Serge Erlikh

Reputation: 31

Apache mod_auth_ldap won't work if SSL is turned on

Here is the full story with details below, I'd appreciate any suggestions.

I have a web server on which I need to enable Apache auth with LDAP for certain resources. I also have an OpenLDAP server that I can authenticate against. The OpenLDAP server has both ports 389 and 636 enabled, and a self-signed cert is installed on it. The web server has the OpenLDAP client configured and can identify users. If I test the connection to OpenLDAP from the web server using this string:

openssl s_client -connect openldapserverIP:636 -showcerts

I get a response with all the correct info.

In the web server config I've added this:

<Directory /www/protect>
    Order deny,allow
    Deny from All
    AuthName "identity"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    AuthLDAPUrl ldap://openldapIP/ou=People,dc=mydomain,dc=org?uid
    AuthLDAPBindDN "cn=ldapreadonlyuser,dc=mydomain,dc=org"
    AuthLDAPBindPassword "somethinghere"
    AuthLDAPGroupAttribute memberUid
    Require ldap-attribute myAttribute=800
    Require ldap-attribute myAttribute=820
    Satisfy any
    LogLevel debug
</Directory>

and it works.

Then if I enable a secure connection, changing the connection string to:

AuthLDAPUrl ldaps://openldapIP/ou=People,dc=mydomain,dc=org?uid TLS

or

AuthLDAPUrl ldap://openldapIP:636/ou=People,dc=mydomain,dc=org?uid TLS

it does not work.

Here is the error log:

auth_ldap authenticate: user x authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server] (not authoritative)

Thanks in advance!

Upvotes: 3

Views: 5096

Answers (2)

romank

Reputation: 11

Put your CA cert and the LDAP server's cert in /etc/pki/mycerts/certs-bundle.pem and add the parameter LDAPTrustedGlobalCert CA_BASE64 /etc/pki/mycerts/certs-bundle.pem to your httpd.conf.

Upvotes: 1

Pavel Tankov

Reputation: 449

You need to use

LDAPVerifyServerCert Off

at the global level in your Apache configuration. That's because your certificate is self-signed.

Upvotes: 2
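Added example, not code from the question or from either answer. It takes romank's approach (put the self-signed certificate in a bundle and point LDAPTrustedGlobalCert at it) rather than Pavel Tankov's LDAPVerifyServerCert Off: Off makes the "Can't contact LDAP server" error disappear by skipping server verification altogether, so a spoofed LDAP server on the path would receive the bind password and every user's Basic-auth credentials. The script name, the host name ldap.mydomain.org and the bundle path are assumptions; the Directory block is the one from the question with an ldaps:// URL and without the trailing TLS keyword, which in mod_authnz_ldap requests STARTTLS on a plain connection rather than ldaps.

```shell
#!/bin/sh
# Added example; not code from the question or either answer. Assumes a
# hypothetical LDAP host (ldap.mydomain.org), the bundle path from romank's
# answer (/etc/pki/mycerts/certs-bundle.pem) and an installed `openssl`.
set -eu

# Pull every PEM certificate out of `openssl s_client -showcerts` output on
# stdin. -showcerts prints the server's own certificate twice (once in the
# chain listing, again under "Server certificate"), so blocks are
# de-duplicated: a self-signed server yields one cert, a private CA yields
# the server cert followed by the issuing CA(s).
extract_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblk = 1; blk = "" }
        inblk                           { blk = blk $0 "\n" }
        /^-----END CERTIFICATE-----$/   {
            inblk = 0
            if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
        }'
}

# Number of certificates in a PEM bundle (sanity check before trusting it).
count_certs() {   # count_certs BUNDLE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch the chain from the live server on 636 and write the trust bundle.
# -servername sends SNI in case the host serves more than one certificate.
fetch_bundle() {  # fetch_bundle HOST OUTFILE
    openssl s_client -connect "$1:636" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_certs >"$2"
    [ "$(count_certs "$2")" -ge 1 ] \
        || { echo "no certificate received from $1:636" >&2; return 1; }
}

# Check the bundle the way Apache's LDAP client will: the server cert (the
# first block) must chain to a trust anchor in the bundle. A self-signed
# cert is its own anchor, so it must verify against itself.
verify_bundle() { # verify_bundle BUNDLE  -> prints "<file>: OK" on success
    tmp=$(mktemp)
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 } p { print }
         /^-----END CERTIFICATE-----$/ { exit }' "$1" >"$tmp"
    openssl verify -CAfile "$1" "$tmp"
    rm -f "$tmp"
}

# Emit the Apache configuration. LDAPTrustedGlobalCert and
# LDAPVerifyServerCert belong in the global (server) context, not inside
# <Directory>. Verification stays On; the bundle supplies the anchor.
emit_httpd_conf() { # emit_httpd_conf BUNDLE LDAP_HOST
    cat <<EOF
# Global context (httpd.conf or a conf.d file)
LDAPTrustedGlobalCert CA_BASE64 $1
LDAPVerifyServerCert On

<Directory /www/protect>
    Order deny,allow
    Deny from All
    AuthName "identity"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    # ldaps:// alone selects SSL mode; the trailing TLS keyword from the
    # question asks mod_authnz_ldap for STARTTLS instead, so it is dropped.
    AuthLDAPUrl "ldaps://$2/ou=People,dc=mydomain,dc=org?uid"
    AuthLDAPBindDN "cn=ldapreadonlyuser,dc=mydomain,dc=org"
    AuthLDAPBindPassword "somethinghere"
    AuthLDAPGroupAttribute memberUid
    Require ldap-attribute myAttribute=800
    Require ldap-attribute myAttribute=820
    Satisfy any
</Directory>
EOF
}

# Usage (hypothetical script name, host and path):
#   ./ldap_trust.sh fetch ldap.mydomain.org /etc/pki/mycerts/certs-bundle.pem
if [ "${1:-}" = "fetch" ]; then
    fetch_bundle "$2" "$3"
    verify_bundle "$3"
    emit_httpd_conf "$3" "$2"
fi
```

Run it once on the web server, drop the printed global directives into httpd.conf, and restart httpd. When the self-signed certificate on the OpenLDAP server is reissued, the bundle has to be refreshed the same way, otherwise the bind fails again with the same "Can't contact LDAP server" message.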
