Bug#235653: Status of Bug 235653?
On Wed, Apr 20, 2005 at 05:04:28PM +1000, Adam Conrad wrote:
> Note that the page you pointed to states that SSL is supported via the
> Netscape SDK *OR* TLS is supported via OpenLDAP. I would read that to
> mean that the "LDAP: SSL support unavailable" message would be expected
> when using OpenLDAP.
After more research, I have found differently. After configuring the
directives you mentioned below, my Apache error log now shows the
following on startup:
[Sat Apr 30 01:05:15 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Apr 30 01:05:15 2005] [notice] LDAP: SSL support available
So it seems that you can trust the messages in the log file to some
> Have you tried the LDAPTrustedCA and LDAPTrustedCAType directives
> which are pointed out at:
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#usingtls The
> way I read that would be that you shouldn't use "ldaps://" with
> OpenLDAP, but rather just "ldap://" with the two directives above.
> If you can try that out and let me know if it works out of the box,
> then perhaps I can close this bug. :)
When I use the ldap:// value in the AuthLDAPUrl against an OpenLDAP
server configured to require TLS, I get an error message that strongly
indicates Apache did not attempt to start a TLS handshake after
connecting to the LDAP server. The error message is:
[Sat Apr 30 00:30:05 2005] [warn] [client 192.168.2.33]  auth_ldap authenticate: user USERNAME authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Confidentiality required]
"Confidentiality required" means that the client (in this case Apache)
attempted to provide a user-id and password to bind to the LDAP server
over an unencrypted link. It appears to me that this is an upstream
bug that is fixed with Apache 2.1, but not in Apache 2.0:
This Bugzilla report describes my experience exactly.
At this point I am giving up on trying to use TLS with mod_auth_ldap
until Apache 2.1 is released and packaged for Debian. Thanks for your