Apache+LDAP auth on Ubuntu says “Can’t contact LDAP server” while ldapsearch is perfect


I’m migrating from an existing apache+LDAP+mysql+php server to a new hardware platform. The old server is running Debian Lenny, for which I have no config documentation available (it was set up by the previous sysadmin); the new server is running Ubuntu 10.04.2 LTS 32-bit.

After installing Apache and configuring the LDAP client on the new server, ldapsearch to the LDAP master (another dedicated server) returns results just fine. However, when using Apache with https, the logs complain that “Can’t contact LDAP server”.

I’m authenticating using ldaps and can confirm that port 636 is open on the LDAP master. I can’t understand why Apache would fail while a regular ldapsearch is working!

Below is part of the virtualhost config:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    #AuthLDAPEnabled on
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Private"
    AuthLDAPURL ldaps://master.ldap.organisation.com:636/ou=people,dc=organisation,dc=com?uid
    AuthzLDAPAuthoritative off
    require valid-user
    AddType application/x-httpd-php .php .phtml
    <IfModule mod_php4.c>
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_value include_path .

Any help/suggestion is very much appreciated!

Solution:

You need to tell Apache to trust the LDAP server’s certificate.

See this.

ldapsearch (and other ldap* binaries) are from the OpenLDAP toolkit. The reason ldapsearch works (and Apache doesn’t) is that the previous sysadmin must have placed the certificate the LDAP server is using (or the CA certificate that issued the LDAP server’s certificate) into the location the OpenLDAP tools look for certs – generally this is /etc/openldap/cacerts, but it is somewhat distro-dependent.

Go look in that directory.

Once you’ve found the right certificate, use the mod_ldap directive (see here) to point to it. Place this directive before your LDAP configuration. For example:

If it’s the LDAP server’s client certificate:

LDAPTrustedGlobalCert CERT_BASE64 /etc/openldap/cacerts/ldap-server.pem

If it’s the certificate of the CA that signed the LDAP server’s certificate:

LDAPTrustedGlobalCert CERT_CA /etc/openldap/cacerts/ldap-cacert.pem

Use the OpenSSL command line tool to inspect the certificate to determine which it is:

openssl x509 -in /path/to/cert.pem -noout -text

There are bugs in libgcrypt11 that cause issues when using GnuTLS 2.10.* or older, and those can be worked around by running nscd on the LDAP client.

sudo apt-get install nscd

With GnuTLS 2.11.* or later the preferred crypto backend changed to nettle. For Ubuntu 12.04 see this bug report:
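As an added example (not code from the original answer), the shell script below applies the openssl check described above: it reads a PEM file, decides from its basicConstraints extension whether it is a CA certificate or the LDAP server's own certificate, and prints the matching LDAPTrustedGlobalCert line. It assumes openssl 1.1.1 or later is installed; the throwaway CA and server certificate it generates are constructed demo data, not certificates from the systems in the question.

```shell
#!/bin/sh
# Added example: classify a PEM certificate for mod_ldap's
# LDAPTrustedGlobalCert directive. Assumes openssl 1.1.1+ is on PATH.
set -eu

# Print CERT_CA if the certificate carries basicConstraints CA:TRUE,
# otherwise CERT_BASE64 (an end-entity certificate such as the LDAP server's).
cert_kind() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo CERT_CA
    else
        echo CERT_BASE64
    fi
}

# Emit the directive to place before the LDAP auth configuration.
trusted_cert_directive() {
    printf 'LDAPTrustedGlobalCert %s %s\n' "$(cert_kind "$1")" "$1"
}

# Constructed demo material: a throwaway CA and a server certificate it
# signs, written to a temp directory so the script runs offline.
# Prints the directory path.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo CA' -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$dir/ca.key" -out "$dir/ldap-cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=master.ldap.organisation.com' \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    # Explicitly mark the server certificate as non-CA.
    printf 'basicConstraints=CA:FALSE\n' > "$dir/srv.ext"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ldap-cacert.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$dir/srv.ext" -out "$dir/ldap-server.pem" 2>/dev/null
    echo "$dir"
}

# Usage: ./cert_kind.sh /path/to/cert.pem
if [ -n "${1-}" ]; then
    trusted_cert_directive "$1"
fi
```

Run it against the file found in the cacerts directory to get the exact line to paste into the Apache configuration.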

