Posted to users@httpd.apache.org by Jennifer Mead <jm...@tucows.com> on 2022/04/01 15:47:06 UTC

[users@httpd] debian 10, apache2.4 cannot get ldaps working

I get a generic error "ldap_simple_bind() failed][Can't contact LDAP
server]" when trying to connect to the LDAP server with "ldaps" for LDAP
authentication.  This all worked well under regular LDAP on port 389, but
my requirement is to get it working with secure LDAPS on port 636.  First
off, I can run

openssl s_client -connect server:636

nc -z -v IP 636


I can see a close wait connection on ncsd connected to the ldap server.


I suspect this has to do with certificates and apache2?  Not much
documentation out there.  Here are my relevant chunks:


AuthType Basic
AuthBasicProvider ldap file
AuthName "GestioIP - Authentication against AD"
LDAPTrustedClientCert CERT_BASE64 /usr/local/share/cacertificates/tucows-root-ca-v2.crt
AuthLDAPUrl "ldaps://x.x.x.x:636/DC=int,DC=tucows,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=SA-ADLookups,OU=Service Accounts,DC=int,DC=tucows,DC=com"
AuthLDAPBindPassword "secret"
AuthLDAPBindAuthoritative on
Require ldap-user


Some posts I tried to follow suggested I use module auth_ldap.  However I
cannot find that module to install and supposedly have another module that
works instead?  Horribly confused and wondering what is wrong?  No one at
my office can help either, just on my plate to figure out. With such a
generic error, I don't know if the cert is failing or if the config is
wrong or ???


I am on Debian 10; we are using this for a GestioIP install just to get
users authenticated.  Any help of any kind is greatly appreciated.


Regards,

Jen Mead

jmead@tucowsinc.com

Re: [users@httpd] debian 10, apache2.4 cannot get ldaps working

Posted by Nick Folino <ni...@folino.us>.
If it's all internal, try LDAPVerifyServerCert off.

On Fri, Apr 1, 2022 at 11:47 AM Jennifer Mead <jm...@tucows.com> wrote:

> I get a generic error "ldap_simple_bind() failed][Can't contact LDAP
> server]" when trying to connect to the LDAP server with "ldaps" for LDAP
> authentication.  This all worked well under regular LDAP on port 389, but
> my requirement is to get it working with secure LDAPS on port 636.  First
> off, I can run
>
> openssl s_client -connect server:636
>
> nc -z -v IP 636
>
>
> I can see a close wait connection on ncsd connected to the ldap server.
>
>
> I suspect this has to do with certificates and apache2?  Not much
> documentation out there.  Here are my relevant chunks:
>
>
> AuthType Basic
> AuthBasicProvider ldap file
> AuthName "GestioIP - Authentication against AD"
> LDAPTrustedClientCert CERT_BASE64 /usr/local/share/cacertificates/tucows-root-ca-v2.crt
> AuthLDAPUrl "ldaps://x.x.x.x:636/DC=int,DC=tucows,DC=com?sAMAccountName?sub?(objectClass=*)"
> AuthLDAPBindDN "CN=SA-ADLookups,OU=Service Accounts,DC=int,DC=tucows,DC=com"
> AuthLDAPBindPassword "secret"
> AuthLDAPBindAuthoritative on
> Require ldap-user
>
>
> Some posts I tried to follow suggested I use module auth_ldap.  However I
> cannot find that module to install and supposedly have another module that
> works instead?  Horribly confused and wondering what is wrong?  No one at
> my office can help either, just on my plate to figure out. With such a
> generic error, I don't know if the cert is failing or if the config is
> wrong or ???
>
>
> I am on Debian 10; we are using this for a GestioIP install just to get
> users authenticated.  Any help of any kind is greatly appreciated.
>
>
> Regards,
>
> Jen Mead
>
> jmead@tucowsinc.com
>
>
>
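The following is an added example for this thread; it is not code from Apache httpd, GestioIP or either poster. It serves both the original question and the "LDAPVerifyServerCert off" suggestion in the reply. It is a small POSIX sh helper that (1) reads the chain-verification result out of the openssl s_client output the poster already ran, with -CAfile added so the check uses the same trust anchor mod_ldap will use, (2) tests whether the server certificate's subjectAltName covers the name placed in AuthLDAPUrl (an IP address in the URL, as in the post, only matches a certificate that carries that IP as a SAN), and (3) prints the configuration with the CA in the server-scope LDAPTrustedGlobalCert directive, not LDAPTrustedClientCert, which is for client certificates, while keeping LDAPVerifyServerCert On. With verification off the connection is still encrypted, but any host that answers on port 636 can collect the AuthLDAPBindDN password and every user's Basic credentials, so the aim is to make verification succeed rather than disable it. On the module name: mod_auth_ldap was the httpd 2.0 module; on 2.4 the pair is mod_ldap plus mod_authnz_ldap (a2enmod ldap authnz_ldap on Debian), and mod_authnz_ldap's log lines still begin with "auth_ldap authenticate:". Hypothetical values in the script: LDAPS_HOST, the conf file path and the exec: password-helper path; the CA path and the DNs are taken from the post, and the sample s_client output is constructed.

```sh
#!/bin/sh
# Added diagnostic helper for the "[ldap_simple_bind() failed][Can't contact
# LDAP server]" problem in this thread. Not code from Apache httpd, GestioIP
# or either poster. Assumed (hypothetical) values; replace with your own:
LDAPS_HOST="ldap.example.internal"   # name the server cert is issued to, not an IP
LDAPS_PORT="636"
CA_FILE="/usr/local/share/cacertificates/tucows-root-ca-v2.crt"   # path from the post

# Constructed sample of 'openssl s_client' output for a chain that does not
# validate against -CAfile (the shape of output a missing trust anchor gives).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = ldap.example.internal
verify error:num=20:unable to get local issuer certificate
---
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Extract the numeric "Verify return code" from s_client output. 0 means the
# chain validated against CA_FILE; anything else is the same trust failure
# mod_ldap hits with LDAPVerifyServerCert On (the default). Empty = no handshake.
openssl_verify_code() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Does a subjectAltName list ("DNS:a, DNS:*.b, IP Address:1.2.3.4") cover the
# host used in AuthLDAPUrl? A wildcard matches exactly one left-most label.
# An IP literal in the URL only matches an "IP Address:" entry.
san_covers_host() {
    san="$1"; host="$2"; rc=1
    oldifs="$IFS"; IFS=','; set -f          # split on commas, never glob the '*'
    for entry in $san; do
        entry="${entry# }"
        case "$entry" in
            "DNS:$host"|"IP Address:$host") rc=0; break ;;
            DNS:\*.*)
                suffix="${entry#DNS:\*.}"
                case "$host" in
                    *.$suffix)
                        label="${host%.$suffix}"
                        case "$label" in *.*) ;; *) rc=0; break ;; esac ;;
                esac ;;
        esac
    done
    set +f; IFS="$oldifs"
    return $rc
}

# Live check against the real server: TLS handshake, chain validation against
# CA_FILE and SAN match, using the exact name that goes into AuthLDAPUrl.
# Only runs when LDAPS_PROBE=1 so the rest of the file is usable offline.
ldaps_probe() {
    out=$(openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -servername "$LDAPS_HOST" \
                  -CAfile "$CA_FILE" </dev/null 2>&1) || true
    code=$(openssl_verify_code "$out")
    if [ -z "$code" ]; then
        echo "no TLS handshake with $LDAPS_HOST:$LDAPS_PORT (TCP/firewall, or the port is not TLS)"
        return 1
    fi
    san=$(printf '%s\n' "$out" | openssl x509 -noout -ext subjectAltName 2>/dev/null | tail -n 1)
    echo "chain verify code: $code (0 = trusted via $CA_FILE)"
    echo "server SAN: ${san:-<none>}"
    if san_covers_host "$san" "$LDAPS_HOST"; then echo "host name matches SAN"
    else echo "host name NOT in SAN: AuthLDAPUrl must use a name the cert carries"; fi
    [ "$code" = 0 ]
}

# The CA is a server-scope trust anchor (LDAPTrustedGlobalCert), not a
# per-directory client certificate (LDAPTrustedClientCert, which the post used).
# Verification stays On so a spoofed 636 listener cannot harvest the bind
# password or users' Basic credentials.
mod_ldap_config() {
    cat <<EOF
# server config, e.g. /etc/apache2/conf-available/ldap-trust.conf (assumed path)
LDAPTrustedGlobalCert CA_BASE64 $CA_FILE
LDAPVerifyServerCert On
LogLevel ldap:debug authnz_ldap:debug

# inside the <Location> that protects GestioIP ('file' provider from the post
# dropped: it also needs an AuthUserFile)
AuthType Basic
AuthBasicProvider ldap
AuthName "GestioIP - Authentication against AD"
AuthLDAPUrl "ldaps://$LDAPS_HOST:$LDAPS_PORT/DC=int,DC=tucows,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=SA-ADLookups,OU=Service Accounts,DC=int,DC=tucows,DC=com"
# exec: (httpd 2.4.5+) reads the password from a helper's first output line; assumed path
AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-pw"
AuthLDAPBindAuthoritative on
# valid-user = anyone who binds; narrow with 'Require ldap-user ...' or 'Require ldap-group ...'
Require valid-user
EOF
}

if [ "${LDAPS_PROBE:-0}" = 1 ]; then ldaps_probe; fi
```

Run it as LDAPS_PROBE=1 sh ldaps-check.sh on the web server itself, since that is the host whose CA bundle and DNS view mod_ldap will use; a non-zero verify code or a SAN mismatch is the real cause behind the generic "Can't contact LDAP server" text, and LogLevel ldap:debug in the printed config makes mod_ldap report the same failure in error.log.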