Question has been resolved.

LDAPTrustedGlobalCert CA_BASE64 /path/to/your/cert/file

OR

#LDAPTrustedGlobalCert CA_BASE64 /path/to/your/cert/file
LDAPVerifyServerCert Off # default value is On

Thanks.

2011/3/1 Feldhacker, Chris <feldhacker.ch...@principal.com>:
> -----Original Message-----
> From: 金健康 [mailto:jinjiankang1...@gmail.com]
> Sent: Friday, February 25, 2011 12:53 AM
> To: users@subversion.apache.org
> Subject: Subversion Apache2.2 LDAPS authentication failed
>
> Hi,
>
> OS: Redhat Linux
> Subversion: 1.5.0
> Apache: 2.2.17
> OpenLDAP: 2.3.27
>
> httpd.conf:
> ...
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> <Location /svn>
> DAV svn
> SVNParentPath /home/svnroot/repository
> AuthzSVNAccessFile /home/svnroot/repository/svn_access_file
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthLDAPURL "ldaps://master.ldap.ebupt.com:636/OU=staff,DC=ebupt,DC=com?uid?sub?(objectClass=*)" SSL
> AuthName "Subversion.resository"
> Require valid-user
> </Location>
> ...
>
> Apache error_log:
>
> [Thu Feb 24 16:48:00 2011] [debug] mod_authnz_ldap.c(403): [client 10.1.85.181] [25242] auth_ldap authenticate: using URL ldaps://master.ldap.ebupt.com:636/OU=staff,DC=ebupt,DC=com?uid?sub?(objectClass=*)
> [Thu Feb 24 16:48:00 2011] [info] [client 10.1.85.181] [25242] auth_ldap authenticate: user jinjian kang authentication failed; URI /svn [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> ping master.ldap.ebupt.com is OK.
>
> My FTP LDAPS authentication is OK as below:
> server:master.ldap.ebupt.com
> port:636
> Enable SSL:checked
> Base DN:ou=staff,dc=ebupt,dc=com
> anonymous bind:checked
> Search Filter:(objectClass=*)
> User DN attribute:uid
> Search scope:subtree
>
> Thanks.
> Jin Jiankang
> ============================
>
> I don't see any "LDAPTrustedGlobalCert" entries that tell Apache how to
> verify the server certificate... Have you defined any in the config file?
> http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
>
> Otherwise, you could also try adding this directive to see if it has any
> effect:
> LDAPVerifyServerCert Off
>
> Other than checking to verify the host name matches what's in the
> certificate, and making sure the CAs are set up, you could also check out this
> message:
> http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=395193
>
> FWIW!
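
Added example, not part of the original thread: a small Python check that reads httpd.conf text and reports the two states discussed above, an ldaps:// AuthLDAPURL with no LDAPTrustedGlobalCert, and LDAPVerifyServerCert Off, where the bind succeeds because the server certificate is no longer verified. The names audit_ldaps and parse_directives, the finding codes and the sample configs (host ldap.example.com) are constructed for illustration.

```python
import re

# One active directive per line: name, whitespace, arguments.
DIRECTIVE = re.compile(r'^([A-Za-z]\w*)\s+(.*)$')

def parse_directives(conf_text):
    """Yield (name_lowercased, first_argument) for each non-comment directive."""
    for line in conf_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and container tags such as <Location>.
        if not line or line[0] in '#<':
            continue
        m = DIRECTIVE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).split()[0].strip('"')

def audit_ldaps(conf_text):
    """Return finding codes for how the LDAPS server certificate is trusted."""
    uses_ldaps = has_ca = False
    verify = True  # the thread notes the default of LDAPVerifyServerCert is On
    for name, arg in parse_directives(conf_text):
        if name == 'authldapurl' and arg.lower().startswith('ldaps://'):
            uses_ldaps = True
        elif name == 'ldaptrustedglobalcert':
            has_ca = True
        elif name == 'ldapverifyservercert':
            verify = arg.lower() != 'off'
    if not uses_ldaps:
        return []
    if not verify:
        # TLS is still used, but any certificate is accepted.
        return ['VERIFY_DISABLED']
    # Verification is on; httpd.conf must name a CA to check against.
    return [] if has_ca else ['NO_TRUSTED_CA']

# Constructed sample configs mirroring the three states in the thread.
LOCATION = '''<Location /svn>
  AuthBasicProvider ldap
  AuthLDAPURL "ldaps://ldap.example.com:636/OU=staff,DC=example,DC=com?uid?sub?(objectClass=*)"
  Require valid-user
</Location>
'''
AS_POSTED = LOCATION
WITH_CA = 'LDAPTrustedGlobalCert CA_BASE64 /path/to/your/cert/file\n' + LOCATION
VERIFY_OFF = ('#LDAPTrustedGlobalCert CA_BASE64 /path/to/your/cert/file\n'
              'LDAPVerifyServerCert Off # default value is On\n' + LOCATION)

if __name__ == '__main__':
    for label, conf in [('as posted', AS_POSTED), ('with CA', WITH_CA),
                        ('verify off', VERIFY_OFF)]:
        print(label, audit_ldaps(conf))
```

Of the two resolutions in the reply, only the LDAPTrustedGlobalCert form comes back with no findings; the LDAPVerifyServerCert Off form is reported as VERIFY_DISABLED.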