I have the httpd conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule ssl_module modules/mod_ssl.so
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/certs/domenCA.crt
<VirtualHost *:80>
ServerName domen.lan
ServerAlias domen domen1
DocumentRoot /var/www/html
<Directory /var/www/html/private1>
AuthName "Members only site"
AuthType basic
require valid-user
AuthBasicProvider ldap
AuthLDAPUrl "ldap://ldap.domen.lan/dc=domen,dc=lan"
# AuthLDAPUrl "ldap://ldap.domen.lan/dc=domen,dc=lan" TLS
</Directory>
</VirtualHost>
When I run next and input the credential, it works fine :
elinks http://domen.lan/private1
then I try TLS (same but TLS on the end of line):
# AuthLDAPUrl "ldap://ldap.domen.lan/dc=domen,dc=lan"
AuthLDAPUrl "ldap://ldap.domen.lan/dc=domen,dc=lan" TLS
It fails to show the page and I get error:
The server encountered an internal error or misconfiguration and was unable to complete your request.
in /var/log/httpd/access_log
:
"GET /private1 HTTP/1.1" 401 381 "-" "ELinks/0.12pre6 (textmode; Linux; 111x64-2)"
"GET /private1 HTTP/1.1" 500 527 "-" "ELinks/0.12pre6 (textmode; Linux; 111x64-2)"
nothing in :
/var/log/messages
/var/log/httpd/error_log
when I run
openssl s_client -connect domen.lan:389 -showcerts -state
I get:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
140597450172320:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
I do not know how can I fix that cert eror.
I have
centos 7.1
openldap-2.4.39-6.el7.x86_64
openldap-clients-2.4.39-6.el7.x86_64
openldap-servers-2.4.39-6.el7.x86_64
httpd-2.4.6-31.el7.centos.x86_64
It seems to work ok if I have TLS_REQCERT allow
in etc/openldap/ldap.conf
but not if I have TLS_REQCERT demand
. I can not figure it out what is happening:
TLS_CACERTDIR /etc/openldap/certs
SASL_NOCANON on
URI ldap://centos7s.domen.lan
BASE dc=domen,dc=lan
host centos7s.domen.lan
#TLS_REQCERT allow
TLS_REQCERT demand
ssl start_tls
TLS_CACERT /etc/openldap/certs/domenCA.crt
Best Answer
Just adding your own sollution as an answer for readability: