Setting "TLS_REQCERT allow" in /etc/ldap/ldap.conf solved my problem.
Tomorrow, for additional security, I will try to implement certificate
checking via the "TLS_CACERT" option.

Thank you very much Clément and excuse me for not using the mailing list.

--
Mirko Iodice


2011/4/10 Clément OUDOT <clem.ou...@gmail.com>
>
> 2011/4/10 Mirko Iodice <m.iod...@gmail.com>:
> > Hi Clément,
> > first of all I want to thank you for the Self Service Password tool; it
> > seems to be the perfect way to let my web service users change their
> > passwords.
> > I'm writing to you because I'm trying to use it for the first time to change my
> > Active Directory users' passwords. I tried everything, but I always get the
> > "Cannot access to LDAP directory" error message.
> > I hope you can help me out to find what is going wrong here.
> >
> > The Apache log file reports this error: "[error] [client 127.0.0.1] LDAP - Bind
> > error -1  (Can't contact LDAP server), referer: http://localhost/"
> > Is there a way to get more verbose errors?
> >
> > I have enabled LDAPS on my Windows 2008 Domain Controller and configured
> > "config.inc.php" like this:
> >
> > $ldap_url = "ldaps://dc2008.domain.lan";
> > $ldap_binddn = "cn=usermanager,cn=users,dc=domain,dc=lan";
> > $ldap_bindpw = "password";
> > $ldap_base = "ou=test,dc=domain,dc=lan";
> > $ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
> >
> > # Active Directory mode
> > # true: use unicodePwd as password field
> > # false: LDAPv3 standard behavior
> > $ad_mode = true;
> >
> > Attached to this mail you can find the packet capture; it seems that at some
> > point the Apache2 server closes the LDAPS connection for some reason.
> > Thanks in advance for your support.
> >
>
> Hi Mirko,
>
> first, you should use the user mailing list, as your question
> certainly interests other people.
>
> It seems there is a problem in the SSL connection. Have you configured
> your PHP installation to check the certificate against the CA, or to
> ignore the certificate? See
> http://ltb-project.org/wiki/documentation/self-service-password/0.5/config_ldap#server_address
>
> The other thing I see is the "Certificate Request" in the SSL Server
> Hello message, which might mean that the server is configured to
> authenticate the client with a certificate.
>
> Clément.
_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
http://lists.ltb-project.org/listinfo/ltb-users
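The thread ends with "TLS_REQCERT allow" as the workaround and CA-based checking deferred to the next day. The script below is an added example, not Self Service Password code and not from the original messages: it performs the same LDAPS bind from PHP with the certificate verified against a pinned CA, which is what the "TLS_CACERT" plus "TLS_REQCERT demand" combination in /etc/ldap/ldap.conf achieves for libldap, and it prints the libldap diagnostic message that the "-1 (Can't contact LDAP server)" line in the Apache log hides. The server name and bind DN are taken from the quoted config; the CA file path, the environment variables and PHP >= 7.1 (for the LDAP_OPT_X_TLS_* constants) are assumptions for illustration.

```php
<?php
// Added example (not Self Service Password code): LDAPS bind to a domain
// controller with the issuing CA pinned, instead of "TLS_REQCERT allow".
// Equivalent /etc/ldap/ldap.conf settings for libldap, which PHP's ldap
// extension uses:
//   TLS_CACERT  /etc/ssl/certs/domain-lan-ca.pem    (assumed path)
//   TLS_REQCERT demand
// Host and bind DN come from the quoted config.inc.php; CA path, password
// source and env var names are assumptions.

$ldap_url    = "ldaps://dc2008.domain.lan";
$ldap_binddn = "cn=usermanager,cn=users,dc=domain,dc=lan";
$ldap_bindpw = getenv("LDAP_BINDPW") ?: "password";   // assumed env var
$ca_file     = "/etc/ssl/certs/domain-lan-ca.pem";   // assumed: CA that issued the DC cert

// TLS options are process-global in libldap and must be set (with a null
// connection) before ldap_connect(). LDAP_OPT_X_TLS_DEMAND fails the
// connection unless the server certificate chains to $ca_file and matches
// the host name. LDAP_OPT_X_TLS_ALLOW, the PHP side of "TLS_REQCERT allow",
// accepts any certificate, so anyone on the path can read the bind password
// and every new user password the tool sets.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $ca_file);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

// Optional: libldap debug trace on stderr (Apache error log under mod_php),
// the "more verbose errors" asked for in the thread. Assumed env var.
if (getenv("LDAP_DEBUG")) {
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
}

$ds = ldap_connect($ldap_url);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; chasing them breaks binds

if (!@ldap_bind($ds, $ldap_binddn, $ldap_bindpw)) {
    // ldap_error() gives the generic libldap string ("Can't contact LDAP
    // server"); the diagnostic message, when set, carries the TLS reason
    // such as a certificate verify failure.
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("Bind error %d (%s)%s\n",
        ldap_errno($ds), ldap_error($ds), $diag !== '' ? ": $diag" : ''));
    exit(1);
}

echo "LDAPS bind OK with server certificate verified against $ca_file\n";
ldap_unbind($ds);
```

Run it from the same host and PHP build as the web application, since the TLS settings that matter are those of the libldap linked into PHP, not of the ldapsearch binary. A "Certificate Request" in the server's TLS handshake, as seen in the capture, is normal for Active Directory LDAPS: the domain controller requests a client certificate but does not require one, and a client that sends an empty certificate list still completes the handshake.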
