Discussion:
Communicate from php/apache to openLDAP over LDAPS
Jérémy ESCOLANO
2010-06-10 08:57:12 UTC
Hi

I'm writing from France because I'm having a big problem with Apache and LDAP.
Let me explain:

I would like to make an Apache server communicate in PHP with an openLDAP
server (both servers are under Win Srv 2003), using the LDAPS protocol.

In order to activate LDAPS on my openLDAP srv (srvLDAP), I created self
signed certificates with openSSL. I got 3 files:


cacert.pem
srvLDAP.pem
srvLDAP.key


I configured my slapd.conf file and ldap.conf file (openLDAP side) like this:

slapd.conf

TLSCertificateFile ./ssl/srvLDAP.pem
TLSCertificateKeyFile ./ssl/srvLDAP.key
TLSCACertificateFile ./ssl/cacert.pem


ldap.conf
BASE <ma branche>
URI ldaps://srvLDAP/
TLS_CACERT ./ssl/cacert.pem
TLS_REQCERT demand



I launched my openLDAP service, and checked that the ldaps protocol was okay, using
this command:

C:\Program Files\OpenLDAP>ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/


Now I would like, from the remote Apache server, to communicate with the
openLDAP server using the LDAPS protocol.

Here is my simplified PHP code:

<h2>LDAP OPENLDAP LDAPS</h2>
<?php

$host = "ldaps://srvldap";   // LDAP URI; when a URI is given, the port argument is ignored
$port = 636;
$ds = ldap_connect($host, $port);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "pass");
if (!$r) {
    die("Unable to bind to server: " . ldap_error($ds));
}
// LDAP filters must be parenthesised
$sr = ldap_search($ds, "o=exemple,dc=fr", "(objectClass=maclasse)");
$info = ldap_get_entries($ds, $sr);
print $info["count"] . " enregistrements trouvés.";
?>

I get this error:


Unable to bind to server: Can't contact LDAP server


I know I have to configure certificates in the Apache server configuration.
I tried to do this according to several internet resources but didn't succeed.
I also read this link:
http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm
which is a French page that talks about ldap.conf and ldaprc files to put
on the Apache server. I did it but nothing happened.

Well, I'm lost in all this stuff, that is why I'm asking for help to
configure my servers to use ldaps with PHP.

Do you have information that could help me ?

I thank you in advance
Thierry Lacoste
2010-06-10 11:02:11 UTC
Seems to me that the $host variable is incorrect: it should be
$host="srvLDAP"

HTH,
Thierry
Jérémy ESCOLANO
2010-06-10 12:08:53 UTC
I tried to put $host="srvLDAP" but it still doesn't work.

Actually the problem is configuring my APACHE server to make it consider
these certificates.
I know there is a ldap.conf in the openLDAP directory (on the openLDAP server)
where I have to put:

TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT demand

but how can we specify it on apache server ?
Thanks
Howard Chu
2010-06-10 18:34:07 UTC
Post by Jérémy ESCOLANO
I tried to put host="srvLDAP" but it still doesn't work
Actually the problem is configuring my APACHE server to make it consider
these certificates.
I know there is a ldap.conf in the openLDAP directory (on openLDAP server)
TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT demand
but how can we specify it on apache server ?
Ask on an Apache forum.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Indexer
2010-06-11 01:01:05 UTC
Post by Howard Chu
Post by Jérémy ESCOLANO
I tried to put host="srvLDAP" but it still doesn't work
Actually the problem is configuring my APACHE server to make it consider
these certificates.
I know there is a ldap.conf in the openLDAP directory (on openLDAP server)
TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT demand
but how can we specify it on apache server ?
Ask on an Apache forum.
You are probably correct in that you should be asking on an Apache forum. But anyway, here is a copy of my working apache config


LDAPTrustedClientCert CERT_BASE64 /usr/local/share/certs/cacert.pem
LDAPTrustedClientCert CERT_DER /usr/local/share/certs/cacert.crt
LDAPTrustedMode TLS

<Directory /usr/local/www/nagios>
Order deny,allow
Deny from all
Allow from all
AllowOverride none
php_flag engine on
php_admin_value open_basedir /usr/local/www/nagios/:/var/spool/nagios/

######
#<LDAP>
######

AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPRemoteUserAttribute uid
AuthLDAPURL ldap://ldap.chocolate.lan/ou=Users,dc=chocolate,dc=lan?uid?sub
#Require ldap-user william
AuthLDAPDereferenceAliases never
AuthLDAPGroupAttribute memberUid
Require group
Require ldap-group cn=nagios,ou=Apache,ou=Nemo,ou=Group,dc=chocolate,dc=lan
AuthType Basic
AuthName "Nagios"

######
#</LDAP>
######

</Directory>

Also, a useful tool is the following; it tells you the current state of the LDAP cache on the server.

<Location /server/cache-info>
SetHandler ldap-status
</Location>

This is currently set up for group-based authentication. Remember that your group memberUid needs to be the full DN of the user, rather than just the uid. Your certificates also need to be readable by the apache user, and you only need the cacert.
Jérémy ESCOLANO
2010-06-11 08:53:59 UTC
Hi, thank you for replying,

I went a bit deeper with my problem. I can now do LDAPS, but without
verifying the certificate;
here is what I did:

on the openLDAP server:

--->slapd.conf
TLSCertificateFile ./ssl2/srvLDAP.cer
TLSCertificateKeyFile ./ssl2/srvLDAP.key
TLSCACertificateFile ./ssl2/cacert.cer
TLSVerifyClient never

--->ldap.conf
TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT never

Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1

That's all for the openLDAP server, but it is not enough with Apache.

On the Apache server I created a folder C:\openldap\sysconf;
in this directory I created openldap.conf, which contains:

TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT never

(with cacert.cer in c:\openldap\sysconf\ssl)

It works from now BUT does NOT verify the certificate.

I got a certificate and key onto my Apache server, but I now need to specify it
in Apache so that Apache will give the certificate to the openLDAP server while
doing LDAPS.

I know I have to change TLS_REQCERT never to TLS_REQCERT demand. I did it,
and on the openLDAP server I get the following error:

connection_read(1176): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(1176): got connid=0
connection_read(1176): checking for input on id=0
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
connection_read(1176): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=1176 for close
connection_close: conn=0 sd=1176

The question is now: how can I configure my certificate on the Apache SERVER so
that I will be able to do LDAPS with PHP and certificates will be verified?
(I know I should ask it on the Apache list too.)

Thank you in advance for all your help, and thank you for the help you
already gave me.
Dieter Kluenter
2010-06-11 09:47:29 UTC
On Fri, 11 Jun 2010 10:53:59 +0200
Post by Jérémy ESCOLANO
Hi, Thankyou for replying,
I went a bit deeper with my problem, I can now do LDAPS but without
verifying certificate,
--->slapd.conf
TLSCertificateFile ./ssl2/srvLDAP.cer
TLSCertificateKeyFile ./ssl2/srvLDAP.key
TLSCACertificateFile ./ssl2/cacert.cer
TLSVerifyClient never
--->ldap.conf
TLS_CACERT ./ssl2/cacert.cer
TLS_REQCERT never
Then ran my service using: slapd -h "ldap:/// ldaps:///" -d 1
That's all for the openLDAP server, but not enought with apache.
On the apache server I created a folder C:\openldap\sysconf
TLS_CACERT ./ssl/cacert.cer
TLS_REQCERT never
(with cacert.cer in c:\openldap\sysconf\ssl)
It works from now BUT does NOT verify the certificate.
[...]
Post by Jérémy ESCOLANO
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
connection_read(1176): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=1176 for close
connection_close: conn=0 sd=1176
The question is now : How can I configure my certificate on apache
SERVER so that I will be able to do LDAPS with PHP and certificates
will be verified. (I know should ask it on Apache list too)
Bear in mind that Apache is an LDAP client operation, thus configure
LDAP clients to verify the server certificate and not the server to
verify a client certificate.

-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Jérémy ESCOLANO
2010-06-11 09:57:09 UTC
According to what you are saying,
Apache has to verify which certificate? The CA certificate? The Apache
server certificate or the LDAP certificate?
Thank you for your information; it helps me to understand better.
Indexer
2010-06-11 12:29:10 UTC
Post by Jérémy ESCOLANO
According to what you are saying,
Apache has to verify which certificate? The CA certificate? The Apache
server certificate or the LDAP certificate?
Thank you for your information; it helps me to understand better.
It should be the ldap CA certificate in this case, as apache needs to be aware of the LDAP CA.
Dieter Kluenter
2010-06-11 12:58:47 UTC
According to what you are saying, Apache has to verify which
certificate? The CA certificate? The Apache server certificate or
the LDAP certificate? Thank you for your information; it helps me to
understand better.
[...]

As a client operation to ldap, apache has to verify the ldap server
certificate by using the signing certificate authority.
That's why the CA has to be provided to clients and clients have to be
told to request the server certificate.

-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Jérémy ESCOLANO
2010-06-11 14:03:22 UTC
I see, so I need to configure the Apache server to make it able to verify the
LDAP server certificate by using the certificate authority.
That is what I don't know how to do.
If it can help, here is the error I get :

SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr:2471

Thanks
Dieter Kluenter
2010-06-11 14:57:45 UTC
Post by Jérémy ESCOLANO
I see, so I need to configure the Apache server to make it able to verify
the LDAP server certificate by using the certificate authority. That
is what I don't know how to do. If it can help, here is the error:
SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
s3_srvr:2471
You have configured slapd to request a client certificate which the
client does not provide, just set TLSVerifyClient never in slapd.conf
and TLS_REQCERT try (or demand) in ldap.conf or any other client
configuration file.

-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Howard Chu
2010-06-11 19:09:59 UTC
Post by Dieter Kluenter
Post by Jérémy ESCOLANO
I see, so I need to configure the Apache server to make it able to verify
the LDAP server certificate by using the certificate authority. That
is what I don't know how to do. If it can help, here is the error:
SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
s3_srvr:2471
You have configured slapd to request a client certificate which the
client does not provide, just set TLSVerifyClient never in slapd.conf
and TLS_REQCERT try (or demand) in ldap.conf or any other client
configuration file.
Just don't specify TLS_REQCERT at all in ldap.conf. The default is demand and
should not be changed.

In all of this thread no one has asked or stated what version of OpenLDAP is
being used...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
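The client-side verification Dieter and Howard describe (the PHP client trusts the CA that signed the slapd certificate and demands the server certificate, while slapd keeps TLSVerifyClient never) written out as a PHP script. This is an added example, not code from the thread; it assumes PHP 7.1 or later with ext/ldap built on OpenLDAP (the LDAP_OPT_X_TLS_* constants), and the URI, CA path, bind DN, password and filter are placeholders taken from the thread's names.

```php
<?php
// Added example: LDAPS client that verifies the server certificate against
// the self-signed CA from the thread, instead of TLS_REQCERT never.

function ldaps_search_verified(string $uri, string $caFile, string $bindDn,
                               string $password, string $base, string $filter): array
{
    // An unreadable CA file is the usual reason verification fails with a bare
    // "Can't contact LDAP server", so check it before touching the network.
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    $ds = ldap_connect($uri);            // parses the URI only; no socket yet
    if ($ds === false) {
        throw new RuntimeException("Bad LDAP URI: $uri");
    }

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Per-connection equivalent of TLS_CACERT / TLS_REQCERT demand in ldap.conf.
    // Must be set before the first operation triggers the TLS handshake.
    ldap_set_option($ds, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The handshake happens here: a server certificate that does not chain to
    // $caFile, or whose name does not match the host in $uri, fails the bind.
    if (!@ldap_bind($ds, $bindDn, $password)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf('bind failed: %s (%s)', ldap_error($ds), $diag));
    }

    $sr = ldap_search($ds, $base, $filter, ['dn']);   // filter must be parenthesised
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    ldap_unbind($ds);

    $dns = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $dns[] = $entries[$i]['dn'];
    }
    return $dns;
}

// Usage with the thread's names; host, CA path, DN and password are placeholders.
try {
    $dns = ldaps_search_verified(
        'ldaps://srvLDAP',                    // must match the name in the server cert
        'C:/openldap/sysconf/ssl/cacert.cer', // the CA that signed srvLDAP.cer
        'cn=admin,o=exemple,dc=fr',
        'pass',
        'o=exemple,dc=fr',
        '(objectClass=maclasse)'
    );
    printf("%d entries found\n", count($dns));
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

A quick way to tell a trust failure from a connectivity failure is to run the same script once with LDAP_OPT_X_TLS_REQUIRE_CERT set to LDAP_OPT_X_TLS_NEVER: if that binds and the demand version does not, the CA file or the certificate's host name is the problem, not the network.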