Description of problem:
LDAPS is not working if LDAPTrustedGlobalCert is defined.

Version-Release number of selected component (if applicable):

How reproducible:
Add this to the httpd.conf file:

    LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt
    LDAPTrustedMode SSL
    #LDAPVerifyServerCert off

Add this to any virtual host:

    AuthType basic
    AuthName "Page: Login/Pass Windows"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldaps://dc.org:3269/DC=org,DC=org?sAMAccountName?sub?(objectClass=user)" SSL
    AuthLDAPBindDN "USER"
    AuthLDAPBindPassword "PASSWORD"
    # Using a "Require ldap-filter" here because "Require ldap-group" only grants access
    # to the immediate group members and does not spawn to subgroups.
    Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=USER,OU=org,DC=org,DC=org

Steps to Reproduce:
1. Configure the environment as cited above
2. Reload apache
3. Try to access the vhost

Actual results:
"Can't connect to LDAP server" appears in that vhost error log file

Expected results:
Should be working

Additional info:
The certificate is signed by our internal CA but as soon as I set the LDAPTrustedGlobalCert parameter, it stops working. I must absolutely uncomment/delete the line starting with LDAPTrustedGlobalCert ...

The only way to get it working is to set it like what's below:

    #LDAPTrustedGlobalCert blah
    LDAPTrustedMode SSL
    LDAPVerifyServerCert off
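Added example (not part of the bug report, and not httpd or mod_ldap code): a stdlib-only Python audit of the two mod_ldap settings discussed above. It checks that the file named by LDAPTrustedGlobalCert actually has the framing the type keyword declares (CA_BASE64 expects a PEM file, CA_DER a raw DER file), since a mismatch makes the CA unusable, and it flags the LDAPVerifyServerCert off workaround, which turns off server certificate verification and leaves the bind credentials exposed to a spoofed LDAPS server. The configuration text and the sample "certificate" bytes are constructed for the demo; they are not real certificates, and the check inspects framing only, not certificate validity.

```python
import re
from pathlib import Path

# Type keyword -> on-disk format that mod_ldap expects for a trusted CA file.
CA_TYPES = {"CA_BASE64": "pem", "CA_DER": "der"}
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

# Directive names are case-insensitive in httpd.conf; map to a canonical spelling.
CANON = {n.lower(): n for n in ("LDAPTrustedGlobalCert", "LDAPTrustedMode", "LDAPVerifyServerCert")}
DIRECTIVE_RE = re.compile(r"^\s*(?P<name>\w+)\s+(?P<args>.+?)\s*$")


def detect_cert_format(data: bytes):
    """Return ('pem', n_certs), ('der', 1) or (None, 0) from the file framing."""
    if PEM_MARKER in data:
        return "pem", data.count(PEM_MARKER)
    # A DER-encoded certificate is an ASN.1 SEQUENCE; its first byte is 0x30.
    if data[:1] == b"\x30":
        return "der", 1
    return None, 0


def parse_ldap_directives(conf_text: str):
    """Collect the three mod_ldap directives of interest; commented lines are skipped."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m and m.group("name").lower() in CANON:
            found.append((CANON[m.group("name").lower()], m.group("args").split()))
    return found


def audit(conf_text: str, read_file=lambda p: Path(p).read_bytes()):
    """Return findings as (severity, message) tuples; read_file is injectable for testing."""
    findings = []
    for name, args in parse_ldap_directives(conf_text):
        if name == "LDAPTrustedGlobalCert":
            if len(args) < 2:
                findings.append(("error", f"LDAPTrustedGlobalCert needs <type> <path>, got {args}"))
                continue
            cert_type, path = args[0], args[1]
            if cert_type not in CA_TYPES:
                findings.append(("warn", f"{cert_type} is not a CA type; a server CA is CA_BASE64 or CA_DER"))
                continue
            try:
                data = read_file(path)
            except OSError as exc:
                findings.append(("error", f"cannot read {path}: {exc}"))
                continue
            fmt, count = detect_cert_format(data)
            if fmt is None:
                findings.append(("error", f"{path} is neither PEM nor DER"))
            elif fmt != CA_TYPES[cert_type]:
                findings.append(("error", f"{path} is {fmt.upper()} but declared {cert_type}"))
            else:
                findings.append(("ok", f"{path}: {count} {fmt.upper()} certificate(s) match {cert_type}"))
        elif name == "LDAPVerifyServerCert" and args and args[0].lower() == "off":
            findings.append(("warn", "LDAPVerifyServerCert off disables server certificate verification"))
    return findings


# Constructed sample files: only the framing matters, the bodies are not real certificates.
SAMPLE_FILES = {
    "/etc/httpd/conf/ssl.crt/cacert.crt": PEM_MARKER + b"\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n",
    "/etc/httpd/conf/ssl.crt/cacert.der": b"\x30\x82\x03\x1a" + b"\x00" * 16,
}

# Constructed configs: the reporter's lines, plus a DER file wrongly declared as CA_BASE64,
# and the LDAPVerifyServerCert off workaround from the bug report.
REPORTED_CONF = """LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.crt
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ssl.crt/cacert.der
LDAPTrustedMode SSL
#LDAPVerifyServerCert off
"""
WORKAROUND_CONF = """#LDAPTrustedGlobalCert blah
LDAPTrustedMode SSL
LDAPVerifyServerCert off
"""


def _sample_reader(path: str) -> bytes:
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path)


def demo():
    """Run the audit over both constructed configs and return the findings."""
    return {"reported": audit(REPORTED_CONF, read_file=_sample_reader),
            "workaround": audit(WORKAROUND_CONF, read_file=_sample_reader)}


if __name__ == "__main__":
    for label, findings in demo().items():
        for severity, message in findings:
            print(f"[{label}] {severity}: {message}")
```

Run it against a real httpd.conf with audit(Path("/etc/httpd/conf/httpd.conf").read_text()); a PEM file declared as CA_DER (or the reverse) shows up as an error, and any LDAPVerifyServerCert off left over from troubleshooting shows up as a warning so it is not forgotten once the CA problem is fixed.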
Hi, I was trying to reproduce it and it works correctly for me. Can you please try this command to verify it's really caused by httpd and not by a possible LDAP misconfiguration?

    LDAPTLS_CACERT=/etc/httpd/conf/ssl.crt/cacert.crt ldapsearch -H ldaps://dc.org:3269 -x -D USER -w PASSWORD

If it doesn't work, please add "-d1" and send me the output.
We've been unable to reproduce this internally; I'm closing this bug. If you have further issues please contact Red Hat Support for assistance.