> -----Message d'origine----- > De : Sandro Tosi [mailto:sandro.t...@register.it] > Envoyé : lundi 2 novembre 2009 11:17 > À : users@httpd.apache.org > Objet : [us...@httpd] LDAP: ldap_set_option failed. Could not set > LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD > > Hello, > we are enabling LDAP auth on our apache stack. Starting from > apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 . > > The configure line we used for apache is: > > $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man > --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all > --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap > > and the one for php is: > > ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man > --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs > --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash > --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib > --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt > --enable-shared=max --enable-mbstring --enable-inline-optimization > --enable-magic-quotes --enable-sigchild --enable-soap > --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib > --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib > > Build and install went fine. > > We also installed openldap-client-2.3.27 and set "TLS_REQCERT never" > into /etc/openldap/ldap.conf . > > And now starts the problem :( We configured httpd.conf to contain > > LoadModule ldap_module modules/mod_ldap.so > LoadModule authnz_ldap_module modules/mod_authnz_ldap.so > ... > LDAPVerifyServerCert Off > > Then we set a dir with .htaccess similar to this: > > AuthType Basic > AuthName "<name>" > AuthBasicProvider ldap > AuthzLDAPAuthoritative Off > AuthLDAPBindDN uid=<uid>,ou=<ou>,ou=<ou>,dc=<dc>,dc=<dc> > AuthLDAPBindPassword <pwd> > AuthLDAPURL ldaps://<address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*) > require valid-user > > If I then try to access a page under that .htaccess, then I'm prompted > for username and password, but then I'm redirected to a 500 page and in > error.log I can read > > [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap > authenticate: user stosi authentication failed; URI /index.html [LDAP: > ldap_set_option failed. Could not set LDAP_OPT_X_TLS to > LDAP_OPT_X_TLS_HARD][Operations error] > > We are stuck in this situation since days :( we searched the internet > for the above error message, but except for a couple of posts on > issues.apache.org (that don't help) there is nothing else but complains > about how obscure that error is. > > I think there's something related to SSL and how recent apache (it > seems > from 2.2.12?) handle it: in fact, we had to move SSLCertificateFile > into > httpd.conf and set explicitly "SSLEngine On" where needed (while before > it was a bit implicitly). > > I appreciate any help, cause we are out of any idea on how to move on. > > Regards, > Sandro >
Hi, Did you try your LDAPS connection with ldapsearch first ? (sth like ldapsearch -H <ldaps url> -x ...). An important thing : when calling your ldap server, do use the resolved name rather than the IP. You can even add it in your hosts file if needed. Two other things : - what king of ldap server are u using ? - when building, are you sure you did not have several ssl toolkits/versions installed ? Can you confirm httpd has been built with the correct one (I just remember having made this mistake once and having to build with an option like "--with-ssl=<path-to-the-right-openssl-dir") ? Regards. Emmanuel --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
