LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 11:17:05 von Sandro Tosi

Hello,
we are enabling LDAP auth on our apache stack. Starting from
apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .

The configure line we used for apache is:

$ ./configure --prefix=/usr/local/apache --mandir=/path/to/man
--with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all
--enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap

and the one for php is:

../configure --prefix=/usr/local/php --mandir=/usr/local/php/man
--with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs
--with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash
--with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib
--with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt
--enable-shared=max --enable-mbstring --enable-inline-optimization
--enable-magic-quotes --enable-sigchild --enable-soap
--enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib
--with-png-dir=/usr/lib --with-freetype-dir=/usr/lib

Build and install went fine.

We also installed openldap-client-2.3.27 and set "TLS_REQCERT never"
into /etc/openldap/ldap.conf .

And now starts the problem :( We configured httpd.conf to contain

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
...
LDAPVerifyServerCert Off

Then we set a dir with .htaccess similar to this:

AuthType Basic
AuthName ""
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN uid=,ou=,ou=,dc=,dc=
AuthLDAPBindPassword
AuthLDAPURL ldaps://

/dc=,dc=?uid?sub?(objectClass=*)
require valid-user

If I then try to access a page under that .htaccess, then I'm prompted
for username and password, but then I'm redirected to a 500 page and in
error.log I can read

[Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap
authenticate: user stosi authentication failed; URI /index.html [LDAP:
ldap_set_option failed. Could not set LDAP_OPT_X_TLS to
LDAP_OPT_X_TLS_HARD][Operations error]

We have been stuck in this situation for days :( we searched the internet
for the above error message, but except for a couple of posts on
issues.apache.org (that don't help) there is nothing else but complaints
about how obscure that error is.

I think there's something related to SSL and how recent apache (it seems
from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
httpd.conf and set explicitly "SSLEngine On" where needed (while before
it was a bit implicit).

I appreciate any help, because we are out of any idea on how to move on.

Regards,
Sandro

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 11:38:09 von Emmanuel Bailleul

> -----Original Message-----
> From: Sandro Tosi [mailto:sandro.tosi@register.it]
> Sent: Monday 2 November 2009 11:17
> To: users@httpd.apache.org
> Subject: [users@httpd] LDAP: ldap_set_option failed. Could not set
> LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD
>
> Hello,
> we are enabling LDAP auth on our apache stack. Starting from
> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
>
> The configure line we used for apache is:
>
> $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man
> --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all
> --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap
>
> and the one for php is:
>
> ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man
> --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs
> --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash
> --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib
> --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt
> --enable-shared=max --enable-mbstring --enable-inline-optimization
> --enable-magic-quotes --enable-sigchild --enable-soap
> --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib
> --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
>
> Build and install went fine.
>
> We also installed openldap-client-2.3.27 and set "TLS_REQCERT never"
> into /etc/openldap/ldap.conf .
>
> And now starts the problem :( We configured httpd.conf to contain
>
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> ...
> LDAPVerifyServerCert Off
>
> Then we set a dir with .htaccess similar to this:
>
> AuthType Basic
> AuthName ""
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative Off
> AuthLDAPBindDN uid=,ou=,ou=,dc=,dc=
> AuthLDAPBindPassword
> AuthLDAPURL ldaps://
> /dc=,dc=?uid?sub?(objectClass=*)
> require valid-user
>
> If I then try to access a page under that .htaccess, then I'm prompted
> for username and password, but then I'm redirected to a 500 page and in
> error.log I can read
>
> [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap
> authenticate: user stosi authentication failed; URI /index.html [LDAP:
> ldap_set_option failed. Could not set LDAP_OPT_X_TLS to
> LDAP_OPT_X_TLS_HARD][Operations error]
>
> We have been stuck in this situation for days :( we searched the internet
> for the above error message, but except for a couple of posts on
> issues.apache.org (that don't help) there is nothing else but complaints
> about how obscure that error is.
>
> I think there's something related to SSL and how recent apache (it
> seems
> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile
> into
> httpd.conf and set explicitly "SSLEngine On" where needed (while before
> it was a bit implicit).
>
> I appreciate any help, because we are out of any idea on how to move on.
>
> Regards,
> Sandro
>

Hi,

Did you try your LDAPS connection with ldapsearch first ? (sth like ldapsearch -H -x ...).
An important thing : when calling your ldap server, do use the resolved name rather than the IP. You can even add it in your hosts file if needed.
Two other things :
- what kind of ldap server are you using ?
- when building, are you sure you did not have several ssl toolkits/versions installed ? Can you confirm httpd has been built with the correct one (I just remember having made this mistake once and having to build with an option like "--with-ssl=
Regards.

Emmanuel




Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 12:01:24 von Sandro Tosi

Emmanuel Bailleul wrote:
> Hi,
>
> Did you try your LDAPS connection with ldapsearch first ? (sth like ldapsearch -H -x ...).
>
Sorry I didn't mention it: yes, I have tested, and with ldapsearch it
works fine (using the name address and not the IP address)
> An important thing : when calling your ldap server, do use the resolved name rather than the IP. You can even add it in your hosts file if needed.
>
I use the name address and not the IP address. Do you think that's the
problem? I think it doesn't even try to connect to the ldap server.
Anyhow, I gave it a try, and the same error comes.
> Two other things :
> - what kind of ldap server are you using ?
>
it's "OpenLDAP server (slapd) version 2.4.11-1" (Debian Lenny).
> - when building, are you sure you did not have several ssl toolkits/versions installed ? Can you confirm httpd has been built with the correct one (I just remember having made this mistake once and having to build with an option like "--with-ssl=
I actually used "--with-ssl=/path/to/openssl-0.9.8g-16052008". But, hey,
now that I look at it, in the error.log I see:

[Mon Nov 02 11:26:54 2009] [info] mod_ssl/2.2.14 compiled against
Server: Apache/2.2.14, Library: OpenSSL/0.9.7e

WTH?! why is it using 0.9.7e while I told it to link against 0.9.8g?

In fact

# strings modules/mod_ssl.so | grep '0.9.7' | wc -l
33

Could that be the problem? Any suggestion how to fix that? Other to look?

Thanks a lot,
Sandro


RE: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 12:09:53 von Emmanuel Bailleul

> -----Original Message-----
> From: Sandro Tosi [mailto:sandro.tosi@register.it]
> Sent: Monday 2 November 2009 12:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] LDAP: ldap_set_option failed. Could not set
> LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD
>
> Emmanuel Bailleul wrote:
> > Hi,
> >
> > Did you try your LDAPS connection with ldapsearch first ? (sth like
> ldapsearch -H -x ...).
> >
> Sorry I didn't mention it: yes, I have tested, and with ldapsearch it
> works fine (using the name address and not the IP address)
> > An important thing : when calling your ldap server, do use the
> resolved name rather than the IP. You can even add it in your hosts
> file if needed.
> >
> I use the name address and not the IP address. Do you think that's the
> problem? I think it doesn't even try to connect to the ldap server.
> Anyhow, I gave it a try, and the same error comes.
> > Two other things :
> > - what kind of ldap server are you using ?
> >
> it's "OpenLDAP server (slapd) version 2.4.11-1" (Debian Lenny).
> > - when building, are you sure you did not have several ssl
> toolkits/versions installed ? Can you confirm httpd has been built with
> the correct one (I just remember having made this mistake once and
> having to build with an option like "--with-ssl= > openssl-dir") ?
> I actually used "--with-ssl=/path/to/openssl-0.9.8g-16052008". But,
> hey,
> now that I look at it, in the error.log I see:
>
> [Mon Nov 02 11:26:54 2009] [info] mod_ssl/2.2.14 compiled against
> Server: Apache/2.2.14, Library: OpenSSL/0.9.7e
>
> WTH?! why is it using 0.9.7e while I told it to link against 0.9.8g?
>
> In fact
>
> # strings modules/mod_ssl.so | grep '0.9.7' | wc -l
> 33
>
> Could that be the problem? Any suggestion how to fix that? Other to
> look?
>
> Thanks a lot,
> Sandro
>

I don't think that how mod_ssl was built has anything to do with your ldaps problems, but as you could see in https://issues.apache.org/bugzilla/show_bug.cgi?id=41041 , the error you mentioned could clearly be due to different libs used at compile time and at run time. Maybe you could try to follow the suggestions described in this thread in order to recompile mod_authnz_ldap with the original openssl toolkit ?

Emmanuel


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 14:21:20 von Sandro Tosi

> I don't think that how mod_ssl was built has anything to do with your ldaps problems, but as you could see in https://issues.apache.org/bugzilla/show_bug.cgi?id=41041 , the error you mentioned could clearly be due to different libs used at compile time and at run time. Maybe you could try to follow the suggestions described in this thread in order to recompile mod_authnz_ldap with the original openssl toolkit ?
>

I recompiled apache linking with OpenSSL 0.9.8g, and it claims it uses it:

[Mon Nov 02 13:51:47 2009] [notice] Apache/2.2.14 (Unix) mod_ssl/2.2.14
OpenSSL/0.9.8g configured

but the problem is still there :(

The post you mention (I've already read it) is referring to the Solaris
linker; I'm on Linux, and ld only knows of 0.9.8:

# ldconfig -p | grep -i libssl
libssl.so.0 (libc6) => /usr/lib/libssl.so.0
libssl.so (libc6) => /usr/lib/libssl.so

# ls -l /usr/lib/libssl.so.0
lrwxrwxrwx ... /usr/lib/libssl.so.0 -> libssl.so.0.9.8

What else can I do? Thanks a lot for the support :) ,
Sandro


Re: LDAP: ldap_set_option failed. Could not set

am 02.11.2009 14:41:17 von Eric Covener

> I think there's something related to SSL and how recent apache (it seems
> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
> httpd.conf and set explicitly "SSLEngine On" where needed (while before it
> was a bit implicit).

This version is where SNI came in, but I have a hard time buying that
you never had "SSLEngine on" in any context.

Can you apply this patch and generate debugging info from the SDK?

http://people.apache.org/~covener/ldap_debug/

--
Eric Covener
covener@gmail.com


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 14:58:53 von Sandro Tosi

Eric Covener wrote:
>> I think there's something related to SSL and how recent apache (it seems
>> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
>> httpd.conf and set explicitly "SSLEngine On" where needed (while before it
>> was a bit implicit).
>>
>
> This version is where SNI came in, but I have a hard time buying that
> you never had "SSLEngine on" in any context.
>
No no, we had them, but not in every context (at least one in each
config file, but not in each vhost that needs that).
> Can you apply this patch and generate debugging info from the SDK?
>
> http://people.apache.org/~covener/ldap_debug/
>
Thanks a lot for the patch! I applied it (against the 2.2.14 tarball code)
but then apache fails to build:

make[4]: Entering directory `/path/to/src/httpd-2.2.14/modules/ldap'
/path/to/src/httpd-2.2.14/srclib/apr/libtool --silent --mode=compile gcc
-g -O2 -pthread -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE
-D_LARGEFILE64_SOURCE -I/path/to/src/httpd-2.2.14/srclib/pcre -I.
-I/path/to/src/httpd-2.2.14/os/unix
-I/path/to/src/httpd-2.2.14/server/mpm/prefork
-I/path/to/src/httpd-2.2.14/modules/http
-I/path/to/src/httpd-2.2.14/modules/filters
-I/path/to/src/httpd-2.2.14/modules/proxy
-I/path/to/src/httpd-2.2.14/include
-I/path/to/src/httpd-2.2.14/modules/generators
-I/path/to/src/httpd-2.2.14/modules/mappers
-I/path/to/src/httpd-2.2.14/modules/database
-I/path/to/src/httpd-2.2.14/srclib/apr/include
-I/path/to/src/httpd-2.2.14/srclib/apr-util/include
-I/path/to/src/httpd-2.2.14/server
-I/path/to/src/httpd-2.2.14/modules/proxy/../generators
-I/path/to/openssl-0.9.8g-16052008/include
-I/path/to/src/httpd-2.2.14/modules/ssl
-I/path/to/src/httpd-2.2.14/modules/dav/main -prefer-pic -c util_ldap.c
&& touch util_ldap.slo
util_ldap.c: In function 'util_ldap_merge_config':
util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
'debug_level'
util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
'debug_level'
util_ldap.c: In function 'util_ldap_post_config':
util_ldap.c:2053: error: 'util_ldap_state_t' has no member named
'debug_level'
util_ldap.c:2054: error: 'util_ldap_state_t' has no member named
'debug_level'
util_ldap.c:2058: error: 'util_ldap_state_t' has no member named
'debug_level'
util_ldap.c: In function 'util_ldap_set_debug_level':
util_ldap.c:2080: error: 'util_ldap_state_t' has no member named
'debug_level'
make[4]: *** [util_ldap.slo] Error 1
make[4]: Leaving directory `/path/to/src/httpd-2.2.14/modules/ldap'
make[3]: *** [shared-build-recursive] Error 1
make[3]: Leaving directory `/path/to/src/httpd-2.2.14/modules/ldap'
make[2]: *** [shared-build-recursive] Error 1
make[2]: Leaving directory `/path/to/src/httpd-2.2.14/modules'
make[1]: *** [shared-build-recursive] Error 1
make[1]: Leaving directory `/path/to/src/httpd-2.2.14'
make: *** [all-recursive] Error 1

Thanks for your help,
Sandro


Re: LDAP: ldap_set_option failed. Could not set

am 02.11.2009 15:20:59 von Eric Covener

> util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
> 'debug_level'

I probably missed a file in the 2.2.x diff, will followup here when
patch is updated.

--
Eric Covener
covener@gmail.com


Re: LDAP: ldap_set_option failed. Could not set

am 02.11.2009 15:23:22 von Eric Covener

On Mon, Nov 2, 2009 at 9:20 AM, Eric Covener wrote:
>> util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
>> 'debug_level'
>
> I probably missed a file in the 2.2.x diff, will followup here when
> patch is updated.


updated at http://people.apache.org/~covener/ldap_debug/2.2.x-ldap_debug-2.diff

--
Eric Covener
covener@gmail.com


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 16:14:33 von Sandro Tosi

Eric Covener wrote:
> On Mon, Nov 2, 2009 at 9:20 AM, Eric Covener wrote:
>
>>> util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
>>> 'debug_level'
>>>
>> I probably missed a file in the 2.2.x diff, will followup here when
>> patch is updated.
>>
>
>
> updated at http://people.apache.org/~covener/ldap_debug/2.2.x-ldap_debug-2.diff
>
>
Yeah, I was looking at util_ldap.h right when you sent the updated patch :)

Apache builds fine this time, but the info doesn't seem much more
verbose than before (with debug level on):

[Mon Nov 02 15:50:12 2009] [debug] mod_authnz_ldap.c(972): [14305]
auth_ldap url parse: `ldaps:// address>/dc=,dc=?uid?sub?(objectClass=*)', Host: address>, Port: 636, DN: dc=,dc=, attrib: uid, scope: subtree,
filter: (objectClass=*), connection mode: using SSL
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(972): [14309]
auth_ldap url parse: `ldaps:// address>/dc=,dc=?uid?sub?(objectClass=*)', Host: address>, Port: 636, DN: dc=,dc=, attrib: uid, scope: subtree,
filter: (objectClass=*), connection mode: using SSL
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps:// server IP address>/dc=,dc=?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [warn] [client 127.0.0.1] [14309] auth_ldap
authenticate: user authentication failed; URI /index.html
[LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to
LDAP_OPT_X_TLS_HARD][Operations error]

Should I enable something in openssl? We configured it with
"--prefix=/path/to/openssl-0.9.8g-16052008 linux-elf".

Thanks again for the support,
Sandro


Re: LDAP: ldap_set_option failed. Could not set

am 02.11.2009 16:19:51 von Eric Covener

On Mon, Nov 2, 2009 at 10:14 AM, Sandro Tosi wrote:
> Apache builds fine this time, but the info doesn't seem much more verbose
> than before (with debug level on):

Did you set the directive mentioned in the HTML and check your main
server errorlog?


--
Eric Covener
covener@gmail.com


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 02.11.2009 16:50:32 von Sandro Tosi

Eric Covener wrote:
> On Mon, Nov 2, 2009 at 10:14 AM, Sandro Tosi wrote:
>
>> Apache builds fine this time, but the info doesn't seem much more verbose
>> than before (with debug level on):
>>
>
> Did you set the directive mentioned in the HTML and check your main
> server errorlog?
>
Yeah, sorry I didn't mention that, I enabled that option in httpd.conf
(while the vhost I'm using is in another config file).

In the main error.log I can see several

[Mon Nov 02 16:25:41 2009] [debug] util_ldap.c(1995): LDAP merging
Shared Cache conf: shm=0x811b0f8 rmm=0x811b128 for VHOST: localhost

one for each vhost, and then this

[Mon Nov 02 16:25:41 2009] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Nov 02 16:25:41 2009] [info] LDAP: SSL support available
[Mon Nov 02 16:25:41 2009] [notice] Apache/2.2.14 (Unix) mod_ssl/2.2.14
OpenSSL/0.9.8g configured -- resuming normal operations
[Mon Nov 02 16:25:41 2009] [info] Server built: Nov 2 2009 15:32:03
[Mon Nov 02 16:25:41 2009] [debug] prefork.c(1013): AcceptMutex: sysvsem
(default: sysvsem)

Nothing else LDAP related, not even when getting the 500.

Sandro


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 04.11.2009 09:31:11 von Sandro Tosi

Hello Eric (and others),
do you have any other ideas about what I can look at or test about this
issue? I'm really out of ideas and I don't know what else to do.

Thanks a lot in advance,
Sandro

Sandro Tosi wrote:
> Eric Covener wrote:
>
>> On Mon, Nov 2, 2009 at 10:14 AM, Sandro Tosi wrote:
>>
>>
>>> Apache builds fine this time, but the info doesn't seem much more verbose
>>> than before (with debug level on):
>>>
>>>
>> Did you set the directive mentioned in the HTML and check your main
>> server errorlog?
>>
>>
> Yeah, sorry I didn't mention that, I enabled that option in httpd.conf
> (while the vhost I'm using is in another config file).
>
> In the main error.log I can see several
>
> [Mon Nov 02 16:25:41 2009] [debug] util_ldap.c(1995): LDAP merging
> Shared Cache conf: shm=0x811b0f8 rmm=0x811b128 for VHOST: localhost
>
> one for each vhost, and then this
>
> [Mon Nov 02 16:25:41 2009] [info] APR LDAP: Built with OpenLDAP LDAP SDK
> [Mon Nov 02 16:25:41 2009] [info] LDAP: SSL support available
> [Mon Nov 02 16:25:41 2009] [notice] Apache/2.2.14 (Unix) mod_ssl/2.2.14
> OpenSSL/0.9.8g configured -- resuming normal operations
> [Mon Nov 02 16:25:41 2009] [info] Server built: Nov 2 2009 15:32:03
> [Mon Nov 02 16:25:41 2009] [debug] prefork.c(1013): AcceptMutex: sysvsem
> (default: sysvsem)
>
> Nothing else LDAP related, not even when getting the 500.
>
> Sandro
>



Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 04.11.2009 15:45:41 von Sandro Tosi

Sandro Tosi wrote:
> Hello,
> we are enabling LDAP auth on our apache stack. Starting from
> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
>

Just to give more information in order to (hopefully) solve this, the
same problem happens also using apache 2.2.9 (recompiled to enable ldap
and authnz_ldap).

HTH,
Sandro


Re: LDAP: ldap_set_option failed. Could not set

am 04.11.2009 15:52:16 von Eric Covener

On Wed, Nov 4, 2009 at 9:45 AM, Sandro Tosi wrote:
> Sandro Tosi wrote:
>>
>> Hello,
>> we are enabling LDAP auth on our apache stack. Starting from
>> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
>>
>
> Just to give more information in order to (hopefully) solve this, the same
> problem happens also using apache 2.2.9 (recompiled to enable ldap and
> authnz_ldap).

Any chance your PHP is causing some other LDAP library to be loaded?
Same symptom without mod_php?


--
Eric Covener
covener@gmail.com


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 04.11.2009 16:19:34 von Sandro Tosi

Eric Covener wrote:
> On Wed, Nov 4, 2009 at 9:45 AM, Sandro Tosi wrote:
>
>> Sandro Tosi wrote:
>>
>>> Hello,
>>> we are enabling LDAP auth on our apache stack. Starting from
>>> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
>>>
>>>
>> Just to give more information in order to (hopefully) solve this, the same
>> problem happens also using apache 2.2.9 (recompiled to enable ldap and
>> authnz_ldap).
>>
>
> Any chance your PHP is causing some other LDAP library to be loaded?
> Same symptom without mod_php?
>
Oh god you're right! removing the load of php from apache (and
commenting out almost every virtualhost other than the default), LDAP
auth is working!!

Now, running

# ldd modules/libphp5.so | egrep "ldap|ssl|sas"
libssl.so.0 => /usr/X11R6/lib/libssl.so.0 (0xb725d000)

and

# ldd modules/mod_ldap.so | egrep "ldap|ssl|sas"
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb804b000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7eb1000)
libssl.so.0 => /usr/lib/libssl.so.0 (0xb7e71000)

could the problem be the different libssl (and I really don't know why
they're different)? in particular because libphp is loaded _before_
mod_ldap ?

Regards,
Sandro
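The `ldd` comparison above is the decisive check in this thread, and it generalises: every module httpd loads ends up in one process, and the dynamic loader loads a given soname only once per process, so if two modules were linked against different files for the same soname, whichever module is loaded first decides which copy all the others get. The script below is an added example (not from the thread or the Apache project) that scans `ldd`-style records for exactly that situation. The sample records are constructed for this example and modelled on the paths quoted above; `collect_ldd` assumes GNU/Linux `ldd` output and is only needed when running against real module files.

```shell
#!/bin/sh
# Added example (not from the thread or the Apache project). Reads records
# of the form  <module>|<soname> => <path> (<load address>)  and reports
# every soname that resolves to different files in different modules.
# Because the dynamic loader loads a soname only once per process, such a
# pair means the first module loaded decides which copy everyone else gets.

# Constructed sample, modelled on the ldd output quoted in the thread.
SAMPLE_LDD='modules/libphp5.so|libssl.so.0 => /usr/X11R6/lib/libssl.so.0 (0xb725d000)
modules/libphp5.so|libcrypto.so.0 => /usr/X11R6/lib/libcrypto.so.0 (0xb7140000)
modules/mod_ldap.so|libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb804b000)
modules/mod_ldap.so|libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7eb1000)
modules/mod_ldap.so|libssl.so.0 => /usr/lib/libssl.so.0 (0xb7e71000)
modules/mod_authnz_ldap.so|libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb804b000)'

# find_conflicts: records on stdin; prints one sorted line per conflicting
# soname:  CONFLICT <soname> <path>[<module>] <path>[<module>] ...
find_conflicts() {
    awk -F'|' '
    {
        mod = $1
        n = index($2, " => ")
        if (n == 0) next                  # no resolved path on this line
        so = substr($2, 1, n - 1)
        path = substr($2, n + 4)
        sub(/ \(.*$/, "", path)           # strip the load address
        if (!((so, path) in seen)) {
            seen[so, path] = 1
            where[so] = where[so] " " path "[" mod "]"
            count[so]++
        }
    }
    END {
        for (so in count)
            if (count[so] > 1) print "CONFLICT " so where[so]
    }' | sort
}

# collect_ldd: builds the records from real module files (assumes GNU/Linux
# ldd output; not exercised by the sample run below).
collect_ldd() {
    for m in "$@"; do
        ldd "$m" | grep -E 'ldap|ssl|sasl|crypto' | sed "s|^[[:space:]]*|$m\||"
    done
}

# conflict_count: number of conflicting sonames in the constructed sample.
conflict_count() {
    printf '%s\n' "$SAMPLE_LDD" | find_conflicts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LDD" | find_conflicts
```

On the sample the only line reported is the one for `libssl.so.0`, resolved once under `/usr/X11R6/lib` (via the PHP module) and once under `/usr/lib` (via mod_ldap); `libldap-2.3.so.0`, shared by mod_ldap and mod_authnz_ldap from the same file, is not a conflict. Against a real installation, `collect_ldd modules/*.so | find_conflicts` gives the same report from the modules actually on disk.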


Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 09.11.2009 11:58:37 von Sandro Tosi

Hello Eric,
do you have some other suggestions on this topic? We're open to any
input or test you'd like us to do.

Thanks in advance,
Sandro

Sandro Tosi wrote:
> Eric Covener wrote:
>
>> On Wed, Nov 4, 2009 at 9:45 AM, Sandro Tosi wrote:
>>
>>
>>> Sandro Tosi wrote:
>>>
>>>
>>>> Hello,
>>>> we are enabling LDAP auth on our apache stack. Starting from
>>>> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
>>>>
>>>>
>>>>
>>> Just to give more information in order to (hopefully) solve this, the same
>>> problem happens also using apache 2.2.9 (recompiled to enable ldap and
>>> authnz_ldap).
>>>
>>>
>> Any chance your PHP is causing some other LDAP library to be loaded?
>> Same symptom without mod_php?
>>
>>
> Oh god you're right! removing the load of php from apache (and
> commenting out almost every virtualhost other than the default), LDAP
> auth is working!!
>
> Now, running
>
> # ldd modules/libphp5.so | egrep "ldap|ssl|sas"
> libssl.so.0 => /usr/X11R6/lib/libssl.so.0 (0xb725d000)
>
> and
>
> # ldd modules/mod_ldap.so | egrep "ldap|ssl|sas"
> libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb804b000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7eb1000)
> libssl.so.0 => /usr/lib/libssl.so.0 (0xb7e71000)
>
> could the problem be the different libssl (and I really don't know why
> they're different)? in particular because libphp is loaded _before_
> mod_ldap ?
>
> Regards,
> Sandro
>



Re: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 13.11.2009 16:49:10 von Sandro Tosi

Just to follow this up for people that might have the same problem: it
turns out it was because

- php was *not* compiled with ldap options
- php was loaded *before* mod_ldap and mod_authnz_ldap

A simple solution was to import mod_{authnz,}_ldap before php. The right
solution, though, is to add

--with-ldap-sasl --with-ldap

to the php configure options. After that, apache and LDAP can communicate and
authenticate users whatever order the above modules are imported in.

Thanks,
Sandro

Sandro Tosi wrote:
> Hello,
> we are enabling LDAP auth on our apache stack. Starting from
> apache/2.2.9+php/5.2.8 we are upgrading to apache/2.2.14+php/5.2.11 .
>
> The configure line we used for apache is:
>
> $ ./configure --prefix=/usr/local/apache --mandir=/path/to/man
> --with-ssl=/path/to/openssl-0.9.8g-16052008 --enable-mods-shared=all
> --enable-ssl --enable-so --with-ldap --enable-authnz-ldap --enable-ldap
>
> and the one for php is:
>
> ./configure --prefix=/usr/local/php --mandir=/usr/local/php/man
> --with-mysql=/path/to/mysql --with-apxs2=/usr/local/apache/bin/apxs
> --with-oci8=/shared/oracle/OraHome1 --with-curl --with-mhash
> --with-imap=/path/to/imap-2007b --with-openssl --with-gd --with-zlib
> --with-ttf --with-t1lib --with-mcrypt=/path/to/libmcrypt
> --enable-shared=max --enable-mbstring --enable-inline-optimization
> --enable-magic-quotes --enable-sigchild --enable-soap
> --enable-gd-native-ttf --with-jpeg-dir=/usr/lib --with-xpm-dir=/usr/lib
> --with-png-dir=/usr/lib --with-freetype-dir=/usr/lib
>
> Build and install went fine.
>
> We also installed openldap-client-2.3.27 and set "TLS_REQCERT never"
> into /etc/openldap/ldap.conf .
>
> And now starts the problem :( We configured httpd.conf to contain
>
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> ...
> LDAPVerifyServerCert Off
>
> Then we set a dir with .htaccess similar to this:
>
> AuthType Basic
> AuthName ""
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative Off
> AuthLDAPBindDN uid=,ou=,ou=,dc=,dc=
> AuthLDAPBindPassword
> AuthLDAPURL ldaps:// /dc=,dc=?uid?sub?(objectClass=*)
> require valid-user
>
> If I then try to access a page under that .htaccess, then I'm prompted
> for username and password, but then I'm redirected to a 500 page and in
> error.log I can read
>
> [Mon Nov 02 10:59:38 2009] [warn] [client 127.0.0.1] [10522] auth_ldap
> authenticate: user stosi authentication failed; URI /index.html [LDAP:
> ldap_set_option failed. Could not set LDAP_OPT_X_TLS to
> LDAP_OPT_X_TLS_HARD][Operations error]
>
> We have been stuck in this situation for days :( we searched the internet
> for the above error message, but except for a couple of posts on
> issues.apache.org (that don't help) there is nothing but complaints
> about how obscure that error is.
>
> I think there's something related to SSL and how recent apache (it seems
> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
> httpd.conf and set "SSLEngine On" explicitly where needed (while before
> it was a bit implicit).
>
> I appreciate any help, because we are out of ideas on how to move on.
>
> Regards,
> Sandro
>
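A check for the two causes identified in this thread (the libssl mismatch visible in the ldd output of the earlier message, and the LoadModule order), as an added example that is not part of the thread; the module names, the httpd.conf layout and the sample ldd lines are constructed:

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for the failure mode above:
#  1. find_conflicts: flag sonames that resolve to different files across Apache
#     DSOs (libphp5.so pulling /usr/X11R6/lib/libssl.so.0 while mod_ldap.so links
#     /usr/lib/libssl.so.0, as in the quoted ldd output);
#  2. load_order: flag a php module loaded before ldap_module in httpd.conf.
# Module names and the SAMPLE data are constructed for illustration.

# ldd_lines MODULE... -> "module soname path" for the libraries of interest
ldd_lines() {
  for m in "$@"; do
    ldd "$m" 2>/dev/null |
      awk -v mod="$m" '$2 == "=>" && $1 ~ /ldap|ssl|sasl|crypto/ { print mod, $1, $3 }'
  done
}

# find_conflicts: reads "module soname path" lines on stdin; prints one line per
# soname that resolves to more than one file; exit status 1 if any were found
find_conflicts() {
  awk '
    !(($2, $3) in seen) { seen[$2, $3] = 1; n[$2]++; where[$2] = where[$2] " " $3 "(" $1 ")" }
    END {
      rc = 0
      for (s in n) if (n[s] > 1) { print "CONFLICT " s ":" where[s]; rc = 1 }
      exit rc
    }'
}

# load_order CONF: exit status 1 if a php*_module LoadModule precedes ldap_module
load_order() {
  awk '
    /^[[:space:]]*LoadModule[[:space:]]/ {
      i++
      if ($2 ~ /^php/ && !php) php = i
      if ($2 == "ldap_module") ldap = i
    }
    END { if (php && ldap && php < ldap) { print "php module loaded before ldap_module"; exit 1 } }' "$1"
}

# Constructed sample modelled on the ldd output quoted earlier in the thread
SAMPLE='modules/libphp5.so libssl.so.0 /usr/X11R6/lib/libssl.so.0
modules/mod_ldap.so libldap-2.3.so.0 /usr/lib/libldap-2.3.so.0
modules/mod_ldap.so libsasl2.so.2 /usr/lib/libsasl2.so.2
modules/mod_ldap.so libssl.so.0 /usr/lib/libssl.so.0'

if [ $# -gt 0 ]; then
  ldd_lines "$@" | find_conflicts          # real use: ./check.sh modules/*.so
else
  printf '%s\n' "$SAMPLE" | find_conflicts || echo "(mismatch in the constructed sample)"
fi
```

Run it with the module files as arguments to inspect a real installation; without arguments it reports the mismatch from the constructed sample.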



RE: LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

am 13.11.2009 17:57:43 von Emmanuel Bailleul

> -----Original message-----
> From: Sandro Tosi [mailto:sandro.tosi@register.it]
> Sent: Friday, 13 November 2009 16:49
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] LDAP: ldap_set_option failed. Could not set
> LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Thanks for the feedback.

Emmanuel
