Question has been resolved.
LDAPTrustedGlobalCert CA_BASE64 /path/to/your/cert/file
OR
#LDAPTrustedGlobalCert CA_BASE64 /path/to/your/cert/file
# default value is On
LDAPVerifyServerCert Off
Thanks.
2011/3/1 Feldhacker, Chris <Feldhacker.Chris_at_principal.com>:
> -----Original Message-----
> From: 金健康 [mailto:jinjiankang1980_at_gmail.com]
> Sent: Friday, February 25, 2011 12:53 AM
> To: users_at_subversion.apache.org
> Subject: Subversion Apache2.2 LDAPS authentication failed
>
> Hi,
>
> OS: Redhat Linux
> Subversion: 1.5.0
> Apache: 2.2.17
> OpenLDAP: 2.3.27
>
> httpd.conf:
> ...
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> <Location /svn>
> DAV svn
> SVNParentPath /home/svnroot/repository
> AuthzSVNAccessFile /home/svnroot/repository/svn_access_file
> AuthType Basic
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthLDAPURL "ldaps://master.ldap.ebupt.com:636/OU=staff,DC=ebupt,DC=com?uid?sub?(objectClass=*)" SSL
> AuthName "Subversion.resository"
> Require valid-user
> </Location>
> ...
>
> Apache error_log:
>
> [Thu Feb 24 16:48:00 2011] [debug] mod_authnz_ldap.c(403): [client 10.1.85.181] [25242] auth_ldap authenticate: using URL ldaps://master.ldap.ebupt.com:636/OU=staff,DC=ebupt,DC=com?uid?sub?(objectClass=*)
> [Thu Feb 24 16:48:00 2011] [info] [client 10.1.85.181] [25242] auth_ldap authenticate: user jinjian kang authentication failed; URI /svn [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>
> ping master.ldap.ebupt.com is OK.
>
> My FTP LDAPS authentication is OK as below:
> server:master.ldap.ebupt.com
> port:636 Enable
> SSL:checked
> Base DN:ou=staff,dc=ebupt,dc=com
> anonymous bind:checked
> Search Filter:(objectClass=*)
> User DN attribute:uid
> Search scope:subtree
>
> Thanks.
> Jin Jiankang
> ============================
>
>
> I don't see any "LDAPTrustedGlobalCert" entries that tell Apache how to verify the server certificate... Have you defined any in the config file?
> http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
>
> Otherwise, you could also try adding this directive to see if it has any effect:
> LDAPVerifyServerCert Off
>
> Other than checking to verify the host name matches what's in the certificate, and making sure the CAs are set up, you could also check out this message:
> http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=395193
>
> FWIW!
Received on 2011-03-03 10:23:28 CET
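
The two fixes named in this thread are not equivalent: LDAPTrustedGlobalCert tells Apache which CA to trust, while LDAPVerifyServerCert Off makes mod_ldap accept any server certificate. The following is an added example, not part of the original messages, that checks an httpd configuration for which state it is in; the host name, CA path, finding codes and function names are assumptions made for illustration.

```python
import shlex

# Constructed configs modelled on this thread's directives; the host name
# and CA path are placeholders, not values from the original post.
URL = ('AuthLDAPURL "ldaps://ldap.example.com:636/OU=staff,DC=example,DC=com'
       '?uid?sub?(objectClass=*)" SSL')
NO_CA = f"<Location /svn>\nAuthBasicProvider ldap\n{URL}\n</Location>\n"
VERIFY_OFF = ("#LDAPTrustedGlobalCert CA_BASE64 /etc/pki/ldap-ca.pem\n"
              "LDAPVerifyServerCert Off\n" + NO_CA)
CA_SET = "LDAPTrustedGlobalCert CA_BASE64 /etc/pki/ldap-ca.pem\n" + NO_CA


def directives(text):
    """Yield (lowercased name, argument list) for each directive line."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, whole-line comments and <Section> tags.
        if not line or line[0] in "#<":
            continue
        name, *args = shlex.split(line)
        yield name.lower(), args


def audit_ldap_tls(text):
    """Return a list with at most one finding code for the LDAP TLS setup."""
    saw_url = encrypted = has_ca = False
    verify = True  # mod_ldap default: LDAPVerifyServerCert On
    for name, args in directives(text):
        if name == "authldapurl" and args:
            mode = args[1].upper() if len(args) > 1 else "NONE"
            saw_url = True
            encrypted |= (args[0].lower().startswith("ldaps://")
                          or mode in ("SSL", "TLS", "STARTTLS"))
        elif name == "ldaptrustedglobalcert" and args:
            has_ca |= args[0].upper().startswith("CA_")
        elif name == "ldapverifyservercert" and args:
            verify = args[0].lower() != "off"
    if not saw_url:
        return []                     # no LDAP authentication configured
    if not encrypted:
        return ["no-tls"]             # bind password sent in clear text
    if not verify:
        return ["cert-not-verified"]  # any server certificate is accepted
    return [] if has_ca else ["no-trusted-ca"]


if __name__ == "__main__":
    for label, conf in (("no CA", NO_CA), ("verify off", VERIFY_OFF), ("CA set", CA_SET)):
        print(f"{label}: {audit_ldap_tls(conf) or 'ok'}")
```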