Bug#235653: Status of Bug 235653?

To: Adam Conrad <adconrad@0c3.net>
Subject: Bug#235653: Status of Bug 235653?
From: Mike McCallister <mike@metalogue.com>
Date: Sat, 30 Apr 2005 01:44:11 -0500
Message-id: <[🔎] 20050430064410.GA964@yosemite.home.metalogue.com>
Reply-to: Mike McCallister <mike@metalogue.com>, 235653@bugs.debian.org
In-reply-to: <[🔎] 3447.130.194.13.105.1113980668.squirrel@mail.0c3.net>
References: <[🔎] 20050420053624.GA29940@yosemite.home.metalogue.com> <[🔎] 3447.130.194.13.105.1113980668.squirrel@mail.0c3.net>

On Wed, Apr 20, 2005 at 05:04:28PM +1000, Adam Conrad wrote:
> Note that the page you pointed to states that SSL is supported via the
> Netscape SDK *OR* TLS is supported via OpenLDAP.  I would read that to
> mean that the "LDAP: SSL support unavailable" message would be expected
> when using OpenLDAP.

After more research, I have found differently.  After configuring the
directives you mentioned below, my Apache error log now shows the
following on startup:

[Sat Apr 30 01:05:15 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sat Apr 30 01:05:15 2005] [notice] LDAP: SSL support available

So it seems that you can trust the messages in the log file to some
degree.

> Have you tried the LDAPTrustedCA and LDAPTrustedCAType directives
> which are pointed out at:
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#usingtls The
> way I read that would be that you shouldn't use "ldaps://" with
> OpenLDAP, but rather just "ldap://"; with the two directives above.
> If you can try that out and let me know if it works out of the box,
> then perhaps I can close this bug. :)

When I use the ldap:// value in the AuthLDAPUrl against an OpenLDAP
server configured to require TLS, I get an error message that strongly
indicates Apache did not attempt to start a TLS handshake after
connecting to the LDAP server.  The error message is:

[Sat Apr 30 00:30:05 2005] [warn] [client 192.168.2.33] [542] auth_ldap authenticate: user USERNAME authentication failed; URI / [ldap_simple_bind_s() to check user credentials failed][Confidentiality required]

"Confidentiality required" means that the client (in this case Apache)
attempted to provide a user-id and password to bind to the LDAP server
over an unencrypted link.  It appears to me that this is an upstream
bug that is fixed with Apache 2.1, but not in Apache 2.0:

	http://issues.apache.org/bugzilla/show_bug.cgi?id=18712

This Bugzilla report describes my experience exactly.

At this point I am giving up on trying to use TLS with mod_auth_ldap
until Apache 2.1 is released and packaged for Debian.  Thanks for your
help.

Reply to:

References:
- Bug#235653: Status of Bug 235653?
  - From: Mike McCallister <mike@metalogue.com>
- Bug#235653: Status of Bug 235653?
  - From: "Adam Conrad" <adconrad@0c3.net>

Prev by Date: Re: CAN-2005-1344: Buffer overflow in htdigest
Next by Date: Bug#256510: Apache2 .htaccess ErrorDocument
Previous by thread: Bug#235653: Status of Bug 235653?
Next by thread: Bug#305495: apache: AddDefaultCharset breaks the non-latin1 pages
Index(es):
- Date
- Thread