Posted to users@httpd.apache.org by Steve Finkelstein <sf...@stevefink.net> on 2007/05/24 06:23:00 UTC
[users@httpd] Apache 2.0.52 - mod_auth_ldap (ldap_simple_bind_s() failed)
Hi all,

I'm running Apache 2.0.52 with mod_auth_ldap on a CentOS 4.5 box. PAM is
properly configured to authenticate against LDAP and I can successfully
query the LDAP server.

Now when I'm trying to authenticate against LDAP with mod_auth_ldap I
receive the following in my error_log:

[Wed May 23 23:47:26 2007] [debug] mod_auth_ldap.c(308): [client 10.8.20.2] [21819] auth_ldap authenticate: using URL ldaps://bar.foo.com/ou=staff,dc=foo,dc=com?uid
[Wed May 23 23:47:26 2007] [warn] [client 10.8.20.2] [21819] auth_ldap authenticate: user sf authentication failed; URI /proto/trunk [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Here's the relevant excerpt in my configs. First, since my LDAP server
is using SSL, I have the following mod_ldap directives in httpd.conf:

LDAPTrustedCA /etc/httpd/conf/ssl.crt/ca.pem
LDAPTrustedCAType BASE64_FILE

.. and just to verify the CA file:

-r--r--r-- 1 nobody root 1354 Apr 16 17:50 /etc/httpd/conf/ssl.crt/ca.pem

My virtualhost.conf has the following excerpt:

<VirtualHost *:80>
    ServerName svn.foo.com
    LogLevel debug
    <Location />
        DAV svn
        SVNParentPath /opt/svn/
        AuthLDAPEnabled on
        AuthType Basic
        AuthName "Authorized Users ONLY!"
        AuthLDAPAuthoritative on
        AuthLDAPURL "ldaps://bar.foo.com/ou=staff,dc=foo,dc=com?uid"
        require valid-user
        Order mutual-failure
        Allow from 10.8.12.14/32
        Satisfy any
    </Location>
    CustomLog logs/svn-access_log common
</VirtualHost>

Thank you kindly for any insight anyone might be able to offer me.

- sf
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache 2.0.52 - mod_auth_ldap (ldap_simple_bind_s() failed)
Posted by Steve Finkelstein <sf...@stevefink.net>.
Please disregard this. yum update decided to pull one of these on me:

drwx------ 2 root root 4096 May 19 16:27 ssl.crt

After enough grepping through strace logs on apache children procs, I was
able to determine that a stupid permissions issue was the root of my
problems.

Cheers,

- sf
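The failure in this thread came from a parent directory (`ssl.crt`, mode 700, owned by root) rather than from the world-readable `ca.pem` itself, so a check on the file alone looks clean. The script below is an added example, not part of the original posts: it walks each component of the LDAPTrustedCA path and reports the first one the httpd worker account cannot traverse or read. The account name `apache` in the usage line and the optional `BASE` argument are assumptions, and only classic mode bits are evaluated (no ACLs, no SELinux).

```shell
#!/bin/sh
# Added example (not from the thread). Mode bits only: no ACLs, no SELinux.
# Needs a stat that supports -c and -L (GNU coreutils or busybox).
# Usage (account name is an assumption):
#   first_blocked /etc/httpd/conf/ssl.crt/ca.pem apache

# perm_triplet PATH USER: print the rwx triplet (owner, group or other)
# that applies to USER on PATH.
perm_triplet() {
    info=$(stat -L -c '%U %G %A' "$1") || return 2
    owner=${info%% *}; rest=${info#* }
    group=${rest%% *}; mode=${rest#* }
    if [ "$2" = "$owner" ]; then
        cols=2-4
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
        cols=5-7
    else
        cols=8-10
    fi
    printf '%s\n' "$mode" | cut -c"$cols"
}

# first_blocked FILE USER [BASE]: print the first component of FILE that
# USER cannot traverse (directory without x) or read (final file without r).
# Returns 0 and prints nothing when the whole path is usable.
# BASE is an optional prefix assumed reachable; the walk starts below it.
first_blocked() {
    target=$1; user=$2; cur=${3:-}
    rel=${target#"$cur"}
    old_ifs=$IFS; IFS=/; set -f
    set -- $rel                     # split the path on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        # A component that cannot be stat'ed is reported as blocking too.
        t=$(perm_triplet "$cur" "$user") || { echo "$cur"; return 1; }
        if [ -d "$cur" ]; then
            case $t in ??[xst]) ;; *) echo "$cur"; return 1 ;; esac
        else
            case $t in r??) ;; *) echo "$cur"; return 1 ;; esac
        fi
    done
    return 0
}
```

Run it after package updates that touch the configuration tree; a non-empty result names the directory or file whose mode needs correcting.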