The Unwashed Meme » ldap http://the.unwashedmeme.com/blog Just a few bad ideas. Tue, 25 Jan 2011 18:34:52 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 mod_ldap LDAPVerifyServerCert simple bind failed http://the.unwashedmeme.com/blog/2008/08/08/mod_ldap-ldapverifyservercert-simple-bind-failed/ http://the.unwashedmeme.com/blog/2008/08/08/mod_ldap-ldapverifyservercert-simple-bind-failed/#comments Fri, 08 Aug 2008 20:29:17 +0000 UnwashedMeme http://the.unwashedmeme.com/blog/?p=58 We’ve been working for a long time to resolve an error in our ldap setup. Whenever we tried to use the LDAPVerifyServerCert option to verify the ldap server we were talking to is correct, it didn’t work. Always failed with the unhelpful error:

[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

We had set the appropriate CA cert with the LDAPTrustedGlobalCert option. We could use openssl s_client to verify the certificate chain.  We couldn’t figure out why it didn’t work; it was always just simple bind failed.

I finally found it today: The certificate file needs to be readable by others. Aparently the apache process reads that file separately than the rest of the config. SSL certificates for mod_ssl appear to be fine to only have root read on it, but not the LDAPTrustedGlobalCert.  It would’ve been nice if the log message had said something like “Permission denied reading …” or even just “Couldn’t read certificate.”  Unfortunately it falls back to the most generic error there.

]]> http://the.unwashedmeme.com/blog/2008/08/08/mod_ldap-ldapverifyservercert-simple-bind-failed/feed/ 1