Date:      Thu, 19 Nov 2009 11:33:05 -0500
From:      Maxim Khitrov <mkhitrov@gmail.com>
To:        Free BSD Questions list <freebsd-questions@freebsd.org>
Subject:   Apache 2.2 mod_ldap refusing to work over SSL/TLS
Message-ID:  <26ddd1750911190833l2b5ff6beucc652f7ed338c1a@mail.gmail.com>

Hello all,

I have wasted many hours on this and am no closer to a solution. I'm trying
to get Apache 2.2 on FreeBSD 7.2 to authenticate against our Active
Directory (Windows 2003).

The current status is that authentication works without problems when
SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
to the server and run queries using the ldapsearch tool. Server
certificate verification works without any problems.

The relevant portions of ldap.conf and httpd.conf are identical, so if
I can use SSL and TLS with ldapsearch, there is no reason why it
shouldn't be working from Apache. Just to be on the safe side, I've
turned off server certificate verification with the 'LDAPVerifyServerCert
Off' directive.

So... Unencrypted authentication works, SSL authentication results in
"[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]", and
TLS authentication gives "[LDAP: ldap_start_tls_s() failed][Connect
error]". I had nothing else to go on, so I decided to capture the
packets that are being sent between the Apache and Active Directory
servers. I then compared this packet capture with what ldapsearch does
(both using TLS).

In summary, ldapsearch and apache send an identical
LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
with an identical "Result: Status: Success, MatchedDN: NULL,
ErrorMessage: NULL" packet. But while ldapsearch then goes on to the
certificate and key exchange phase, Apache responds with
"OperationHeader: Unbind Request, 2(0x2)" and terminates the
connection.

As far as I can tell, it doesn't even get to the certificate
verification phase even though the STARTTLS command is successful.
Anyone have a clue on what could be causing this?

- Max
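The exchange Max captured is the LDAP StartTLS extended operation from RFC 4511: the client sends an ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037, the server answers with an ExtendedResponse whose resultCode is success (0), and only then does the client begin the TLS handshake on the same socket; an Unbind at that point is the client giving up before any certificate is ever seen. The following is an added example, not code from the original post, from Apache or from OpenLDAP: it builds the StartTLS request and the Unbind packet byte for byte, parses the server's ExtendedResponse (including the non-success case), and performs the live exchange the way ldapsearch does, with the TLS verification switch shown both on and off so the equivalent of 'LDAPVerifyServerCert Off' is explicit. The host name, CA path and the two sample response byte strings are constructed for illustration (encoded by hand from the RFC, not taken from the poster's capture).

```python
"""Added example: the LDAP StartTLS exchange (RFC 4511 s.4.14) at the byte level.
Not from the original post, Apache or OpenLDAP. Sample bytes below are constructed
by hand from the BER rules; 'ad.example.local' and the CA path are placeholders."""
import socket
import ssl

START_TLS_OID = "1.3.6.1.4.1.1466.20037"

# --- minimal BER helpers (definite length only; enough for LDAPMessage) ---

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- the three messages that appear in the capture ---

def start_tls_request(msg_id):
    """LDAPMessage{ messageID, ExtendedRequest{ requestName [0] = StartTLS OID } }."""
    ext = _tlv(0x80, START_TLS_OID.encode())            # requestName, context tag [0]
    op = _tlv(0x77, ext)                                 # [APPLICATION 23] constructed
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)

def unbind_request(msg_id):
    """The 'Unbind Request, 2(0x2)' seen from Apache: [APPLICATION 2] NULL."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bytes([0x42, 0x00]))

def parse_extended_response(buf):
    """Decode LDAPMessage{ messageID, ExtendedResponse{ LDAPResult, responseName? } }."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:                                      # [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = _read_tlv(op, 0)                        # resultCode ENUMERATED
    _, dn, pos = _read_tlv(op, pos)                      # matchedDN
    _, diag, pos = _read_tlv(op, pos)                    # diagnosticMessage
    out = {"msg_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(rc, "big"),
           "matched_dn": dn.decode(), "diag": diag.decode(), "response_name": None}
    while pos < len(op):                                 # optional trailing fields
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:                                  # responseName, context tag [10]
            out["response_name"] = val.decode()
    return out

# Constructed sample responses (hand-encoded, not from the poster's pcap):
# success with responseName echoed, as AD does, and a refusal (52 = unavailable).
SAMPLE_STARTTLS_OK = bytes.fromhex(
    "3024020101781f0a0100040004008a16312e332e362e312e342e312e313436362e3230303337")
SAMPLE_STARTTLS_REFUSED = bytes.fromhex(
    "301b020101781 60a0134040004 0f544c5320756e617661696c61626c65".replace(" ", ""))

# --- the live exchange, the way ldapsearch sequences it ---

def _recv_message(sock):
    """Read exactly one BER TLV from a blocking socket."""
    head = sock.recv(2)
    length = head[1]
    if length & 0x80:
        extra = sock.recv(length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    body = b""
    while len(body) < length:
        body += sock.recv(length - len(body))
    return head + body

def start_tls(sock, server_name, cafile=None, verify=True):
    """Send StartTLS, check the result, then wrap the same socket in TLS.
    verify=False is the equivalent of 'LDAPVerifyServerCert Off' and
    accepts any certificate, so use it only to isolate a failure."""
    sock.sendall(start_tls_request(1))
    resp = parse_extended_response(_recv_message(sock))
    if resp["result_code"] != 0:
        sock.sendall(unbind_request(2))
        raise RuntimeError("StartTLS refused (%d): %s" % (resp["result_code"], resp["diag"]))
    ctx = ssl.create_default_context(cafile=cafile)     # verifies chain + host name
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx.wrap_socket(sock, server_hostname=server_name)

if __name__ == "__main__":                               # placeholder host and CA file
    with socket.create_connection(("ad.example.local", 389), timeout=5) as s:
        tls = start_tls(s, "ad.example.local", cafile="/usr/local/etc/ssl/ad-ca.pem")
        print("TLS established:", tls.version(), tls.getpeercert()["subject"])
```

Running the script against a real directory server reproduces the capture in the post: a 29-byte StartTLS request, a success ExtendedResponse, and then the ClientHello on the same TCP connection. If the response parses as success but the handshake never starts, the problem is on the client side after the extended operation, which is exactly where the capture shows Apache sending Unbind.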


