
I am trying to set up LDAPS with apache, so that users logging in to my site will be authenticated against my AD, and that this auth traffic is itself encrypted.

Apache is version 2.2.15 running on Red Hat 6.2

AD is on Windows 2008 R2

This all works with plain LDAP; it's only when I try to get it to work with LDAPS that it fails.

Running a wireshark trace, I can see the TCP handshake, ([SYN],[SYN, ACK],[ACK]), then there is an 8 second delay where I would expect the ClientHello to come in, but it doesn't happen.

I just get a [FIN, ACK] from the apache side as the TCP connection is torn down.

So, how do I start troubleshooting this?

In my apache conf, I have added

LDAPTrustedGlobalCert CA_BASE64 /path/to/my/orgs/root/cert
LDAPVerifyServerCert On|Off   #tried both
LDAPTrustedMode SSL|TLS       #tried both

In my LDAP URL, I have changed ldap:// to ldaps:// and changed the port I am connecting to.

I have tried ports 636 and 3269 (global catalogue SSL).

Error log is showing [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

No firewall is up (iptables, windows firewall or intermediate hw fw), so there should be no traffic restrictions.

Any ideas?

gtmcclinton

2 Answers

If you are using 'ldaps://ip address.......' in your ldap url, try 'ldaps://full hostname.......'

Sean1e
  • No, I wasn't using IP address, haven't even tried it, it's been FQDN all the way. – gtmcclinton Jul 20 '15 at 13:57
  • I am seeing this in the apache documentation. "Support for LDAP over SSL (requires the Netscape SDK) or TLS (requires the OpenLDAP 2.x SDK or Novell LDAP SDK)." Closest rpm I've found is ldapjdk, rather than ldapsdk. I've installed it, but still no worky. Would I need to do any post installation configuration? – gtmcclinton Jul 20 '15 at 13:58

I found that the file permissions were too restrictive on the cert file pointed to by "LDAPTrustedGlobalCert".

However, with "LDAPVerifyServerCert Off", I thought reading of that root cert would be bypassed, and I wouldn't need to worry about permissions?

No matter, it's fixed now.

gtmcclinton
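Two checks matching the symptoms in this thread, as an added example that is not code from any of the posters: the first tests whether the file named by LDAPTrustedGlobalCert is readable by the httpd worker account (the cause found in the answer above) and is PEM as CA_BASE64 requires; the second performs a TLS handshake against the AD host on 636 or 3269 so a server that never answers can be told apart from a client that never sends its ClientHello. The worker uid/gid 65534, the file path and the host name are assumptions, and the PEM body in demo() is a constructed sample.

```python
import os
import socket
import ssl
import tempfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def check_ca_file(path, uid, gid):
    """List problems that stop the httpd worker (uid/gid) from using the CA file."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if st.st_uid == uid:          # only the triplet that applies to the worker matters
        readable = st.st_mode & 0o400
    elif st.st_gid == gid:
        readable = st.st_mode & 0o040
    else:
        readable = st.st_mode & 0o004
    problems = [] if readable else [f"mode {oct(st.st_mode & 0o777)} not readable by uid {uid}"]
    try:
        with open(path, "rb") as fh:
            if PEM_HEADER not in fh.read(4096):
                problems.append("not PEM; CA_BASE64 expects a base64 (PEM) certificate")
    except OSError as exc:
        problems.append(f"cannot read: {exc.strerror}")
    return problems

def ldaps_handshake(host, port=636, cafile=None, verify=True, timeout=8.0):
    """Attempt a TLS handshake to the AD host; return a status string, never raise."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:  # the equivalent of LDAPVerifyServerCert Off
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok: {tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return f"cert-verify: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:  # timeout, refused, unreachable, TLS alert
        return f"{type(exc).__name__}: {exc}"

def demo(uid=65534, gid=65534):
    """Constructed sample (assumed worker uid): CA file with mode 0600, then 0644."""
    path = os.path.join(tempfile.mkdtemp(), "root.pem")
    with open(path, "wb") as fh:
        fh.write(PEM_HEADER + b"\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    os.chmod(path, 0o600)
    before = check_ca_file(path, uid, gid)
    os.chmod(path, 0o644)
    return before, check_ca_file(path, uid, gid)
```

For a real run, pass the uid/gid of the account httpd workers run as (`apache` on Red Hat) and your own CA path and AD host; a result beginning with "ok" from ldaps_handshake while mod_ldap still shows "Can't contact LDAP server" points at the Apache side, as it did here.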