
Re: debugging tls (apache2 mod_ldap)



>
> Hi there, sorry if this is a bit offtopic

I bet so :)

> but I have a head-shaped
> hole in my desk, and figured you folks might have seen this before.

I guess apache has been instructed to use tls somehow; either
you find out how to disable it, or you use plain ldap:// proto
instead of ldaps:// but I'm not familiar with apache's
configuration so this is just a guess about the steps you need
to take.  In any case you need to pick what approach to encrypting
the communication you want to use.

p.

>
> I'm trying to use mod_auth_ldap and openldap to authenticate
> users, it's worked well in the past but I've been banging my head
> on a particular server.
>
> It's using ldaps://, the connect appears to happen but then
> I get the following error from mod_ldap (this is apache2 so
> auth_ldap has mod_ldap handling the binds for it, names changed to
> protect the ignorant) :
>
> [Mon Jul 05 15:29:40 2004] [info] Subsequent (No.2) HTTPS request received for child 1 (server ourwebserver.uk:443)
> [Mon Jul 05 15:29:40 2004] [debug] mod_auth_ldap.c(304): [client 1.2.3.4] [4537] auth_ldap authenticate: using URL ldaps://our.ldap.server/o=whatever?uid??(ou=*theou*)
> [Mon Jul 05 15:29:40 2004] [warn] [client 1.2.3.4] [4537] auth_ldap authenticate: user username authentication failed; URI / [LDAP: ldap_set_option - LDAP_OPT_X_TLS_HARD failed][Unknown error]
> [Mon Jul 05 15:29:55 2004] [debug] ssl_engine_io.c(1511): OpenSSL: I/O error, 5 bytes expected to read on BIO#81e0400 [mem: 81e7a80]
>
> The relevant line mentioned in the errorlog is:
>
>     /* handle bind failure */
>     if (result != LDAP_SUCCESS) {
>         ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
>                       "[%d] auth_ldap authenticate: "
>                       "user %s authentication failed; URI %s [%s][%s]",
>                       getpid(), r->user, r->uri, ldc->reason,
>                       ldap_err2string(result));
>
>
> and the OPT_X_TLS_HARD line comes from util_ldap.c:
>
>                     if (LDAP_SUCCESS != result)
>                     {
>                         ldap_unbind_s(ldc->ldap);
>                         ldc->reason = "LDAP: ldap_set_option - LDAP_OPT_X_TLS_HARD failed";
>                         ldc->ldap = NULL;
>                     }
>
>
> Apologies for the apache specifics, but it's really all I have to go on.
>
> I can use ldapsearch to see entries in the server in question, but oddly
> it doesn't return to a prompt, it seems to hang.
>
> My question is really whether there's any debugging steps I can take?
> Ideally I'd happily just use SSL, it looks to me like it's trying to
> to TLS inside the SSL session, which just seems silly.
>
> Do I have an option to just do SSL without TLS, or is that being
> requested by the server? Is it likely to be an issue on their end?
>
> How would regulars on this list proceed?
>
> Thanks a lot.
>
> --
> Rasputin :: Jack of All Trades - Master of Nuns
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
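An added example, not code from this thread, from Apache or from OpenLDAP: a small triage script that reads the Apache 2.0 error_log records quoted above, parses the "authentication failed; URI ... [reason][error]" line using the format string from mod_auth_ldap.c shown in the mail, pairs it with the "using URL" debug line of the same child pid, and separates a TLS setup failure (the LDAP_OPT_X_TLS_HARD reason string from util_ldap.c) from other failures. The sample log text is the quoted records re-joined onto one line each; the `stage` labels and all function names are this example's own.

```python
"""Triage mod_auth_ldap failures in an Apache 2.0 error_log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the error_log records quoted in the thread, one record
# per line (the mail client had wrapped them).
SAMPLE_LOG = """\
[Mon Jul 05 15:29:40 2004] [info] Subsequent (No.2) HTTPS request received for child 1 (server ourwebserver.uk:443)
[Mon Jul 05 15:29:40 2004] [debug] mod_auth_ldap.c(304): [client 1.2.3.4] [4537] auth_ldap authenticate: using URL ldaps://our.ldap.server/o=whatever?uid??(ou=*theou*)
[Mon Jul 05 15:29:40 2004] [warn] [client 1.2.3.4] [4537] auth_ldap authenticate: user username authentication failed; URI / [LDAP: ldap_set_option - LDAP_OPT_X_TLS_HARD failed][Unknown error]
[Mon Jul 05 15:29:55 2004] [debug] ssl_engine_io.c(1511): OpenSSL: I/O error, 5 bytes expected to read on BIO#81e0400 [mem: 81e7a80]
"""

# Mirrors the ap_log_rerror format string quoted from mod_auth_ldap.c:
#   "[%d] auth_ldap authenticate: user %s authentication failed; URI %s [%s][%s]"
# i.e. [pid] ... user <user> ... URI <uri> [ldc->reason][ldap_err2string(result)]
AUTH_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] \[client (?P<client>[^\]]+)\] "
    r"\[(?P<pid>\d+)\] auth_ldap authenticate: user (?P<user>\S+) "
    r"authentication failed; URI (?P<uri>\S+) "
    r"\[(?P<reason>[^\]]*)\]\[(?P<err>[^\]]*)\]$"
)

# The debug record that names the LDAP URL the module is using for this pid.
USING_URL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] mod_auth_ldap\.c\(\d+\): "
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap authenticate: using URL (?P<url>\S+)$"
)


@dataclass
class Failure:
    pid: int
    client: str
    user: str
    uri: str
    reason: str        # ldc->reason from util_ldap.c
    ldap_error: str    # ldap_err2string(result)
    url: Optional[str]  # from the matching "using URL" debug record, if seen

    @property
    def scheme(self) -> Optional[str]:
        """URL scheme in use: ldaps (TLS on connect) or ldap (plain/StartTLS)."""
        if self.url and "://" in self.url:
            return self.url.split("://", 1)[0]
        return None

    @property
    def stage(self) -> str:
        """Our own label for where the attempt died (not an Apache term)."""
        if "LDAP_OPT_X_TLS_HARD" in self.reason:
            # The reason string is set when ldap_set_option() on the TLS
            # option fails, so this is a TLS configuration failure on the
            # connection, not a rejected password.
            return "tls-setup"
        return "other"


def parse_failures(log_text: str) -> List[Failure]:
    """Return one Failure per 'authentication failed' record in log_text."""
    urls: Dict[int, str] = {}
    failures: List[Failure] = []
    for line in log_text.splitlines():
        m = USING_URL_RE.match(line)
        if m:
            urls[int(m["pid"])] = m["url"]
            continue
        m = AUTH_FAIL_RE.match(line)
        if m:
            pid = int(m["pid"])
            failures.append(Failure(
                pid=pid, client=m["client"], user=m["user"], uri=m["uri"],
                reason=m["reason"], ldap_error=m["err"], url=urls.get(pid),
            ))
    return failures


def triage(failures: List[Failure]) -> List[str]:
    """One human-readable line per failure, for a quick scan of the log."""
    return [
        f"pid {f.pid} client {f.client} user {f.user}: stage={f.stage} "
        f"scheme={f.scheme or '?'} reason='{f.reason}' error='{f.ldap_error}'"
        for f in failures
    ]


if __name__ == "__main__":
    for line in triage(parse_failures(SAMPLE_LOG)):
        print(line)
```

Run against the quoted records it reports a single failure for pid 4537 with stage `tls-setup` and scheme `ldaps`, which is the point the reply makes: the failure sits in how the connection's TLS is being set up, so the fix is in the encryption choice (ldaps:// versus plain ldap://, or the TLS settings), not in the user's credentials.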