hi,
i'm trying to upgrade my ldap authentication to ldaps
i have both ldap and ldaps authentication working under apache 2.0 ...
but under apache 2.2, i only have plain ldap working
i'm looking for tips on additional troubleshooting methods i could try
here's my apache 2.0 config. this is the one which works, in both ldap
and ldaps mode. notice the use of the non-standard port
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedCA /opt/local/etc/ssl/fhcrc-ad.pem
LDAPTrustedCAType BASE64_FILE
[...]
<Directory "/srv/www/htdocs/soma/">
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.1.
SSLRequireSSL
AuthName Soma
AuthType Basic
AuthLDAPBindDN "[EMAIL PROTECTED]"
AuthLDAPBindPassword passwd-for-foo
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
# ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
Require valid-user
</Directory>
and here's my apache 2.2 config. if i comment out the 'ldaps' URL and
comment in the 'ldap' URL, things work fine:
[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedClientCert CERT_BASE64 /opt/local/ssl/fhcrc-ad.pem
LDAPTrustedMode TLS
LDAPVerifyServerCert Off
[...]
<Directory "/srv/www/htdocs/soma/">
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.1.
AuthName Soma
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN "[EMAIL PROTECTED]"
AuthLDAPBindPassword passwd-for-foo
AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user) STARTTLS
# AuthLDAPURL ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
Require valid-user
</Directory>
when it fails, i see the following in syslog:
Sep 25 15:24:23 guru httpd[17738]: [warn] [client 10.1.2.3] [17738]
auth_ldap authenticate: user skendric authentication failed; URI /soma
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
in a packet trace, i see the following, repeated a handful of times. [i
hacked the Source and Destination IP address columns, replacing the
actual IP addresses with 'a', the address of my apache server, and 'z'
the address of my LDAP server]. basically, the apache server just
establishes a TCP connection (SYN, SYN, ACK) ... and then, without
attempting anything, tears it down ... and then repeats a handful of times.
No.  Time      By  Source  Dest  Prot  Info
 1   0.000000  74  a       z     TCP   48965 > 12389 [SYN, ECN, CWR] Seq=0
 2   0.000351  78  z       a     TCP   12389 > 48965 [SYN, ACK] Seq=0 Ack=1
 3   0.000018  66  a       z     TCP   48965 > 12389 [ACK] Seq=1 Ack=1
 4   0.000780  66  a       z     TCP   48965 > 12389 [FIN, ACK] Seq=1 Ack=1
 5   0.000122  74  a       z     TCP   48966 > 12389 [SYN, ECN, CWR] Seq=0
 6   0.000312  78  z       a     TCP   12389 > 48966 [SYN, ACK] Seq=0 Ack=1
 7   0.000014  66  a       z     TCP   48966 > 12389 [ACK] Seq=1 Ack=1
 8   0.000004  66  z       a     TCP   12389 > 48965 [ACK] Seq=1 Ack=2
 9   0.000084  60  z       a     TCP   12389 > 48965 [RST, ACK] Seq=1 Ack=2
10   0.000201  66  a       z     TCP   48966 > 12389 [FIN, ACK] Seq=1 Ack=1
i'm using the apache bundled with SuSE ... SuSE 9.3 in the httpd-2.0
case, and OpenSuSE 10.1 in the httpd-2.2.0 case. for grins, i compiled
httpd-2.2.3 from scratch on my 10.1 box and tried it ... delivers the
same symptoms as the httpd-2.2 bundled with OpenSuSE 10.1
suggestions for what i might try next to analyze what is going on?
--sk
stuart kendrick
fhcrc
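An added example, not part of the post or of the Apache project: a small POSIX shell helper that takes the AuthLDAPURL from the config apart and tests the LDAPS service on port 12389 straight from the web server with openssl and ldapsearch, so that TCP, TLS and bind problems can be told apart without going through httpd at all. It assumes openssl(1) and OpenLDAP's ldapsearch(1) are installed on the Apache host; the host name, port, attribute, filter and CA path are the ones from the post.

```shell
# Added example, not code from the post: take the AuthLDAPURL apart and test
# the LDAPS endpoint on its non-standard port directly, so a failure can be
# pinned to TCP, TLS or the bind before touching the Apache directives again.
# Assumes openssl(1) and OpenLDAP's ldapsearch(1) are installed.

# Split "ldap[s]://host[:port]/basedn?attr?scope?filter" into the shell
# variables SCHEME HOST PORT BASEDN ATTR SCOPE FILTER, with mod_authnz_ldap's
# defaults for what is missing (port 636 for ldaps, 389 for ldap, scope sub).
ldap_url_parse() {
    url=$1
    SCHEME=${url%%://*}
    rest=${url#*://}
    case $rest in
        */*) hostport=${rest%%/*}; rest=${rest#*/} ;;
        *)   hostport=$rest; rest= ;;
    esac
    HOST=${hostport%%:*}
    case $hostport in
        *:*) PORT=${hostport#*:} ;;
        *)   [ "$SCHEME" = ldaps ] && PORT=636 || PORT=389 ;;
    esac
    set -f                                   # no globbing while splitting on '?'
    oldifs=$IFS; IFS='?'; set -- $rest; IFS=$oldifs
    set +f
    BASEDN=${1-}; ATTR=${2-}; SCOPE=${3:-sub}; FILTER=${4-}
}

# The compound filter the module searches with for a given login name,
# e.g. (&(objectClass=user)(sAMAccountName=skendric)).
ldap_user_filter() {
    printf '(&%s(%s=%s))' "$FILTER" "$ATTR" "$1"
}

# TLS layer only: does $HOST:$PORT speak SSL from the first byte, and does
# its chain verify against the CA file ($1)?  If this succeeds from the Apache
# host, the service and certificate chain are fine and the fault is client-side.
ldaps_tls_check() {
    openssl s_client -connect "$HOST:$PORT" -CAfile "$1" </dev/null 2>&1 \
        | grep -E 'Verify return code|SSL handshake|subject=|issuer='
}

# Bind and search as Apache would, over plain ldaps:// (no STARTTLS keyword:
# the scheme already selects SSL).  Args: cafile binddn username; prompts
# for the bind password.
ldaps_bind_check() {
    LDAPTLS_CACERT=$1 ldapsearch -H "$SCHEME://$HOST:$PORT" -D "$2" -W \
        -b "$BASEDN" -s "$SCOPE" "$(ldap_user_filter "$3")" dn
}
```

Run ldap_url_parse with the AuthLDAPURL from the 2.2 config, then ldaps_tls_check with the CA file and ldaps_bind_check with the CA file, the bind DN and a login name such as skendric. If both succeed from the Apache host, the directory service and its chain are not the problem and the difference lies in how httpd 2.2 sets up its own connection.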
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.