I have a problem using apache ldap over SSL.
os: fedora core 3 (updated with yum)
tools: fedora directory server 1.0.2, HTTPd 2.0.53, mod_ssl 1:2.0.53, mod_auth_ldap, mod_ldap
errors:
In /var/log/http/error_log:
auth_ldap authenticate: user test authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
In /opt/fedora-ds/slapd-id/logs/access:
SSL connection from 127.0.0.1 to 127.0.0.1 closed - Encountered end of file
I have no problem without ssl.
In httpd.conf:
LDAPTrustedCA /etc/httpd/conf/ssl.crt/certificat.pem
LDAPTrustedCAType BASE64_FILE
<Directory "/var/www/html">
    AuthLDAPEnabled on
    AuthLDAPURL ldaps://name_of_LDAPserver:636/dc=***,dc=***?uid
    require group dn_groupe
</Directory>
In fedora directory server, I use
certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc
to export the CA cert. Then I copy the contents of cacert.asc into /etc/httpd/conf/ssl.crt/certificat.pem.
So /etc/httpd/conf/ssl.crt/certificat.pem looks like:
-----BEGIN CERTIFICATE-----
kjbfilqbvlsdbvlisdf........
-----END CERTIFICATE-----
Note this message in the access log when the httpd server starts:
LDAP: Built with OpenLDAP LDAP SDK
LDAP: SSL support unavailable
Is there a solution for this problem? Can I use apache / ssl / auth_mod_ldap / ldap(s) together? Maybe I missed something?
Do I have to rebuild my auth_ldap module?
I want to rebuild the srpm from fedora core 3 updates, and include --with-ldap-sdk=netscape for the auth_ldap module. But I have no idea where to specify this. The httpd.spec file defines core options, but not module options. Where can I specify configure options for the auth_ldap module? Any hints would be very appreciated...
The time you spend on me is very appreciated.
Regards
Mickael Besse wrote:
Note this message in the access log when the httpd server starts:
LDAP: Built with OpenLDAP LDAP SDK
LDAP: SSL support unavailable
This message tells you that SSL support is not available in the OpenLDAP SDK linked to by mod_auth_ldap.
You need to make sure that OpenLDAP is built with SSL enabled, or mod_auth_ldap is linked to an LDAP library that has SSL enabled, otherwise none of the SSL LDAP support will work.
I want to rebuild the srpm from fedora core 3 updates, and include --with-ldap-sdk=netscape for the auth_ldap module. But I have no idea where to specify this. The httpd.spec file defines core options, but not module options.
This isn't true, both module and core options are specified on the same ./configure line, as the modules are included in the same rpm. Just change the ./configure line as you require to include the Netscape LDAP SDK, and watch the compile to make sure you are not still picking up OpenLDAP. If you want to use mod_auth_ldap for anything in production, I suggest downloading and installing httpd v2.2 (available from Apache either as source or as an SRPM) rather than the httpd v2.0 that comes with Fedora 3. Lots of things in v2.0 were fixed in v2.2.
Regards, Graham --
I made a mistake: when the httpd server starts, there is this message in the access log:
Digest: generating secret for digest authentication ...
[Thu Jun 08 18:04:02 2006] [notice] Digest: done
[Thu Jun 08 18:04:02 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 08 18:04:02 2006] [notice] LDAP: SSL support available
and
I tried to modify httpd.spec and add --with-ldap-sdk=netscape after
../configure \
or after
mpmbuild prefork \
    --enable-mods-shared=all \
    --enable-ssl --with-ssl --enable-distcache \
    --enable-proxy \
    --enable-cache --enable-mem-cache \
    --enable-file-cache --enable-disk-cache \
    --enable-ldap --enable-auth-ldap \
but it changes nothing.
From: Graham Leggett minfrin@sharp.fm Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Thu, 08 Jun 2006 17:29:21 +0200
On Fri, June 9, 2006 10:22 am, Mickael Besse wrote:
I made a mistake: when the httpd server starts, there is this message in the access log:
Digest: generating secret for digest authentication ...
[Thu Jun 08 18:04:02 2006] [notice] Digest: done
[Thu Jun 08 18:04:02 2006] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Jun 08 18:04:02 2006] [notice] LDAP: SSL support available
This tells you that mod_auth_ldap is built against an SSL enabled openldap library, so this should be fine, there is no need to recompile mod_auth_ldap or httpd.
I tried to modify httpd.spec and add --with-ldap-sdk=netscape after
../configure \
or after
mpmbuild prefork \
    --enable-mods-shared=all \
    --enable-ssl --with-ssl --enable-distcache \
    --enable-proxy \
    --enable-cache --enable-mem-cache \
    --enable-file-cache --enable-disk-cache \
    --enable-ldap --enable-auth-ldap \
but it changes nothing.
I am not sure what you are trying to achieve by adding --with-ldap-sdk=netscape to ./configure. mod_auth_ldap has already found an SSL enabled LDAP toolkit, there is nothing further you need to do.
Go through your config again and check that the FDS is listening on the IP and port you specified in your mod_auth_ldap config.
Regards, Graham --
In the access log of FDS there is:
SSL connection from ... to ....
[09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end of file.
Thus, the connection arrives at FDS but it is directly closed. I don't know what "Encountered end of file" means??
From: "Graham Leggett" minfrin@sharp.fm Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com CC: fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Fri, 9 Jun 2006 11:28:47 +0200 (SAST)
On Fri, June 9, 2006 12:08 pm, Mickael Besse wrote:
In the access log of FDS there is:
SSL connection from ... to ....
[09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end of file.
Thus, the connection arrives at FDS but it is directly closed. I don't know what "Encountered end of file" means??
This sounds like either side isn't agreeing on whether SSL is enabled or not.
Is SSL enabled on both sides?
Regards, Graham --
I'm sure SSL is enabled on FDS, because I've got 2 servers replicated over SSL and I can connect over SSL to FDS with Jxplorer.
On the server where apache is installed, I have tested without problems the pam module with SSL enabled to log in with an account created only in FDS.
And the httpd log says that SSL support is available. I don't know what to do?????
From: "Graham Leggett" minfrin@sharp.fm Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com CC: fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Fri, 9 Jun 2006 13:14:15 +0200 (SAST)
Mickael Besse wrote:
I'm sure SSL is enabled on FDS, because I've got 2 servers replicated over SSL and I can connect over SSL to FDS with Jxplorer.
On the server where apache is installed, I have tested without problems the pam module with SSL enabled to log in with an account created only in FDS.
And the httpd log says that SSL support is available. I don't know what to do?????
Are you running httpd v2.0.x or v2.2.x?
Regards, Graham --
Httpd v 2.0.53
From: Graham Leggett minfrin@sharp.fm Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Fri, 09 Jun 2006 20:32:34 +0200
On Mon, June 12, 2006 12:18 pm, Mickael Besse wrote:
Httpd v 2.0.53
Use the latest v2.2.x. The LDAP support in v2.0.x was experimental, and a lot of rewriting and fixing happened that could not be easily backported to v2.0. When v2.2.0 of httpd was finally released a while back, the LDAP support was no longer experimental.
The v2.2.x httpd should work with SSL, I spent quite a bit of time trying to bend my head around the different LDAP client toolkits to make sure their SSL worked consistently for APR.
Regards, Graham --
I've installed fedora core 5 and tried to configure httpd 2.2.
Without SSL, it's ok with this conf:
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/cert.pem
<Directory "/var/www/html">
    AuthName "bienvenue"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://*.*.*.*/dc=*,dc=*?uid?sub
    AuthzLDAPAuthoritative off
    require valid-user
</Directory>
Then I just replaced ldap with ldaps, and after my first login (I don't have three attempts), I'm redirected to this page:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
In the httpd log I have:
auth_ldap authenticate: user test authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
In the fedora directory server log:
SSL connection from 10.50.7.72 to 10.50.7.72
[15/Jun/2006:12:18:04 +0200] conn=308 SSL 256-bit AES
[15/Jun/2006:12:18:04 +0200] conn=308 op=-1 fd=68 closed - B1
Do I have to change anything other than AuthLDAPURL for SSL???
From: "Graham Leggett" minfrin@sharp.fm Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com CC: fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Mon, 12 Jun 2006 13:28:36 +0200 (SAST)
It's a certificate problem, because if I use:
LDAPVerifyServerCert off
it's OK..............
I searched about this certificate problem and tried several things, but I have some questions:
I use http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
I tried to do the same as for the Netscape/Mozilla/iPlanet SDK:
LDAPTrustedGlobalCert CA_CERT7_DB /../slapd-idserver-cert8.db
LDAPTrustedClientCert issuerdn
but it doesn't work.
I tried
LDAPTrustedGlobalCert CA_BASE64 /../cert.pem
no change.
I don't really know how to import the CA. My CA is a self-signed CA created with certutil; is that a problem?
Mickael Besse wrote:
I searched about this certificate problem and tried several things, but I have some questions:
I use http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
I tried to do the same as for the Netscape/Mozilla/iPlanet SDK:
LDAPTrustedGlobalCert CA_CERT7_DB /../slapd-idserver-cert8.db
LDAPTrustedClientCert issuerdn
but it doesn't work.
Which LDAP client library is linked to httpd? Your previous logs implied it was OpenLDAP, not Netscape/Mozilla/iPlanet SDK.
Keep in mind the client LDAP library is unrelated to the server you are using (FDS).
Regards, Graham --
Which LDAP client library is linked to httpd? Your previous logs implied it was OpenLDAP, not Netscape/Mozilla/iPlanet SDK.
Keep in mind the client LDAP library is unrelated to the server you are using (FDS).
Regards, Graham --
The problem is that in the logs of httpd 2.2 there is nothing said about which SDK library is linked to httpd. I don't know where I can see that?
Mickael Besse wrote:
The problem is that in the logs of httpd 2.2 there is nothing said about which SDK library is linked to httpd. I don't know where I can see that?
If you turn the httpd logging level up to DEBUG, it should say which toolkit it linked to.
Alternatively, if you built it from source, the ./configure line for apr-util will have told you "linking with LDAP library: OpenLDAP" or something similar.
Regards, Graham --
If you turn the httpd logging level up to DEBUG, it should say which toolkit it linked to.
This just says:
[debug] util_ldap.c(1525): LDAP: SSL trusted global cert - ....... (type CA_BASE64)
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(840): [2518] auth_ldap url parse: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(849): [2518] auth_ldap url parse: Host: ..
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(851): [2518] auth_ldap url parse: Port: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(853): [2518] auth_ldap url parse: DN: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(855): [2518] auth_ldap url parse: attrib: ...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(857): [2518] auth_ldap url parse: scope:...
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(862): [2518] auth_ldap url parse: filter: (null)
[Tue Jun 20 11:59:04 2006] [debug] mod_authnz_ldap.c(936): LDAP: auth_ldap using SSL connections
Alternatively, if you built it from source, the ./configure line for apr-util will have told you "linking with LDAP library: OpenLDAP" or something similar.
I didn't build it from source, I've installed fedora core 5 and use the httpd installed with
Mickael Besse wrote:
I didn't build it from source, I've installed fedora core 5 and use the httpd installed with
In that case, chances are it uses OpenLDAP as a client library.
Go to http://httpd.apache.org/docs/2.2/mod/mod_ldap.html and follow the instructions under "OpenLDAP SDK".
Regards, Graham --
Thanks everyone.
The problem was that in httpd.conf I used the IP address of FDS in AuthLDAPURL. I must use the fully qualified domain name, like the cn attribute of the FDS certificate.
So it's OK.
Mickael Besse wrote:
Thanks everyone.
The problem was that in httpd.conf I used the IP address of FDS in AuthLDAPURL. I must use the fully qualified domain name, like the cn attribute of the FDS certificate.
So it's OK.
Great, glad you got it to work!
And thanks for letting us know. All too often mail threads just end and we never know if we helped :-)
cheers
rob
Try ldd /usr/sbin/httpd
Look for the ldap library.
The ldap library is: libldap-2.3.so.0
I tried what http://httpd.apache.org/docs/2.2/mod/mod_ldap.html says about the OpenLDAP SDK and I've got several errors:
Invalid command 'AuthLDAPEnabled'
LDAPTrustedClientCert not allowed here (I put it between <Directory "/var/www/html">... </Directory>)
Invalid command 'AuthLDAPAuthoritative'
My httpd.conf is:
LDAPTrustedGlobalCert CA_DER /etc/httpd/conf/CAcertificat.der
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/cacertificat.pem
(it's the same as CAcertificat.der but in pem format)
LDAPTrustedClientCert CERT_BASE64 /etc/httpd/conf/servcert.pem
LDAPTrustedClientCert KEY_BASE64 /etc/httpd/conf/servkey.pem
<Directory "/var/www/html">
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL ldaps://*.*.*.*/dc=*,dc=*?uid?sub
    require valid-user
    AuthName "bienvenue"
</Directory>
and it doesn't work..
I used ethereal and this is what is exchanged between apache and FDS:
SSLv2 Client Hello (apache to FDS)
TLS Server Hello, Certificate, Certificate Request, Server Hello Done (FDS to apache)
TLS Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message (apache to FDS)
TLS Change Cipher Spec, Encrypted Handshake Message (FDS to apache)
TLS Encrypted Alert alert (21) (apache to FDS)
Does someone have an idea??
Mickael Besse wrote:
I used ethereal and this is what is exchanged between apache and FDS:
SSLv2 Client Hello (apache to FDS)
TLS Server Hello, Certificate, Certificate Request, Server Hello Done (FDS to apache)
TLS Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message (apache to FDS)
TLS Change Cipher Spec, Encrypted Handshake Message (FDS to apache)
TLS Encrypted Alert alert (21) (apache to FDS)
Does someone have an idea??
I have two:
1. Apache doesn't trust or know about the CA that issued the certificate in FDS.
2. The hostname you are using in your Apache config to connect to the FDS server doesn't match the CN in the certificate subject.
rob
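The two causes listed above (an untrusted CA, or a host name in the Apache config that does not match the certificate CN) can be checked with a short script. This is an added example, not part of the original thread: ldap.example.test, 192.0.2.10, the config fragments and the certificate dict are constructed placeholders, and the dict has the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
# Added example: compare the host in AuthLDAPURL with the names in the LDAP
# server certificate. All sample values below are constructed.
import ipaddress
import re
import socket
import ssl
from urllib.parse import urlsplit

def ldap_url_target(conf_text):
    """Return (scheme, host, port) from the first AuthLDAPURL directive."""
    m = re.search(r'^\s*AuthLDAPURL\s+"?([^\s"]+)', conf_text, re.M | re.I)
    if not m:
        raise ValueError("no AuthLDAPURL directive found")
    url = urlsplit(m.group(1))
    if not url.hostname:
        raise ValueError("AuthLDAPURL has no host part")
    default_port = 636 if url.scheme == "ldaps" else 389
    return url.scheme, url.hostname, url.port or default_port

def cert_names(cert):
    """Names the certificate is valid for: subjectAltName if present, else CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(host, pattern):
    """Exact match, or one leftmost '*' label (DNS names only, never IPs)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*.") and not is_ip(host):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit(conf_text, cert):
    """Return (code, message) findings; an empty list means the names line up."""
    findings = []
    scheme, host, _port = ldap_url_target(conf_text)
    if scheme != "ldaps":
        findings.append(("not-ldaps", "AuthLDAPURL is not an ldaps:// URL"))
    if re.search(r"^\s*LDAPVerifyServerCert\s+off\b", conf_text, re.M | re.I):
        findings.append(("verify-off", "server certificate is not verified"))
    names = cert_names(cert)
    if not any(name_matches(host, n) for n in names):
        kind = "IP address" if is_ip(host) else "host name"
        findings.append(("name-mismatch", f"{kind} {host} not in certificate names {names}"))
    return findings

def fetch_server_cert(host, port, cafile):
    """Live variant: validate the chain against cafile, return the peer cert dict.
    Raises ssl.SSLCertVerificationError if the issuing CA is not in cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # audit() reports the name mismatch instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificate, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {"subject": ((("commonName", "ldap.example.test"),),)}
# Constructed httpd.conf fragments: IP address in the URL, then the FQDN.
CONF_IP = """
<Directory "/var/www/html">
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://192.0.2.10/dc=example,dc=test?uid?sub
    require valid-user
</Directory>
"""
CONF_FQDN = CONF_IP.replace("192.0.2.10", "ldap.example.test")

if __name__ == "__main__":
    for label, conf in (("IP in URL", CONF_IP), ("FQDN in URL", CONF_FQDN)):
        print(label, "->", audit(conf, SAMPLE_CERT) or "OK")
```

Against a real server, pass the result of fetch_server_cert(host, 636, cafile) to audit() in place of SAMPLE_CERT; a verification error there points at the CA file, a name-mismatch finding points at the AuthLDAPURL host.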
Mickael Besse wrote:
In the access log of FDS there is:
SSL connection from ... to ....
[09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end of file.
Thus, the connection arrives at FDS but it is directly closed. I don't know what "Encountered end of file" means??
It means that some library or system call returned an EOF error code. But that's probably not terribly useful information in diagnosing the problem. If it were me, I'd look at the network traffic (with ethereal or similar tool) to see which end is closing the connection, and to find any other useful information that might show up.
On Fri, Jun 09, 2006 at 10:08:09AM +0000, Mickael Besse wrote:
In the access log of FDS there is:
SSL connection from ... to ....
[09/Jun/2006:11:57:45 +0200] conn=163 op=-1 fd=77 closed - Encountered end of file.
Thus, the connection arrives at FDS but it is directly closed. I don't know what "Encountered end of file" means??
what format is the LDAPTrustedCA that the apache uses?
Stein
In httpd.conf, I put
LDAPTrustedCAType BASE64_FILE
In the LDAPTrustedCA there is:
-----BEGIN CERTIFICATE-----
kjbfilqbvlsdbvlisdf........
-----END CERTIFICATE-----
From: Stein stein@interpost.no Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Fri, 9 Jun 2006 16:03:23 +0200
On Fri, Jun 09, 2006 at 02:14:55PM +0000, Mickael Besse wrote:
In httpd.conf, I put
LDAPTrustedCAType BASE64_FILE
In the LDAPTrustedCA there is:
-----BEGIN CERTIFICATE-----
kjbfilqbvlsdbvlisdf........
-----END CERTIFICATE-----
I think that's your problem, it's the wrong format.
Try to export it as a new format:
openssl pkcs12 -in casert.p12 -out cert.pem
Stein
I first exported the ca cert with:
../shared/bin/pk12util -d . -P slapd-serverID- -o cacert.p12 -n "CA certificate"
and then did:
openssl pkcs12 -in cacert.p12 -out cert.pem
and changed the path of the ca, not the type (BASE64_FILE), in httpd.conf.
But nothing changes, I've got the same error.
From: Stein stein@interpost.no Reply-To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] apache ldap over SSL. Date: Mon, 12 Jun 2006 11:18:51 +0200
389-users@lists.fedoraproject.org