hi ricardo,

ok, what you're pointing out is that i've been fuzzing whether or not i want to negotiate SSL after establishing a connection or if i just want to walk in assuming SSL

my LDAP server is an Active Directory box with stunnel running on port 12389 (and redirecting what it receives to port 389). and my httpd-2.0 configuration just contains 'ldaps', no mention of STARTTLS, and it works fine. so i'm going to claim that my LDAP server is listening to SSL on port 12389

[when i use STARTTLS or set LDAPTrustedMode to TLS, i see "ldap_start_tls_s() failed][Not Supported]" in syslog ... and *nothing* in the packet trace, i.e. apache doesn't send a single packet to the LDAP server. i find this odd, because i'd like to think that httpd is linked to OpenLDAP, which does, as far as i can tell, support STARTTLS ... but hey, i don't need STARTTLS, my LDAP server is speaking SSL only on this port, so i don't need this functionality]

so, for simplicity, i dump the LDAPTrustedMode stmt:

[...]
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedClientCert CERT_BASE64 /opt/vdops/ssl/fhcrc-ad.pem
LDAPVerifyServerCert Off
[...]

and rely on the 'ldaps' URL:

<Directory "/srv/www/htdocs/soma/">
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 10.1.
   AuthName Soma
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative Off
   AuthLDAPBindDN "[EMAIL PROTECTED]"
   AuthLDAPBindPassword passwd-for-foozle
   AuthLDAPURL ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)
   Require valid-user
</Directory>

but ... i see the same thing in syslog:
...ldap_simple_bind_s() failed][Can't contact LDAP server]...

and i see the same thing in the packet trace, i.e. SYN, SYN, ACK, RST ... repeated a handful of times

thank you for helping me clarify what i'm doing

can you see any other confusions i might be retaining?

--sk


Stuart Kendrick wrote:
> > hi,
> >
> > i'm trying to upgrade my ldap authentication to ldaps
>

> Well, which one is it ?  TLS or SSL :?  That's the problem...  LDAP on
> SSL mode work on a different port.  TLS connections work on the same
> unsecure port, except that the talk is encrypted.

> So, if you enabled SSL on port 12389, then:

> LDAPTrustedMode SSL # If you run SSL, this is optional as you'll
> enable this with the 'ldaps' url
> ...
> AuthLDAPURL
> ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

> Or, if you are doing TLS, then:

> LDAPTrustedMode TLS # If you run TLS, you can set this or add STARTTLS
> at the end of the ldap url
> ...
> AuthLDAPURL
> ldap://dc.fhcrc.org:389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)

> Hope this helps...

> My .02...

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
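The two modes the thread contrasts differ in what the packet trace should show: with an ldaps:// URL the client's first bytes after the TCP handshake are a TLS ClientHello and no LDAP PDU ever appears in the clear, while STARTTLS sends a cleartext LDAP ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) first and only then starts TLS on the same socket. The script below is an added example, not code from the original post or from mod_ldap: it parses an AuthLDAPURL the way the thread writes one, reports the expected exchange for each URL/mode combination, hand-encodes the StartTLS and simple-bind PDUs so they can be matched against a trace, and includes a stand-alone ldaps probe (TLS first, then bind) for checking a port such as the stunnel listener independently of httpd. It assumes, per the mod_ldap documentation, that an ldaps:// scheme selects SSL-on-connect regardless of LDAPTrustedMode; the DN and password in the usage are constructed.

```python
"""Added example (not from the original post or from mod_ldap).

Assumptions: mod_ldap treats an ldaps:// AuthLDAPURL as SSL-on-connect and
ignores LDAPTrustedMode for it (mod_ldap docs); DN/password below are made up.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ber_len(n):
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_read(buf, off=0):
    """Decode one TLV at buf[off]; return (tag, payload, offset after it)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n


def ldap_message(msg_id, protocol_op):
    return tlv(0x30, ber_int(msg_id) + protocol_op)      # LDAPMessage SEQUENCE


def bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0], LDAPv3, simple [0] authentication."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, op))


def starttls_request(msg_id=1):
    """ExtendedRequest [APPLICATION 23] whose requestName [0] is the StartTLS OID."""
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))


def bind_result_code(pdu):
    """resultCode of a BindResponse [APPLICATION 1]; raises on any other PDU."""
    tag, msg, _ = ber_read(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, off = ber_read(msg)                  # skip messageID
    tag, op, _ = ber_read(msg, off)
    if tag != 0x61:
        raise ValueError("not a BindResponse: tag 0x%02x" % tag)
    _, code, _ = ber_read(op)                  # ENUMERATED resultCode
    return int.from_bytes(code, "big")


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL: scheme://host[:port]/basedn?attribute?scope?filter."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("no host in AuthLDAPURL")
    basedn, attr, scope, filt = (path.split("?", 3) + [""] * 4)[:4]
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else DEFAULT_PORTS[scheme],
            "basedn": basedn, "attribute": attr or "uid",
            "scope": scope or "sub", "filter": filt or "(objectClass=*)"}


def expected_wire_exchange(url, mode="NONE"):
    """What a trace of httpd -> LDAP should show; mode mirrors LDAPTrustedMode."""
    u = parse_auth_ldap_url(url)
    mode = mode.upper()
    if u["scheme"] == "ldaps" or mode == "SSL":      # ldaps:// wins over the mode
        kind, steps = "ssl-on-connect", ["TCP connect", "TLS ClientHello",
                                         "BindRequest inside TLS"]
    elif mode in ("TLS", "STARTTLS"):
        kind, steps = "starttls", ["TCP connect", "ExtendedRequest StartTLS in the clear",
                                   "ExtendedResponse success", "TLS ClientHello",
                                   "BindRequest inside TLS"]
    else:
        kind, steps = "plaintext", ["TCP connect", "BindRequest in the clear"]
    return kind, u["host"], u["port"], steps


def probe_ldaps(host, port, dn, password, verify=True, timeout=5.0):
    """ldaps:// by hand: TLS first, then a simple bind. Network call, not run offline.

    verify=False mirrors LDAPVerifyServerCert Off: any certificate is accepted,
    so use it only to diagnose a refused connection, never in production.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return bind_result_code(tls.recv(4096))


if __name__ == "__main__":
    url = "ldaps://dc.fhcrc.org:12389/dc=fhcrc,dc=org?sAMAccountName?sub?(objectClass=user)"
    print(expected_wire_exchange(url, "TLS"))   # ldaps:// => ssl-on-connect, mode ignored
    print(starttls_request().hex())              # bytes to look for in a STARTTLS trace
```

If a trace of a plain ldap:// + STARTTLS configuration never shows the 31-byte ExtendedRequest printed above, the client library gave up before touching the network, which is consistent with an "ldap_start_tls_s() failed ... Not Supported" error. For the ldaps:// case, running probe_ldaps against the stunnel port from the web server itself separates a TCP-level refusal from a TLS or bind failure.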