After upgrading a machine from fedora 13 to fedora 14 (with all <br>updates), I was suddenly unable to get its httpd to authenticate<br>with my LDAP servers. After connecting my browser to the web server<br>with https, and typing in my username and password,<br>
I get an Internal Server Error response.<br>My configuration is:<br><br>LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ca-bundle.crt<br>LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.asc<br><Directory /var/www/html/ssl><br>
AuthType Basic <br> AuthName "User Login" <br> AuthBasicProvider ldap <br> AuthLDAPURL "ldap://<a href="http://serv1.foo.org">serv1.foo.org</a> <a href="http://serv2.foo.org/dc=foo,dc=org">serv2.foo.org/dc=foo,dc=org</a>" TLS <br>
AuthzLDAPAuthoritative off <br> require valid-user <br> SSLOptions +StrictRequire<br> SSLRequireSSL <br></Directory><br><br>The httpd debugging log shows:<br>auth_ldap authenticate: user XXXX authentication failed;<br>
URI /ssl/staff/index.shtml<br>[LDAP: ldap_start_tls_s() failed][Connect error]<br><br>Changing AuthLDAPURL to use SSL instead of TLS also fails but with:<br>[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]<br>
<br>tcpdump shows that the httpd client connects to the LDAP server,<br>and is sent:<br>Start TLSrequest accepted Server willing to negotiate SSL<br>but no certificate info is exchanged and the client quickly closes<br>the connection.<br>
<br>Changing AuthLDAPURL to use NONE makes it connect successfully.<br><br>serv1 uses a cert purchased from GoDaddy,<br>and serv2 uses a self signed cert<br>(which is /etc/openldap/cacerts/cacert.asc).<br>Both servers are 389-ds.<br>
Both certs mentioned in LDAPTrustedGlobalCert are valid and world<br>readable. ldapsearch is able to connect to both servers with TLS.<br><br>On another machine with the same httpd configuration, but still at<br>fedora 13, httpd is able to connect securely even<br>
without the LDAPTrustedGlobalCert lines.<br><br><br>As a side note, after upgrading to fedora 14, I had to add<br>tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt<br>to /etc/nss_ldap.conf and /etc/pam_ldap.conf<br>and also add<br>
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt<br>to /etc/openldap/ldap.conf<br>in order to get those to work.<br>Under fedora 13, everything worked without those lines.<br><br><br>I don't know if this is a problem with httpd's mod_authnz_ldap<br>
or its mod_ldap or with openldap, or just a configuration mistake<br>on my part, but it used to work before the upgrade.<br>I have searched all over for an answer to this problem<br>because I can't believe that I am the only one having it,<br>
but I have found nothing.<br>I welcome any ideas.<br>