Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/11/07 00:43:16 UTC

[Bug 42001] LINUX : Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD][Can't contact LDA

https://bz.apache.org/bugzilla/show_bug.cgi?id=42001

Hans Christian Holm <aq...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |MOVED
                 CC|                            |aqqalukholm@gmail.com
             Status|NEW                         |RESOLVED

--- Comment #6 from Hans Christian Holm <aq...@gmail.com> ---
(In reply to Venkat S from comment #0)
> I am using the built-in apr-util with LDAP support and the built-in linked lib
> for LDAP. I get this error when I use ldaps://; however, ldap:// is fine.
> Please help us: how can I resolve this issue?
> 
> ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD]
> [Can't contact LDAP server]
> 
> I used the following binaries to configure http for LDAP with SSL enabled:
> 
> (a) apr-1.2.8.tar
> (b) apr-util-1.2.8.tar
> (c) openldap-2.3.34.tar
> (d) openssl-0.9.8e.tar
> (e) openldap-2.3.34.tar
> (f) httpd-2.2.4.tar

(In reply to Daniel A. from comment #1)
> I can confirm this bug, using FreeBSD, openldap24, and otherwise similar
> circumstances.

(In reply to Eric Covener from comment #2)
> Can you confirm which SSL toolkit your ldap binaries are linked with, via e.g.
> ldd?

(In reply to Daniel A. from comment #3)
> (In reply to comment #2)
> > Can you confirm which SSL toolkit your ldap binaries are linked with, via e.g.
> > ldd?
> 
> As the original submitter also said, everything here works perfectly as long
> as I remove the "s" from "ldaps://". 
> There is no timeout, the failures are immediate.
> SSL HTTP connections initiated TO the web server are fine too. 
> 
> I'm gonna try and see if it'll work with a newer openssl from ports, but
> here's what I've been using so far:
> 
> openldap-client-2.4.21 Open s
> It's linked to the local libs, 
> /usr/local/libexec/apache22/mod_ldap.so:
> 	libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x800b0c000)
> 	libssl.so.5 => /usr/lib/libssl.so.5 (0x800c4a000)
> 	libcrypto.so.5 => /lib/libcrypto.so.5 (0x800d94000)
> 	liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x801026000)
> 	libc.so.7 => /lib/libc.so.7 (0x800633000)
> 
> 7.0-RELEASE-p3 FreeBSD...
> # httpd -v 
> Server version: Apache/2.2.14 (FreeBSD)
> Server built:   Feb  1 2010 15:06:58
> # pkg_info|grep ldap
> openldap-client-2.4.21 Open source LDAP client implementation
> # openssl version
> OpenSSL 0.9.8e 23 Feb 2007
> 
> 
> relevant snips from httpd.conf:
> #Load LDAP certificate
> LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/apache22/ldap_cert/<AD
> Hostname>.CA.pem
> 
> AuthName "Nagios Access"
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative on
> 
> AuthLDAPURL "ldap://<hostname>:3268
> <hostname>:3268/?sAMAccountName?sub?(objectClass=*)"
> #AuthLDAPURL "ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*)"
> #AuthLDAPURL "ldaps://<hostname>:3269/?sAMAccountName?sub?(objectClass=*)"
> 
> AuthLDAPBindDN "CN=<cn>,OU=<ou>,OU=<ou>,OU=<ou>,DC=<dc>,DC=<dc>"
> AuthLDAPBindPassword <pass>
> Require valid-user
> 
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [debug] mod_authnz_ldap.c(377): [client
> 192.168.64.101] [64980] auth_ldap authenticate: using URL
> ldaps://<hostname>/?sAMAccountName?sub?(objectClass=*), referer:
> https://nix01/side.html
> [Thu Feb 04 10:31:05 2010] [warn] [client 192.168.89.101] [64980] auth_ldap
> authenticate: user dak authentication failed; URI /nagios/cgi-bin/status.cgi
> [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], referer:
> https://nix01/side.html

(In reply to Daniel A. from comment #4)
> OK, now I've tried with OpenSSL 0.9.8e and it's still broken, exactly the
> same way as before.

(In reply to Daniel A. from comment #5)
> Oops, sorry, I meant to say OpenSSL 0.9.8l

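
Added example (not part of the bug report and not httpd or apr-util code): one way to answer the "which SSL toolkit are your ldap binaries linked with" question from comment #2 mechanically. The helper names tls_backend, resolved_path and same_dir are hypothetical; the sample input is the ldd output quoted in comment #3.

```shell
#!/bin/sh
# Added example. Both helpers read `ldd` output on stdin, e.g.:
#   ldd /usr/local/libexec/apache22/mod_ldap.so | tls_backend

# tls_backend: print openssl, gnutls, nss, mixed or none (hypothetical helper).
tls_backend() {
    awk '
        $1 ~ /^libssl3\.so/ || $1 ~ /^libnss3\.so/ { nss = 1; next }
        $1 ~ /^libssl\.so/                          { openssl = 1; next }
        $1 ~ /^libgnutls\.so/                       { gnutls = 1; next }
        END {
            n = openssl + gnutls + nss
            if (n == 0)       print "none"
            else if (n > 1)   print "mixed"
            else if (openssl) print "openssl"
            else if (gnutls)  print "gnutls"
            else              print "nss"
        }'
}

# resolved_path PREFIX: path the loader picked for the first library whose
# name starts with PREFIX (for example libssl or libldap).
resolved_path() {
    awk -v p="$1" 'index($1, p) == 1 && $2 == "=>" { print $3; exit }'
}

# same_dir A B: succeeds when both files were resolved from one directory.
same_dir() { [ "$(dirname "$1")" = "$(dirname "$2")" ]; }

# Sample input: the ldd output quoted in comment #3 of this thread.
sample_ldd() {
    cat <<'EOF'
/usr/local/libexec/apache22/mod_ldap.so:
    libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x800b0c000)
    libssl.so.5 => /usr/lib/libssl.so.5 (0x800c4a000)
    libcrypto.so.5 => /lib/libcrypto.so.5 (0x800d94000)
    liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x801026000)
    libc.so.7 => /lib/libc.so.7 (0x800633000)
EOF
}

ssl=$(sample_ldd | resolved_path libssl)
ldap=$(sample_ldd | resolved_path libldap)
echo "TLS toolkit: $(sample_ldd | tls_backend)"
echo "libssl:  $ssl"
echo "libldap: $ldap"
# Different directories mean the TLS library and the LDAP client library come
# from different installs, so upgrading one does not change the other.
same_dir "$ssl" "$ldap" || echo "note: libssl and libldap resolve from different directories"
```

ldd lists transitive dependencies as well, so run the same check against libldap itself to see what the LDAP client library was built with.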