After upgrading a machine from fedora 13 to fedora 14 (with all updates), I was suddenly unable to get its httpd to authenticate with my LDAP servers. After connecting my browser to the web server with https, and typing in my username and password, I get an Internal Server Error response. My configuration is:
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ca-bundle.crt LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.asc <Directory /var/www/html/ssl> AuthType Basic AuthName "User Login" AuthBasicProvider ldap AuthLDAPURL "ldap://serv1.foo.org serv2.foo.org/dc=foo,dc=org" TLS AuthzLDAPAuthoritative off require valid-user SSLOptions +StrictRequire SSLRequireSSL </Directory> The httpd debugging log shows: auth_ldap authenticate: user XXXX authentication failed; URI /ssl/staff/index.shtml [LDAP: ldap_start_tls_s() failed][Connect error] Changing AuthLDAPURL to use SSL instead of TLS also fails but with: [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server] tcpdump shows that the httpd client connects to the LDAP server, and is sent: Start TLSrequest accepted Server willing to negotiate SSL but no certificate info is exchanged and the client quickly closes the connection. Changing AuthLDAPURL to use NONE makes it connect successfully. serv1 uses a cert purchased from GoDaddy, and serv2 uses a self signed cert (which is /etc/openldap/cacerts/cacert.asc). Both servers are 389-ds. Both certs mentioned in LDAPTrustedGlobalCert are valid and world readable. ldapsearch is able to connect to both servers with TLS. On another machine with the same httpd configuration, but still at fedora 13, httpd is able to connect securely even without the LDAPTrustedGlobalCert lines. As a side note, after upgrading to fedora 14, I had to add tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt to /etc/nss_ldap.conf and /etc/pam_ldap.conf and also add TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt to /etc/openldap/ldap.conf in order to get those to work. Under fedora 13, everything worked without those lines. I don't know if this is a problem with httpd's mod_authnz_ldap or its mod_ldap or with openldap, or just a configuration mistake on my part, but it used to work before the upgrade. I have searched all over for an answer to this problem because I can't believe that I am the only one having it, but I have found nothing. I welcome any ideas.
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
