Community Tip - Need to share some code when posting a question or reply? Make sure to use the "Insert code sample" menu option. Learn more! X
We are working to connect to a new domain within the company and I have all of the right JNDI adapter, domain credentials, paths, filters, etc. working. The problem I'm having is getting Apache to work correctly with LDAPS. The connection works with just the LDAP version of the connection string so I know that my connection information is correct.
We have the root certificates installed at the OS layer and also specified in the httpd-ssl.conf file under Apache. I believe it's a certificate issue because it's working just using LDAP. As soon as I go to LDAPS and the corresponding port, I have the problem.
I'm looking for any guidance that you can offer where I could spot check. I'm sure it's something small at this point but it's eluding me. Thanks.
Solved! Go to Solution.
So, the fix was a simple permissions issue. Apache in Linux was running as root which is correct. The permissions under the Apache folders didn't align to the other server which was working. I was under the assumption that even if there was a different owner:group for the files (i.e. windchill OS user) that the root user would be able to get to whatever files it needed to use. Once I opened up the permissions to match the working server, it's all working fine now. Thanks for the responses.
In order to "talk" to ldaps Apache has to trust the certificate used by the ldaps server. I have the following directives in my Apache configuration in order for it to trust our ssl openldap server running with a self signed certificate:
LDAPTrustedGlobalCert CA_BASE64 conf/certs/gp_ldap_ca.pem
LDAPVerifyServerCert Off
Is anything written to apache's error log when you configure it for LDAPS? If not you could try setting apache's log level to debug. The information in the log should give a clue as to what the problem is.
Here's from the debug output in the error log. The interesting thing here is that the Apache configurations and certificates used are identical between the two user facing nodes in the Linux cluster. There has to be something going on at the OS layer but we can't find any differences.
[Tue Nov 10 08:32:53 2015] [info] [client 10.42.104.98] [28892] auth_ldap authenticate: user jpriest1 authentication failed; URI /Windchill/app/dynaTraceMonitor [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], referer: https://plm.synthes.com/Windchill/app/
That error message isn't too helpful. You could try connecting to the ldap server using openssl's s_client. That will display the details of the handshake with the ldap server and should show where the error is occurring. You can use a command like the below:
openssl s_client -connect <LDAP Server>:636 -state -nbio 2>&1
Joe,
Is the LDAP server Microsoft AD based, if so you can't use 636.
David
Just a thought but, are you sure that port is open? Maybe it is being blocked by a firewall? If you try a openssl client like Chris Spartz sugested and it fails then I would think it is probably a port issue.
Agree with the above responses on confirming the availability of the port being used. Additionally you can also refer the documentation on configuring a secure LDAP with Windchill here.
Hope that helps.
Regards
~Syed
So, the fix was a simple permissions issue. Apache in Linux was running as root which is correct. The permissions under the Apache folders didn't align to the other server which was working. I was under the assumption that even if there was a different owner:group for the files (i.e. windchill OS user) that the root user would be able to get to whatever files it needed to use. Once I opened up the permissions to match the working server, it's all working fine now. Thanks for the responses.