
Here is the full story with details below, I'd appreciate any suggestions.

I have a web server on which I need to enable Apache auth with LDAP for certain resources. I also have an OpenLDAP server that I can authenticate against. The OpenLDAP server has both ports 389 and 636 enabled and has a self-signed cert installed. The web server has the OpenLDAP client configured and can identify users. If I test the connection to OpenLDAP from the web server using this command:

openssl s_client -connect openldapserverIP:636 -showcerts

I get a response with all the correct info.

In the web server config I've added this:

<Directory /www/protect>
Order deny,allow
Deny from All
AuthName "identity"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindAuthoritative off
AuthLDAPUrl ldap://openldapIP/ou=People,dc=mydomain,dc=org?uid
AuthLDAPBindDN "cn=ldapreadonlyuser,dc=mydomain,dc=org"
AuthLDAPBindPassword "somethinghere"
AuthLDAPGroupAttribute memberUid
Require ldap-attribute myAttribute=800
Require ldap-attribute myAttribute=820
Satisfy any
LogLevel debug
</Directory>

and it works.

Then if I enable secure connection, changing the connection string to:

AuthLDAPUrl ldaps://openldapIP/ou=People,dc=mydomain,dc=org?uid TLS

or

AuthLDAPUrl ldap://openldapIP:636/ou=People,dc=mydomain,dc=org?uid TLS

it does not work.

Here is the error log:

auth_ldap authenticate: user x authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)

Thanks in advance!

2 Answers


You need to use

LDAPVerifyServerCert Off

at a global level in your Apache configuration. That's because your certificate is self-signed.


1 Comment

It would be safer to use romank's answer, and just tell Apache that the LDAP server's self-signed cert is the one to trust. Self-signed or not, it's the one your authentic LDAP server should be presenting. Turning verification off would let Apache happily connect to an impostor LDAP server using some other certificate and pretending to be yours.

Put your CA cert and the LDAP server's cert in /etc/pki/mycerts/certs-bundle.pem and add the parameter LDAPTrustedGlobalCert CA_BASE64 /etc/pki/mycerts/certs-bundle.pem to your httpd.conf.
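An added example, not code from either answer, showing how the two answers fit together in httpd.conf: the server-level trust directive from this answer replaces LDAPVerifyServerCert Off, and the directory block is the question's own with the ldaps URL. The bundle path and names come from the page; the bundle contents, the SSL/TLS keyword note and the hostname remark are assumptions.

```apache
# Server-level (outside any <Directory>/<VirtualHost>) in httpd.conf.
# The bundle is assumed to hold the PEM-encoded self-signed server cert
# (and the CA cert, if one exists); the path is the one from the answer.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/mycerts/certs-bundle.pem
# On is the default; stating it makes a stray "Off" elsewhere easy to spot.
LDAPVerifyServerCert On

# Weak alternative from the first answer, kept commented out for contrast:
# with verification off, any certificate, including an impostor's, is accepted.
# LDAPVerifyServerCert Off

<Directory /www/protect>
    Order deny,allow
    Deny from All
    AuthName "identity"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    # ldaps:// on 636 is TLS from the first byte; the trailing keyword
    # "SSL" states that explicitly. The keyword "TLS" instead requests
    # STARTTLS, an in-band upgrade on a plain ldap:// connection (port 389),
    # which is not what the server offers on 636.
    # If the self-signed cert names a hostname, use that hostname here
    # rather than a bare IP so the SDK's name check can match it.
    AuthLDAPUrl "ldaps://openldapIP/ou=People,dc=mydomain,dc=org?uid" SSL
    AuthLDAPBindDN "cn=ldapreadonlyuser,dc=mydomain,dc=org"
    AuthLDAPBindPassword "somethinghere"
    AuthLDAPGroupAttribute memberUid
    Require ldap-attribute myAttribute=800
    Require ldap-attribute myAttribute=820
    Satisfy any
    LogLevel debug
</Directory>
```

After restarting httpd, the earlier "Can't contact LDAP server" bind failure should disappear from the error log if the bundle contains the certificate the server actually presents (the one shown by the openssl s_client test).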
