cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - When posting, your subject should be specific and summarize your question. Here are some additional tips on asking a great question. X

Linux, Apache and LDAPS connection questions

JoePriest
10-Marble

Linux, Apache and LDAPS connection questions

We are working to connect to a new domain within the company and I have all of the right JNDI adapter, domain credentials, paths, filters, etc. working.  The problem I'm having is getting Apache to work correctly with LDAPS.  The connection works with just the LDAP version of the connection string so I know that my connection information is correct. 

We have the root certificates installed at the OS layer and also specified in the httpd-ssl.conf file under Apache.  I believe it's a certificate issue because it's working just using LDAP.  As soon as I go to LDAPS and the corresponding port, I have the problem.

I'm looking for any guidance that you can offer where I could spot check.  I'm sure it's something small at this point but it's eluding me.  Thanks.

ACCEPTED SOLUTION

Accepted Solutions

So, the fix was a simple permissions issue.  Apache in Linux was running as root which is correct.  The permissions under the Apache folders didn't align to the other server which was working.  I was under the assumption that even if there was a different owner:group for the files (i.e. windchill OS user) that the root user would be able to get to whatever files it needed to use.  Once I opened up the permissions to match the working server, it's all working fine now.  Thanks for the responses.

View solution in original post

8 REPLIES 8
RandyJones
19-Tanzanite
(To:JoePriest)

In order to "talk" to ldaps Apache has to trust the certificate used by the ldaps server. I have the following directives in my Apache configuration in order for it to trust our ssl openldap server running with a self signed certificate:

LDAPTrustedGlobalCert CA_BASE64 conf/certs/gp_ldap_ca.pem

LDAPVerifyServerCert Off

ChrisSpartz
13-Aquamarine
(To:JoePriest)

Is anything written to apache's error log when you configure it for LDAPS? If not you could try setting apache's log level to debug. The information in the log should give a clue as to what the problem is.

Here's from the debug output in the error log.  The interesting thing here is that the Apache configurations and certificates used are identical between the two user facing nodes in the Linux cluster.  There has to be something going on at the OS layer but we can't find any differences. 

[Tue Nov 10 08:32:53 2015] [info] [client 10.42.104.98] [28892] auth_ldap authenticate: user jpriest1 authentication failed; URI /Windchill/app/dynaTraceMonitor [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], referer: https://plm.synthes.com/Windchill/app/

ChrisSpartz
13-Aquamarine
(To:JoePriest)

That error message isn't too helpful. You could try connecting to the ldap server using openssl's s_client. That will display the details of the handshake with the ldap server and should show where the error is occurring. You can use a command like the below:

openssl s_client -connect <LDAP Server>:636 -state -nbio 2>&1

Joe,

Is the LDAP server Microsoft AD based, if so you can't use 636.

David

breed
12-Amethyst
(To:JoePriest)

Just a thought but, are you sure that port is open? Maybe it is being blocked by a firewall? If you try a openssl client like Chris Spartz sugested and it fails then I would think it is probably a port issue.

PLMer
2-Explorer
(To:JoePriest)

Agree with the above responses on confirming the availability of the port being used. Additionally you can also refer the documentation on configuring a secure LDAP with Windchill here.

Hope that helps.

Regards
~Syed

So, the fix was a simple permissions issue.  Apache in Linux was running as root which is correct.  The permissions under the Apache folders didn't align to the other server which was working.  I was under the assumption that even if there was a different owner:group for the files (i.e. windchill OS user) that the root user would be able to get to whatever files it needed to use.  Once I opened up the permissions to match the working server, it's all working fine now.  Thanks for the responses.

Announcements


Top Tags