On 1/17/07, Darren Spruell <[EMAIL PROTECTED]> wrote:
When trying to authenticate clients via a remote LDAP directory (using
mod_authz_ldap), we fail and the following is logged:

    [Wed Jan 17 14:57:14 2007] [warn] [client a.b.c.d] [32492] auth_ldap
    authenticate: user xxxxxxxx authentication failed; URI /ldap/
    [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

The authentication attempt succeeds when standard LDAP is attempted,
but for security we require LDAPS. There are no connectivity issues
between Apache and the remote LDAPS service as we can successfully
test our operations using 'openssl s_client' and ldapsearch(1) without
issue.

I think I've found the problem and it is related to a name mismatch
between the address we had configured to connect to the LDAP server
and the CN returned in the SSL certificate. I had to test using a
locally-configured DNS server to spoof the name, since the FQDN did
not exist in our DNS, but after changing the name it worked correctly.

On this note, what would it take to get some more debugging enabled in
mod_ldap around the certificate validation procedures? It would be
very useful if logs would indicate an error in the server certificate
validation as several variables can be out of place there: expired
certificate, untrusted issuer, or CN/hostname mismatch. The same error
that we were seeing misleads a lot of people (according to Google)
into diagnosing the issue as an inability to complete a TCP/IP socket
with the remote LDAP server, when the issue may actually be failure to
complete the SSL handshake.

DS
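The three certificate-validation failures named in the message (expired certificate, untrusted issuer, CN/hostname mismatch) all collapse into the same "Can't contact LDAP server" log line. The script below is an added example, not code from the original message or from mod_ldap; it does offline what the author wishes the module logged. `check_cert()` tests the validity window and RFC 6125-style hostname matching (SAN dNSName entries first, subject CN only as a fallback) against a constructed certificate dict in the shape Python's `getpeercert()` returns, and `probe_ldaps()` connects to a real server with full verification and reports OpenSSL's verify message separately from a TCP failure. The hostname `ldap.example.com`, the CA name and the validity dates are all made up for the example.

```python
import socket
import ssl
import time

# Constructed sample certificate, in the dict shape ssl.SSLSocket.getpeercert()
# returns for a verified peer. All values are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com")),
    "notBefore": "Jan  1 00:00:00 2007 GMT",
    "notAfter": "Jan  1 00:00:00 2008 GMT",
}
# Two constructed "current time" values: inside and after the validity window.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2007 GMT")
SAMPLE_LATER = ssl.cert_time_to_seconds("Jun  1 12:00:00 2009 GMT")


def dns_id_matches(pattern, hostname):
    """RFC 6125-style DNS-ID comparison: case-insensitive; a single '*' is
    allowed only as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSName entries if any exist,
    otherwise the subject commonName (the legacy fallback)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def check_cert(cert, configured_host, now=None):
    """Return a list of readable validation problems (empty when the cert is
    acceptable for configured_host). Issuer trust is not checked here because
    it needs the trust store; probe_ldaps() leaves that to the TLS library."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired (notAfter %s)" % cert["notAfter"])
    names = cert_names(cert)
    if not any(dns_id_matches(name, configured_host) for name in names):
        problems.append("hostname mismatch: configured %r, certificate valid for %r"
                        % (configured_host, names))
    return problems


def probe_ldaps(host, port=636, timeout=5.0):
    """Connect with full verification (system trust store, hostname check) and
    say which stage failed, so a TCP problem is never confused with a
    certificate problem. Needs network access; not exercised offline."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: %s handshake completed" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL's own reason, e.g. "certificate has expired",
        # "unable to get local issuer certificate", "Hostname mismatch ..."
        return "certificate verification failed: %s" % exc.verify_message
    except ssl.SSLError as exc:
        return "TLS handshake failed: %s" % exc
    except OSError as exc:
        return "TCP connection failed: %s" % exc


if __name__ == "__main__":
    for host in ("ldap.example.com", "ldap.internal"):
        print(host, "->", check_cert(SAMPLE_CERT, host, now=SAMPLE_NOW) or "ok")
    print("expired? ->", check_cert(SAMPLE_CERT, "ldap.example.com", now=SAMPLE_LATER))
```

Running it prints an "ok" for the configured name that appears in the certificate, a hostname-mismatch line for `ldap.internal` (the situation described in the message), and an expiry line for the later timestamp; `probe_ldaps("ldap.example.com")` can be called against a real LDAPS port to get the same split between "TCP connection failed" and "certificate verification failed".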
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.