Ldap – Apache+LDAP auth on Ubuntu says “Can’t contact LDAP server” while ldapsearch is perfect

I'm migrating from an existing apache+LDAP+mysql+php server to a new hardware platform. Old server is running Debian Lenny, which I have no config documentation available (was done by previous sysadmin); New server is running Ubuntu 10.04.2 LTS 32bit.

After installing Apache and configured LDAP client on the new server, ldapsearch to the LDAP master (another dedicated server) returns results just fine. However, when using apache with https, logs complain that "Can't contact LDAP server".

I'm authenticating using ldaps and can confirm that 636 port is open on the LDAP master. I can't understand why apache would fail while regular ldapsearch is working!

Below is part of the virtualhost config:

<Directory />
                Options FollowSymLinks
                AllowOverride None
                #AuthLDAPEnabled on
                AuthType Basic
                AuthBasicProvider ldap
                AuthName "Private"
                AuthLDAPURL ldaps://master.ldap.organisation.com:636/ou=people,dc=organisation,dc=com?uid
                AuthzLDAPAuthoritative off
                require valid-user
                AddType application/x-httpd-php .php .phtml
                <IfModule mod_php4.c>
                        php_flag magic_quotes_gpc Off
                        php_flag track_vars On
                        php_value include_path .
                </IfModule>
        </Directory>

Any help/suggestion is very much appreciated!

Best Answer

You need to tell Apache to trust the LDAP server's certificate.

See this.

ldapsearch (and other ldap* binaries) are from the OpenLDAP toolkit. The reason ldapsearch works (and Apache doesn't) is that the previous sysadmin must have placed the certificate the LDAP server is using (or the CA certificate that issued the LDAP server's certificate) into the location the OpenLDAP tools look for certs - generally this is /etc/openldap/cacerts, but it is somewhat distro-dependent.

Go look in that directory.

Once you've found the right certificate, use the mod_ldap directive (see here) to point to it. Place this directive before your LDAP configuration. For example:

If it's the LDAP server's client certificate:

LDAPTrustedGlobalCert CERT_BASE64 /etc/openldap/cacerts/ldap-server.pem

If it's the certificate of the CA that signed the LDAP server's certificate:

LDAPTrustedGlobalCert CERT_CA /etc/openldap/cacerts/ldap-cacert.pem

Use the OpenSSL command line tool to inspect the certificate to determine which it is:

openssl x509 -in /path/to/cert.pem -noout -text

Best Answer

Related Solutions

Debian – Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler

Linux – can’t figure out why apache LDAP auth fails

Related Topic