Red Hat Bugzilla – Bug 807491
LDAPS is not working if LDAPTrustedGlobalCert is defined
Last modified: 2013-03-27 08:56:03 EDT
Description of problem:
LDAPS is not working if LDAPTrustedGlobalCert is defined.
Version-Release number of selected component (if applicable):
Add this to the httpd.conf file:
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt
Add this to any virtual host:
AuthName "Page: Login/Pass Windows"
AuthLDAPURL "ldaps://dc.org:3269/DC=org,DC=org?sAMAccountName?sub?(objectClass=user)" SSL
# Using a "Require ldap-filter" here because "Require ldap-group" only grants access to the immediate group members and does not spawn to subgroups.
Require ldap-filter memberof:1.2.840.113522.214.171.1241:=CN=USER,OU=org,DC=org,DC=org
Steps to Reproduce:
1. Configure the environment as cited above
2. Reload apache
3. Try to access the vhost
Actual results:
Can't connect to LDAP server appears in that vhost error log file
Expected results:
Should be working
The certificate is signed by our internal CA but as soon as I set the LDAPTrustedGlobalCert parameter, it stops working. I must absolutely uncomment/delete the line starting with LDAPTrustedGlobalCert ...
The only way to get it working is to set it like what's below:
I was trying to reproduce it and it works correctly for me. Can you please try this command to verify it's really caused by httpd and not by a possible LDAP misconfiguration?
LDAPTLS_CACERT=/etc/httpd/conf/ssl.crt/cacert.crt ldapsearch -H ldaps://dc.org:3269 -x -D USER -w PASSWORD
If it doesn't work, please add "-d1" and send me the output.
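A check that a reader debugging a report like this one may want before re-running the ldapsearch above: mod_ldap's LDAPTrustedGlobalCert takes a type argument (CA_BASE64 for a PEM file, CA_DER for a raw DER file), and a file in the wrong encoding for the declared type gives the same "Can't connect to LDAP server" symptom as a bad trust chain. The script below is an added example written for this page, not code from the bug report or from httpd; it uses only the Python standard library, the sample certificate bytes are a constructed minimal DER SEQUENCE (not a real X.509 certificate), and the function names are this example's own.

```python
import base64
import binascii
import re

# Matches every PEM certificate block in a file; the body may span lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_outer_sequence_ok(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (tag 0x30) whose declared
    length matches the bytes present. An outer-envelope check only,
    not a full X.509 parse; it catches truncation and PEM/DER mix-ups."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                  # short-form length
        length, header = first, 2
    else:                             # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
    return header + length == len(blob)


def classify_cert_file(data: bytes) -> dict:
    """Decide which LDAPTrustedGlobalCert type the file contents match.
    Returns {"type": "CA_BASE64" | "CA_DER" | None, "certs": n, "valid": bool}."""
    pem_bodies = PEM_RE.findall(data)
    if pem_bodies:
        ders = []
        for body in pem_bodies:
            try:
                ders.append(base64.b64decode(re.sub(rb"\s+", b"", body), validate=True))
            except binascii.Error:
                return {"type": None, "certs": len(pem_bodies), "valid": False}
        ok = all(der_outer_sequence_ok(d) for d in ders)
        return {"type": "CA_BASE64" if ok else None, "certs": len(ders), "valid": ok}
    if der_outer_sequence_ok(data):
        return {"type": "CA_DER", "certs": 1, "valid": True}
    return {"type": None, "certs": 0, "valid": False}


def directive_matches(directive_line: str, file_data: bytes) -> bool:
    """Given an httpd.conf line such as
    'LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt'
    and the bytes of that file, report whether the declared type fits the file."""
    parts = directive_line.split()
    if len(parts) < 3 or parts[0] != "LDAPTrustedGlobalCert":
        raise ValueError("not an LDAPTrustedGlobalCert directive: %r" % directive_line)
    return classify_cert_file(file_data)["type"] == parts[1]


# Constructed sample data: a minimal DER SEQUENCE containing INTEGER 5.
# It is NOT a certificate; it only exercises the envelope checks above.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Path is the one from the bug report; the bytes are the constructed sample.
    line = "LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt"
    print(classify_cert_file(SAMPLE_PEM))
    print("directive matches PEM file:", directive_matches(line, SAMPLE_PEM))
    print("directive matches DER file:", directive_matches(line, SAMPLE_DER))
```

To use it on a real installation, read the file named in the directive with `open(path, "rb").read()` and pass it to `directive_matches` together with the line from httpd.conf; a `False` result means the type keyword and the file encoding disagree and should be fixed before chasing the CA chain itself with ldapsearch.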
We've been unable to reproduce this internally; I'm closing this bug. If you have further issues please contact Red Hat Support for assistance.