the LDAP server.
> 
> Now when I'm trying to authenticate against LDAP with mod_auth_ldap I
> receive the following in my error_log:
> 
> [Wed May 23 23:47:26 2007] [debug] mod_auth_ldap.c(308): [client
> 10.8.20.2] [21819] auth_ldap authenticate: using URL
> ldaps://bar.foo.com/ou=staff,dc=foo,dc=com?uid
> [Wed May 23 23:47:26 2007] [warn] [client 10.8.20.2] [21819] auth_ldap
> authenticate: user sf authentication failed; URI /proto/trunk [LDAP:
> ldap_simple_bind_s() failed][Can't contact LDAP server]
> 
> Here's the relevant excerpt in my configs. First, since my LDAP server
> is using SSL, I have the following mod_ldap directives in httpd.conf:
> 
> LDAPTrustedCA /etc/httpd/conf/ssl.crt/ca.pem
> LDAPTrustedCAType BASE64_FILE
> 
> .. and just to verify the ca file:
> 
> -r--r--r--  1 nobody root 1354 Apr 16 17:50 /etc/httpd/conf/ssl.crt/ca.pem
> 
> my virtualhost.conf has the following excerpt:
> 
> <VirtualHost *:80>
>    ServerName svn.foo.com
>    LogLevel debug
>    <Location />
>     DAV svn
>     SVNParentPath /opt/svn/
>     AuthLDAPEnabled on
>     AuthType Basic
>     AuthName "Authorized Users ONLY!"
>     AuthLDAPAuthoritative on
>     AuthLDAPURL "ldaps://bar.foo.com/ou=staff,dc=foo,dc=com?uid"
>     require valid-user
>     Order mutual-failure
>     Allow from 10.8.12.14/32
>     Satisfy any
>    </Location>
> CustomLog logs/svn-access_log common
> </VirtualHost>
> 
> Thank you kindly for any insight anyone might be able to offer me.
> 
> - sf
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> !DSPAM:1020,4655136625191342210631!
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org