Bug#235653: Status of Bug 235653?

2005-04-19 Thread Mike McCallister
What is the status of bug 235653 (http://bugs.debian.org/235653), to
enable mod_auth_ldap to use TLS/SSL?  Based on the response from March
1 2004, it sounds like it was intended to be fixed in short order, but
this bug is still open.  Is it likely to be fixed any time soon?


Mike



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#235653: Status of Bug 235653?

2005-04-20 Thread Adam Conrad
Mike McCallister wrote:
> What is the status of bug 235653 (http://bugs.debian.org/235653), to
> enable mod_auth_ldap to use TLS/SSL?  Based on the response from March 1
> 2004, it sounds like it was intended to be fixed in short order, but
> this bug is still open.  Is it likely to be fixed any time soon?

Note that the page you pointed to states that SSL is supported via the
Netscape SDK *OR* TLS is supported via OpenLDAP.  I would read that to
mean that the "LDAP: SSL support unavailable" message would be expected
when using OpenLDAP.

Have you tried the LDAPTrustedCA and LDAPTrustedCAType directives which
are pointed out at:

http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#usingtls

The way I read that would be that you shouldn't use "ldaps://" with
OpenLDAP, but rather just "ldap://"; with the two directives above.

If you can try that out and let me know if it works out of the box, then
perhaps I can close this bug. :)

... Adam







Bug#235653: Status of Bug 235653?

2005-04-30 Thread Mike McCallister
On Wed, Apr 20, 2005 at 05:04:28PM +1000, Adam Conrad wrote:
> Note that the page you pointed to states that SSL is supported via the
> Netscape SDK *OR* TLS is supported via OpenLDAP.  I would read that to
> mean that the "LDAP: SSL support unavailable" message would be expected
> when using OpenLDAP.

After more research, I have found differently.  After configuring the
directives you mentioned below, my Apache error log now shows the
following on startup:

[Sat Apr 30 01:05:15 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Apr 30 01:05:15 2005] [notice] LDAP: SSL support available

So it seems that you can trust the messages in the log file to some
degree.

> Have you tried the LDAPTrustedCA and LDAPTrustedCAType directives
> which are pointed out at:
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#usingtls The
> way I read that would be that you shouldn't use "ldaps://" with
> OpenLDAP, but rather just "ldap://"; with the two directives above.
> If you can try that out and let me know if it works out of the box,
> then perhaps I can close this bug. :)

When I use the ldap:// value in the AuthLDAPUrl against an OpenLDAP
server configured to require TLS, I get an error message that strongly
indicates Apache did not attempt to start a TLS handshake after
connecting to the LDAP server.  The error message is:

[Sat Apr 30 00:30:05 2005] [warn] [client 192.168.2.33] [542] auth_ldap authenticate: user USERNAME authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Confidentiality required]

"Confidentiality required" means that the client (in this case Apache)
attempted to provide a user-id and password to bind to the LDAP server
over an unencrypted link.  It appears to me that this is an upstream
bug that is fixed with Apache 2.1, but not in Apache 2.0:

http://issues.apache.org/bugzilla/show_bug.cgi?id=18712

This Bugzilla report describes my experience exactly.

At this point I am giving up on trying to use TLS with mod_auth_ldap
until Apache 2.1 is released and packaged for Debian.  Thanks for your
help.




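The two error-log excerpts in the message above carry the whole diagnosis: the startup notices say which LDAP SDK httpd was built against and whether SSL support is compiled in, and the per-request warning ending in "[Confidentiality required]" (LDAP result code 13, confidentialityRequired) shows that a simple bind with a password was attempted over a connection the server considered unencrypted. The following is an added example, not code from the thread or from the Apache project: a small Python audit that reads Apache 2.0-style error_log lines and separates startup capability notices from bind failures that indicate a plaintext credential submission. The sample log text is constructed from the lines quoted in the thread plus one extra "Invalid credentials" line to show the distinction; the function and field names are my own.

```python
import re

# Constructed sample modelled on the Apache 2.0 error_log lines quoted in the thread.
# The final "Invalid credentials" line is added to show a failure that is NOT a
# plaintext-bind problem.
SAMPLE_LOG = """\
[Sat Apr 30 01:05:15 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Apr 30 01:05:15 2005] [notice] LDAP: SSL support available
[Sat Apr 30 00:30:05 2005] [warn] [client 192.168.2.33] [542] auth_ldap authenticate: user USERNAME authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Confidentiality required]
[Sat Apr 30 00:31:10 2005] [warn] [client 192.168.2.33] [543] auth_ldap authenticate: user USERNAME authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
"""

# Apache 2.0 error_log layout: "[timestamp] [level] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")
SDK_RE = re.compile(r"LDAP: Built with (?P<sdk>\S+) LDAP SDK")
SSL_RE = re.compile(r"LDAP: SSL support (?P<un>un)?available")
# mod_auth_ldap bind failure: "... user U authentication failed; URI X [call][reason]"
BIND_RE = re.compile(
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[(?P<call>[^\]]+)\]\[(?P<reason>[^\]]+)\]"
)

# LDAP resultCode 13 (confidentialityRequired): the server refused the operation
# because the connection was not protected (no TLS), i.e. credentials went in clear.
PLAINTEXT_BIND_REASON = "Confidentiality required"


def parse_line(line):
    """Split one error_log line into (timestamp, level, message) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("msg")


def audit(log_text):
    """Summarise LDAP capability notices and bind failures from error_log text.

    Returns a dict with:
      sdk                      - LDAP SDK name from the startup notice, if seen
      ssl_support              - True/False from the startup notice, None if absent
      plaintext_bind_attempts  - bind failures whose reason is "Confidentiality required"
      other_bind_failures      - every other auth_ldap bind failure (e.g. bad password)
    """
    result = {
        "sdk": None,
        "ssl_support": None,
        "plaintext_bind_attempts": [],
        "other_bind_failures": [],
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed

        sdk = SDK_RE.search(msg)
        if sdk:
            result["sdk"] = sdk.group("sdk")
            continue
        ssl = SSL_RE.search(msg)
        if ssl:
            # "unavailable" also matches "available", so test the optional prefix
            result["ssl_support"] = ssl.group("un") is None
            continue

        bind = BIND_RE.search(msg)
        if not bind:
            continue
        client = CLIENT_RE.search(msg)
        event = {
            "ts": ts,
            "level": level,
            "client": client.group("client") if client else None,
            "user": bind.group("user"),
            "uri": bind.group("uri"),
            "call": bind.group("call"),
            "reason": bind.group("reason"),
        }
        if event["reason"] == PLAINTEXT_BIND_REASON:
            result["plaintext_bind_attempts"].append(event)
        else:
            result["other_bind_failures"].append(event)
    return result


if __name__ == "__main__":
    summary = audit(SAMPLE_LOG)
    print("SDK:", summary["sdk"], "SSL support:", summary["ssl_support"])
    for ev in summary["plaintext_bind_attempts"]:
        print("credentials sent without TLS:", ev["user"], "from", ev["client"], "at", ev["ts"])
```

Run against a real error_log, a non-empty `plaintext_bind_attempts` list with `ssl_support` still `True` is exactly the situation described above: the module is built with TLS support, yet the client never started a TLS handshake before binding, so the directory (correctly) rejected the plaintext password.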



Bug#235653: Status of Bug 235653?

2006-11-12 Thread Thijs Kinkhorst
Hi,

> At this point I am giving up on trying to use TLS with mod_auth_ldap
> until Apache 2.1 is released and packaged for Debian.  Thanks for your
> help.

Well, it is now. Do you perhaps want to continue on this quest?


Thijs

