keith2045 09-14-2012 01:32 PM

Apache SVN LDAPs
I'm having issues configuring apache svn using ldaps.

I have a RHEL 6.2 box with httpd 2.2 running. I've got it configured using ldaps and when browsing using a web browser everything works fine. Authentication works and authorization works also. Great, but when I use any client to check out, I get

svn: not authorized to open root of edit operation

After looking through the log, I noticed

auth_ldap authenticate: user *** authentication failed: URI **** [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

If I turn off LDAPVerifyServerCert it works, but if I leave it on, it can't connect. It's not trusting the certificate, but why? I have LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ca.crt configured.

So when using a web browser it gets the certs and verifies it's in the ca.crt file, but when using a client it doesn't want to check the ca.crt file.

Any idea why using a client ignores the LDAPTrustedGlobalCert line?

Matthew Hardin 10-15-2012 07:26 PM

The most common reason for something like this is that the process (in this case Apache) doesn't have read access to its copy of the CA cert or doesn't have read permissions to the configuration file where the CA Cert is being specified.

One strategy that works well is to run the server in debug mode and watch what it sees during the connection negotiation phase. Assuming you're using OpenLDAP, start the server from the command line with a fairly high debug level. I like to start with -1 (minus 1) and then back off from there. If there's too much output, redirect stderr to a file. DO NOT depend on syslog to capture debug output; it'll get flooded and drop what will likely turn out to be the most important bits.

Assuming OpenSSL, watch for "certificate verification" or something like that in the output. That'll very likely provide the clue you're looking for.

Matthew Hardin
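A diagnostic script for the two checks discussed in this thread (whether the Apache user can read the CA file, and whether the LDAPS server's chain verifies against that file alone), added here as an illustration and not posted by either participant. It assumes httpd runs as the user `apache` and takes the LDAPS host and CA path on the command line; ACLs and SELinux labels are outside the mode-bit check and still need `ls -Z` or `getfacl`.

```python
import grp
import os
import pwd
import socket
import ssl
import stat
import sys


def readable_by(mode, file_uid, file_gid, uid, gids, want=stat.S_IROTH):
    """Pure POSIX mode-bit check for a process running as (uid, gids). `want` is the
    'other' bit (S_IROTH: read, S_IXOTH: traverse); ACLs and SELinux are not covered."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & (want << 6))
    if file_gid in gids:
        return bool(mode & (want << 3))
    return bool(mode & want)


def user_can_read(path, user="apache"):
    """True if `user` can traverse every parent directory of `path` and read the file."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    path = os.path.abspath(path)
    checks, d = [(path, stat.S_IROTH)], os.path.dirname(path)
    while True:  # collect every ancestor directory up to /
        checks.append((d, stat.S_IXOTH))
        if d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return all(readable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids, want)
               for p, want in checks for st in [os.stat(p)])


def ldaps_verify(host, cafile, port=636):
    """Repeat mod_ldap's TLS handshake, trusting only `cafile`, and return a verdict line."""
    ctx = ssl.create_default_context(cafile=cafile)  # assumed CA path, e.g. the ca.crt above
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return "ok: chain trusted, CN=" + subject.get("commonName", "?")
    except ssl.SSLCertVerificationError as e:
        return "verify failed: " + e.verify_message
    except (OSError, ssl.SSLError) as e:
        return "connect failed: " + str(e)


if __name__ == "__main__":  # usage: script.py ldap.example.com /etc/pki/tls/certs/ca.crt
    print("apache can read CA file:", user_can_read(sys.argv[2]))
    print(ldaps_verify(sys.argv[1], sys.argv[2]))
```

A "verify failed" line names the exact OpenSSL reason (unknown issuer, expired, hostname mismatch), which is the same condition mod_ldap hides behind "Can't contact LDAP server" when LDAPVerifyServerCert is on.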
