Apache 2.2 mod_ldap refusing to work over SSL/TLS
mkhitrov at gmail.com
Thu Nov 19 16:33:26 UTC 2009
Wasted many hours on this and am no closer to a solution. I'm trying
to get apache 2.2 on FreeBSD 7.2 to authenticate against our active
directory (Windows 2003).
The current status is that authentication works without problems when
SSL/TLS are not used. Furthermore, I can establish SSL/TLS connections
to the server and run queries using the ldapsearch tool. Server
certificate verification works without any problems.
The relevant portions of ldap.conf and httpd.conf are identical, so if
I can use SSL and TLS with ldapsearch, there is no reason why it
shouldn't be working from apache. Just to be on the safe side, I've
turned off server certificate verification with 'LDAPVerifyServerCert
So... Unencrypted authentication works, SSL authentication results in
"[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]", and
TLS authentication gives "[LDAP: ldap_start_tls_s() failed][Connect
error]." I had nothing else to go on, so I decided to capture the
packets that are being sent between apache and active directory
servers. I then compared this packet capture with what ldapsearch does
(both using TLS).
In summary, ldapsearch and apache send an identical
LDAP_SERVER_START_TLS_OID command. In both cases, the server responds
with an identical "Result: Status: Success, MatchedDN: NULL,
ErrorMessage: NULL" packet. But while ldapsearch then goes on to the
certificate and key exchange phase, apache responds with
"OperationHeader: Unbind Request, 2(0x2)" and terminates the
As far as I can tell, it doesn't even get to the certificate
verification phase even though the STARTTLS command is successful.
Anyone have a clue on what could be causing this?
More information about the freebsd-questions