user631952

Reputation: 33

Subversion Apache2.2 LDAPS authentication failed

OS: Redhat Linux, Subversion: 1.5.0, Apache: 2.2.17

httpd.conf:

LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<Location /svn>
DAV svn
SVNParentPath /home/svnroot/repository
AuthzSVNAccessFile /home/svnroot/repository/svn_access_file
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldaps://master.ldap.ebupt.com:636/OU=staff,DC=ebupt,DC=com?uid?sub?(objectClass=*)" SSL
AuthName "Subversion.resository"
Require valid-user
</Location>

Apache error_log:

[Thu Feb 24 16:48:00 2011] [debug] mod_authnz_ldap.c(403): [client 10.1.85.181] [25242] auth_ldap authenticate: using URL ldaps://master.ldap.ebupt.com:636/OU=staff,DC=ebupt,DC=com?uid?sub?(objectClass=*)
[Thu Feb 24 16:48:00 2011] [info] [client 10.1.85.181] [25242] auth_ldap authenticate: user jinjiankang authentication failed; URI /svn [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

ping master.ldap.ebupt.com is OK.

My FTP LDAPS authentication is OK as below:

server:master.ldap.ebupt.com
port:636
Enable SSL:checked
Base DN:ou=staff,dc=ebupt,dc=com
anonymous:checked
Search Filter:(objectClass=*)
User DN attribute:uid
Search scope:subtree

Upvotes: 2

Views: 8840

Answers (1)

superdupersheep

Reputation: 501

"Can't contact LDAP server" can mean a bunch of things, but if your LDAP server is reachable and you're using simple bind over SSL as you are here, it means Apache doesn't trust the certificate the LDAP server is presenting.

You need to tell Apache about the certificate so that it can create the SSL connection.

This section of the Apache docs is what you need: http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#usingssltls

The best way to do this is to obtain the CA certificate from the CA that signed the certificate on your LDAP servers, and use the LDAPTrustedGlobalCert directive. An example, from one of my boxes:

LDAPTrustedGlobalCert CERT_BASE64 /etc/openldap/cacerts/cacert.pem

How you go about obtaining the CA cert varies; my LDAP servers are running certs signed by our own CA, so I can easily get the CA cert. Your setup may be different; consult whoever looks after your LDAP server.

You can also obtain the certificate that the LDAP server presents using the OpenSSL tools:

openssl s_client -connect your.ldap.host:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

That'll display the certificate. Copy everything (including BEGIN CERTIFICATE and END CERTIFICATE) into a file.

Now add the directive:

LDAPTrustedGlobalCert CERT_BASE64 /path/to/your/cert/file

to the top of your Apache configuration. Restart Apache, and you're done.

Upvotes: 4
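Added example, not part of the answer above: the sed pipeline in the answer captures only the server's own (leaf) certificate, so Apache ends up pinning a certificate that changes whenever the LDAP host's cert is renewed. This script takes the full chain that `openssl s_client -showcerts -connect host:636 </dev/null` prints, splits it into one PEM file per certificate, and selects the last one (the CA the server sent) for LDAPTrustedGlobalCert. It assumes POSIX sh with awk and mktemp; the chain is fed on stdin, and the embedded sample is constructed with placeholder certificate bodies.

```shell
# Added example, not from the question or answer: split the chain printed by
# `openssl s_client -showcerts -connect host:636 </dev/null` into one PEM file
# per certificate so the CA certificate (last in the chain) can be given to
# LDAPTrustedGlobalCert. Assumes POSIX sh, awk and mktemp; input is on stdin.

# Usage: split_chain <outdir> < s_client_output
# Writes <outdir>/cert-0.pem, cert-1.pem, ... and prints how many were found.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" (n - 1) ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    '
}

# The certificate Apache should trust is the last one the server sent: the CA
# (or top-most intermediate), not the leaf certificate that expires with the host.
ca_cert_path() {
    echo "$1/cert-$(($2 - 1)).pem"
}

# Constructed sample of s_client -showcerts output for a two-certificate chain.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=master.ldap.example.com
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBleafplaceholder
-----END CERTIFICATE-----
 1 s:/CN=Example Internal CA
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBcaplaceholder
-----END CERTIFICATE-----'

# Run on the sample and print the directives to add at the top of httpd.conf.
demo() {
    dir=$(mktemp -d)
    n=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$dir")
    echo "$n certificates extracted; trusting $(ca_cert_path "$dir" "$n")"
    echo "LDAPTrustedGlobalCert CERT_BASE64 $(ca_cert_path "$dir" "$n")"
    echo "LDAPVerifyServerCert On"
}
demo
```

The `verify error:num=19` line in the sample is what s_client reports when the chain ends in a CA the client does not yet trust, which is the same trust gap behind Apache's "Can't contact LDAP server"; keep LDAPVerifyServerCert On so Apache still checks the certificate once the CA is trusted.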