Posted to users@httpd.apache.org by Brent Kearney <br...@birs.pims.math.ca> on 2003/12/16 19:53:28 UTC

[users@httpd] auth_ldap and StartTLS

Hello,

I'm running Apache 2.0.48, compiled with:

--enable-ldap --enable-auth-ldap --enable-ssl --with-ssl=/opt/ssl --with-apr=/opt --with-apr-util=/opt

(plus other options). HTTPS works fine, however I can't seem to bind
to my directory server, OpenLDAP 2.1.23, using StartTLS.  During the 
"./configure" stage of the apr-util build, I noticed that it found
my ldap files, and also found that it supports StartTLS.

There is mention in the Apache2 documentation about TLS, but it is
a little vague; there is no mention of how to specify the TLS_CERT
or KEY file, for example.  There is only the LDAPTrustedCA setting,
which I set to my RSA CA certificate that was used for all of my 
self-signed RSA certificates and keys.  With all other LDAP clients 
that connect using StartTLS, the CERT and KEY files need to be 
specified.  I am not using ldaps, only StartTLS.

I tried putting an .ldaprc file in apache2's home directory (required
for PHP's LDAP functions), but this didn't help auth_ldap.  Attempts
to bind to the server produce this error in slapd log:

Dec 16 10:43:31 myhost slapd[22311]: [ID 347666 local4.debug] conn=0 op=0 BIND dn="cn=LDAPhttp,ou=System,o=MYORG" method=128
Dec 16 10:43:31 myhost slapd[22311]: [ID 217296 local4.debug] conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required

And this error in the apache error log:

[Tue Dec 16 10:43:38 2003] [warn] [client 198.161.29.182] [22256] auth_ldap authenticate: user brentk authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Confidentiality required]

Is TLS support still forthcoming in this module (I know it's 
an experimental module), or is there some information that I'm 
missing?

Many thanks,

Brent
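The two slapd lines quoted in the post already answer the key question: the bind on conn=0 op=0 arrived with no STARTTLS extended operation before it, so slapd (configured to require TLS strength for binds) rejected it with LDAP result 13, confidentialityRequired. The following script is an added example, not part of the original message or of mod_auth_ldap, and shows how to check that from a slapd log at scale: it pairs each BIND with its RESULT by conn/op, notes whether a successful STARTTLS (the standard extended-operation OID 1.3.6.1.4.1.1466.20037) preceded the bind on that connection, and lists binds that were refused with err=13 because the client never started TLS. The conn=0 lines are the ones from the post; the conn=1 lines, a successful STARTTLS followed by a bind, are constructed here for contrast and modelled on OpenLDAP's stats logging.

```python
import re

# Constructed sample slapd log. conn=0 is copied from the post above
# (plain bind, no STARTTLS first). conn=1 is a constructed contrast case:
# STARTTLS extended op, then a bind on the now-encrypted connection.
SAMPLE_SLAPD_LOG = """\
Dec 16 10:43:31 myhost slapd[22311]: [ID 347666 local4.debug] conn=0 op=0 BIND dn="cn=LDAPhttp,ou=System,o=MYORG" method=128
Dec 16 10:43:31 myhost slapd[22311]: [ID 217296 local4.debug] conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required
Dec 16 10:45:02 myhost slapd[22311]: [ID 347666 local4.debug] conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dec 16 10:45:02 myhost slapd[22311]: [ID 347666 local4.debug] conn=1 op=0 STARTTLS
Dec 16 10:45:02 myhost slapd[22311]: [ID 217296 local4.debug] conn=1 op=0 RESULT oid= err=0 text=
Dec 16 10:45:02 myhost slapd[22311]: [ID 347666 local4.debug] conn=1 op=1 BIND dn="cn=LDAPhttp,ou=System,o=MYORG" method=128
Dec 16 10:45:02 myhost slapd[22311]: [ID 217296 local4.debug] conn=1 op=1 RESULT tag=97 err=0 text=
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 2830 StartTLS extended operation
LDAP_CONFIDENTIALITY_REQUIRED = 13         # LDAP result code confidentialityRequired

LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"^RESULT .*?err=(?P<err>\d+)(?: text=(?P<text>.*))?$")


def analyse_bind_log(log_text):
    """Return one record per BIND: the DN, whether a successful STARTTLS
    preceded it on the same connection, and the result slapd returned."""
    tls_conns = set()   # connections on which STARTTLS completed with err=0
    pending = {}        # (conn, op) -> bind record waiting for its RESULT line
    pending_ext = set()  # (conn, op) of STARTTLS extended ops waiting for RESULT
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        key = (conn, op)
        if rest.startswith("EXT oid=" + STARTTLS_OID):
            pending_ext.add(key)
            continue
        b = BIND_RE.match(rest)
        if b:
            pending[key] = {"conn": conn, "op": op, "dn": b.group("dn"),
                            "tls_before_bind": conn in tls_conns,
                            "err": None, "text": None}
            continue
        r = RESULT_RE.match(rest)
        if r:
            err = int(r.group("err"))
            if key in pending_ext:
                pending_ext.discard(key)
                if err == 0:
                    tls_conns.add(conn)
            elif key in pending:
                rec = pending.pop(key)
                rec["err"] = err
                rec["text"] = (r.group("text") or "").strip()
                records.append(rec)
    return records


def binds_rejected_for_missing_tls(records):
    """Binds slapd refused with confidentialityRequired on a connection
    that never completed STARTTLS: the client is not negotiating TLS at all."""
    return [r for r in records
            if r["err"] == LDAP_CONFIDENTIALITY_REQUIRED and not r["tls_before_bind"]]


if __name__ == "__main__":
    recs = analyse_bind_log(SAMPLE_SLAPD_LOG)
    for r in recs:
        state = "after STARTTLS" if r["tls_before_bind"] else "WITHOUT STARTTLS"
        print(f"conn={r['conn']} op={r['op']} bind as {r['dn']} {state}: err={r['err']} {r['text']}")
    bad = binds_rejected_for_missing_tls(recs)
    print(f"{len(bad)} bind(s) rejected because the client never started TLS")
```

Run it against a real slapd log (loglevel stats, i.e. 256, produces the conn/op lines) and the distinction is immediate: a client that sends EXT oid=1.3.6.1.4.1.1466.20037 and gets err=0 before its BIND has negotiated StartTLS, whereas a bind on a connection with no such extended operation at all, as in the post, means the client side never asked for TLS, which is a client configuration problem rather than a certificate or CA trust problem.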



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org