Bug 807491 - LDAPS is not working if LDAPTrustedGlobalCert is defined
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Assigned To: Web Stack Team
BaseOS QE Security Team
Reported: 2012-03-27 18:57 EDT by David Hill
Modified: 2013-03-27 08:56 EDT
Doc Type: Bug Fix
Last Closed: 2013-03-27 08:56:03 EDT

Attachments: None
Description David Hill 2012-03-27 18:57:52 EDT
Description of problem:
LDAPS is not working if LDAPTrustedGlobalCert is defined.

Version-Release number of selected component (if applicable):

How reproducible:
Add this to the httpd.conf file:
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt
LDAPTrustedMode SSL
#LDAPVerifyServerCert off

Add this to any virtual host:
        AuthType basic
        AuthName "Page: Login/Pass Windows"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL "ldaps://dc.org:3269/DC=org,DC=org?sAMAccountName?sub?(objectClass=user)" SSL
        AuthLDAPBindDN "USER"
        AuthLDAPBindPassword "PASSWORD"

        # Using a "Require ldap-filter" here because "Require ldap-group" only grants access to the immediate group members and does not spawn to subgroups.
        Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=USER,OU=org,DC=org,DC=org

Steps to Reproduce:
1. Configure the environment as cited above
2. Reload apache
3. Try to access the vhost
Actual results:
"Can't connect to LDAP server" appears in that vhost's error log file

Expected results:
Should be working

Additional info:
The certificate is signed by our internal CA, but as soon as I set the LDAPTrustedGlobalCert parameter, it stops working. I must absolutely uncomment/delete the line starting with LDAPTrustedGlobalCert ...

The only way to get it working is to set it like what's below:
#LDAPTrustedGlobalCert blah
LDAPTrustedMode SSL
LDAPVerifyServerCert off
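A small diagnostic for the failure mode in this report, added here as an example and not part of the bug report or of httpd itself: it checks that the file handed to LDAPTrustedGlobalCert is really in the encoding its type keyword declares (CA_BASE64 expects PEM, CA_DER expects DER), which is worth confirming before falling back to LDAPVerifyServerCert off, and it can run the same live chain check against the server that the LDAPTLS_CACERT ldapsearch does. The host, port and file path in the usage call are taken from the configuration in the report.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): sanity-check a mod_ldap
# LDAPTrustedGlobalCert entry and, optionally, verify the LDAPS chain with it.

# Classify a certificate file as PEM, DER or UNKNOWN from its leading bytes.
cert_file_type() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' ')" = "30" ]; then
        echo DER        # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
    else
        echo UNKNOWN
    fi
}

# Map the LDAPTrustedGlobalCert type keyword to the encoding mod_ldap expects.
expected_type_for() {
    case $1 in
        CA_BASE64|CERT_BASE64) echo PEM ;;
        CA_DER|CERT_DER)       echo DER ;;
        *)                     echo UNKNOWN ;;
    esac
}

# check_global_cert TYPE FILE: succeeds only when keyword and file encoding agree.
check_global_cert() {
    want=$(expected_type_for "$1")
    have=$(cert_file_type "$2")
    [ "$want" = "$have" ]
}

# verify_ldaps_chain HOST:PORT CAFILE: does this CA actually verify the server's
# certificate? Fails if the chain does not validate, without disabling verification.
verify_ldaps_chain() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage with the values from the report's configuration (run manually).
if [ "${1:-}" = "--run" ]; then
    check_global_cert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt \
        && echo "cacert.crt matches CA_BASE64" || echo "cacert.crt is NOT PEM"
    verify_ldaps_chain dc.org:3269 /etc/httpd/conf/ssl.crt/cacert.crt \
        && echo "chain verifies" || echo "chain does NOT verify with this CA"
fi
```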
Comment 1 Jan Kaluža 2012-06-26 08:55:07 EDT

I was trying to reproduce it and it works correctly for me. Can you please try this command to verify it's really caused by httpd and not by a possible LDAP misconfiguration?

LDAPTLS_CACERT=/etc/httpd/conf/ssl.crt/cacert.crt ldapsearch -H ldaps://dc.org:3269 -x -D USER -w PASSWORD

If it does not work, please add "-d1" and send me the output.
Comment 2 Jan Kaluža 2013-03-27 08:56:03 EDT
We've been unable to reproduce this internally; I'm closing this bug. If you have further issues please contact Red Hat Support for assistance.
