Hello,
we are enabling LDAP auth on our apache stack. Starting from
apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
The configure line we used for apache is:
    $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man \
        --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all \
        --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap
and the one for php is:
    $ ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man \
        --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs \
        --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash \
        --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib \
        --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt \
        --enable-shared=max --enable-mbstring --enable-inline-optimization \
        --enable-magic-quotes --enable-sigchild --enable-soap \
        --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib \
        --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
Build and install went fine.
We also installed openldap-client-2.3.27 and set "TLS_REQCERT never"
in /etc/openldap/ldap.conf .
And now starts the problem :( We configured httpd.conf to contain
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    ...
    LDAPVerifyServerCert Off
Then we set a dir with .htaccess similar to this:
    AuthType Basic
    AuthName "<name>"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPBindDN uid=<uid>,ou=<ou>,ou=<ou>,dc=<dc>,dc=<dc>
    AuthLDAPBindPassword <pwd>
    AuthLDAPURL ldaps://<address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
    require valid-user
If I then try to access a page under that .htaccess, then I'm prompted
for username and password, but then I'm redirected to a 500 page and in
error.log I can read
    [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap authenticate: user stosi authentication failed; URI /index.html [LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD][Operations error]
We have been stuck in this situation for days :( We searched the internet
for the above error message, but except for a couple of posts on
issues.apache.org (that don't help) there is nothing else but complaints
about how obscure that error is.
I think there's something related to SSL and how recent apache (it seems
from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
httpd.conf and explicitly set "SSLEngine On" where needed (while before
it was somewhat implicit).
I'd appreciate any help, because we are out of ideas on how to move on.
Regards,
Sandro
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
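
An added example, not part of the original post: a small audit that flags the certificate-verification and credential-placement settings described in the message above (LDAPVerifyServerCert Off, TLS_REQCERT never, AuthLDAPBindPassword in .htaccess) across a set of config files. The file labels, host name and sample contents are constructed; it also goes slightly beyond the post by treating TLS_REQCERT allow as unverified and by checking that an ldaps:// URL is paired with a configured CA (LDAPTrustedGlobalCert, TLS_CACERT or TLS_CACERTDIR).

```python
# Constructed inputs modelled on the post; host, paths and values are placeholders.
AS_POSTED = {
    "httpd.conf": "LoadModule ldap_module modules/mod_ldap.so\nLDAPVerifyServerCert Off\n",
    "ldap.conf": "TLS_REQCERT never\n",
    "site/.htaccess": "AuthBasicProvider ldap\nAuthLDAPBindPassword PLACEHOLDER\n"
                      "AuthLDAPURL ldaps://ldap.example.invalid/dc=example?uid?sub\n",
}
VERIFYING = {
    "httpd.conf": "LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.pem\nLDAPVerifyServerCert On\n",
    "ldap.conf": "TLS_REQCERT demand\n",
    "site/.htaccess": "AuthBasicProvider ldap\n"
                      "AuthLDAPURL ldaps://ldap.example.invalid/dc=example?uid?sub\n",
}

def directives(text):
    """Yield (line_no, lowercased directive name, args) for each non-comment line."""
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield no, parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit(files):
    """files maps a label to config text; returns a list of (label, line_no, finding)."""
    findings, uses_ldaps, has_ca = [], False, False
    for label, text in files.items():
        for no, name, args in directives(text):
            value = args.lower()
            if name == "ldapverifyservercert" and value == "off":
                findings.append((label, no, "mod_ldap skips server certificate verification"))
            elif name == "tls_reqcert" and value in ("never", "allow"):
                findings.append((label, no, "OpenLDAP client accepts an unverified certificate"))
            elif name == "authldapbindpassword" and label.endswith(".htaccess"):
                findings.append((label, no, "bind password stored in a per-directory .htaccess"))
            elif name == "authldapurl" and value.lstrip('"').startswith("ldaps://"):
                uses_ldaps = True
            elif name in ("ldaptrustedglobalcert", "tls_cacert", "tls_cacertdir"):
                has_ca = True
    if uses_ldaps and not has_ca:  # nothing names a CA to verify the ldaps:// peer against
        findings.append(("(all files)", 0, "ldaps:// in use but no trusted CA configured"))
    return findings

if __name__ == "__main__":
    for label, no, msg in audit(AS_POSTED):
        print(f"{label}:{no}: {msg}")
```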