Unfortunately, I am still having problems with this. Here is what my error_log says:
[Mon Feb 02 17:01:51 2015] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Feb 02 17:01:51 2015] [info] LDAP: SSL support unavailable: LDAP: SSL/TLS ldapssl_client_init() function not supported by this Netscape/Mozilla/Solaris SDK. Certificate authority file not set

What exactly is this telling me - that SSL support is unavailable even though the previous line shows that the APR is built with the OpenLDAP SDK? Or is it not supported because there is a problem with my trusted certificate file? I've tested my trusted certificate using openssl:

# /opt/csw/bin/openssl verify ssl/crt/ldapservr.crt
ssl/crt/retronight.crt: C = US, postalCode = 53706, ST = WI, L = Madison, street = 1210 West Dayton Street, O = University of Wisconsin-Madison, OU = OCIS, CN = retronight.primate.wisc.edu
error 20 at 0 depth lookup:unable to get local issuer certificate

Is this the cause of the "Certificate authority file not set"? When I query the openldap server I get "self signed certificate in the certificate chain"; is this the problem (see below)? Is there a way to append the chains together into a LDAPTrustedGlobalCert file that will work? I've tried verifying the three certificates with openssl but can only get "OK" if I put "-untrusted" after the first file, i.e.

/opt/csw/bin/openssl verify -CAfile ssl/crt/incommonroot.crt -untrusted ssl/crt/intermediate.crt ssl/crt/ldapserver.crt
# /opt/csw/bin/openssl s_client -connect retronight.primate.wisc.edu:636 -showcerts
CONNECTED(00000004)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=53706/ST=WI/L=Madison/street=1210 West Dayton Street/O=University of Wisconsin-Madison/OU=OCIS/CN=retronight.primate.wisc.edu
   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/C=US/postalCode=53706/ST=WI/L=Madison/street=1210 West Dayton Street/O=University of Wisconsin-Madison/OU=OCIS/CN=retronight.primate.wisc.edu
issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA
---
No client certificate CA names sent
…
DONE

> On Jan 31, 2015, at 7:51 AM, Tom Lynch <[email protected]> wrote:
>
> Dago,
>
> Thanks for the response. The paths were correct but there was a
> misconfiguration in my httpd-ssl.conf file that caused the problem.
>
> Tom
>
> On Jan 30, 2015, at 11:01 AM, Dagobert Michelsen <[email protected]> wrote:
>
>> Hi Tom,
>>
>>> On 30.01.2015 at 17:52, Tom Lynch <[email protected]> wrote:
>>>
>>> After upgrading Solaris and opencsw, Apache2 is no longer able to
>>> authenticate against my openldap server. I get:
>>>
>>> [Fri Jan 30 09:19:34 2015] [info] [client 192.168.0.21] [5973] auth_ldap authenticate: user authentication failed; URI /staff [LDAP: SSL/TLS is not supported by this version of the Netscape/Mozilla/Solaris SDK][Can't contact LDAP server]
>>>
>>> I configured the site several years ago so am a little foggy on what I
>>> originally did to get it to work. Not sure where to go next.
>>>
>>> I'm using the csw apache2 build, shouldn't it be using the correct SDK,
>>> apache apr is installed, or is there something I'm missing?
>>
>> I guess you have to revise your httpd.conf, the LDAP authentication and
>> especially OpenSSL has changed considerably in the last years. Look for
>> mod_ldap in httpd.conf and see if all paths still match.
>>
>> Best regards
>>
>> — Dago
>>
>> --
>> "You don't become great by trying to be great, you become great by wanting
>> to do something, and then doing it so hard that you become great in the
>> process." - xkcd #896