https://bz.apache.org/bugzilla/show_bug.cgi?id=66490
Bug ID: 66490
Summary: ldap_simple_bind fails with "Can't contact LDAP server" when using ldaps on OpenLDAP
Product: Apache httpd-2
Version: 2.4.54
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authnz_ldap
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Hi,
When enabling ldaps for basic auth on a virtual host, I get these errors:
[Sat Feb 25 15:41:29.574636 2023] [authnz_ldap:debug] [pid 96357:tid 123171499845376] mod_authnz_ldap.c(548): [client 10.0.0.12:54546] AH01691: auth_ldap authenticate: using URL ldaps://ldap.hostname/ou=users,dc=domain,dc=org?uid?sub?(objectClass=posixAccount)
[Sat Feb 25 15:41:29.612716 2023] [authnz_ldap:info] [pid 96357:tid 123171499845376] [client 10.0.0.12:54546] AH01695: auth_ldap authenticate: user REDACTED authentication failed; URI / [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
This is the config snippet:
<Location />
AuthBasicProvider ldap
AuthLDAPURL ldaps://ldap.hostname/ou=users,dc=domain,dc=org?uid?sub?(objectClass=posixAccount)
#AuthLDAPRemoteUserAttribute cn
AuthLDAPInitialBindAsUser on
AuthLDAPInitialBindPattern (.+) cn=$1,ou=users,dc=domain,dc=org
Require valid-user
</Location>
When I use ldap:// scheme instead of ldaps, it works as expected.
The hostname ldap.hostname is defined in /etc/hosts and resolves to 127.0.0.1.
When I try to connect locally with ldapsearch using ldaps:// URI it works too,
be it with ldaps://ldap.hostname/ or ldaps://127.0.0.1/
$ ldapsearch -H ldaps://ldap.hostname/ -b "ou=users,dc=domain,dc=org" -D "cn=webserver,ou=users,dc=domain,dc=org" -W "(objectClass=posixAccount)"
...
# search result
search: 3
result: 0 Success
When stracing the Apache processes, I see a few occurrences of these:
[pid 96407] connect(45, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid 96407] poll([{fd=45, events=POLLOUT|POLLERR|POLLHUP}], 1, 10000) = 1 ([{fd=45, revents=POLLOUT}])
[pid 96407] getpeername(45, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("127.0.0.1")}, [128->16]) = 0
[pid 96407] fcntl(45, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
[pid 96407] fcntl(45, F_SETFL, O_RDWR) = 0
[pid 96407] shutdown(45, SHUT_RDWR) = 0
[pid 96407] close(45) = 0
I'm using Debian version 2.4.54-1~deb11u1 of Apache2 server.
Any ideas on what I could have missed here?
Thank you!
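One check worth running next to ldapsearch, added here as an example and not code from httpd, APR or OpenLDAP: a small Python probe that performs a certificate-verified TLS handshake to the LDAPS port and then a raw LDAPv3 simple bind, so that a TLS or transport failure (which libldap reports as LDAP_SERVER_DOWN, the "Can't contact LDAP server" text seen in the log) can be told apart from a bind the directory actually rejected. The CA file path, bind DN and password passed to probe() are assumptions; the call to try against the setup in the report is probe("ldap.hostname", "/path/to/ca.crt", "cn=webserver,ou=users,dc=domain,dc=org", "secret").

```python
# Added example, not httpd, APR or OpenLDAP code: hand-encoded LDAPv3 simple
# bind over a verified TLS session, decoding the BindResponse resultCode.
import socket
import ssl

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form up to 65535."""
    if n < 128:
        return bytes([n])
    return bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }"""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def bind_result_code(resp: bytes) -> int:
    """resultCode of LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    _, msg, _ = read_tlv(resp)
    _, _, pos = read_tlv(msg)          # skip messageID
    tag, bind_resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, _ = read_tlv(bind_resp)   # resultCode ENUMERATED comes first
    return int.from_bytes(code, "big")

def probe(host: str, ca_file: str, dn: str, password: str, port: int = 636) -> str:
    """Separate TLS/transport failures (libldap: LDAP_SERVER_DOWN, "Can't contact
    LDAP server") from binds the directory rejected (resultCode != 0)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return "bind resultCode %d" % bind_result_code(tls.recv(4096))
    except OSError as e:  # ssl.SSLError is an OSError subclass
        return "TLS/transport failure before any bind: %s" % e

# Constructed sample response (not captured traffic): resultCode 49, invalidCredentials.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c02010161070a013104000400")
```

A successful ldapsearch says nothing about httpd's trust settings, because mod_ldap has its own LDAPTrustedGlobalCert and LDAPVerifyServerCert directives; running probe() with the CA file httpd is configured with is the comparison that matters.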