Apache LDAPS connections via mod_ldap work only when the LDAPVerifyServerCert directive is off


Environment

  • Red Hat Enterprise Linux 6
  • Apache configured to use TLS over port 636

Issue

  • I am trying to set up an encrypted connection, so I configured Apache to use TLS and port 636. When I set the LDAPVerifyServerCert directive to 'on', the connection failed, but when I set it to 'off', it started working. What needs to be done to make encrypted connections work with the LDAPVerifyServerCert directive enabled?

Resolution

  • Verify that the CA certificate used to sign the LDAP server's certificate has been copied to the path given by Apache's LDAPTrustedGlobalCert directive, and that the certificate is valid (readable by httpd, not expired, and in the encoding the directive's type argument declares). The mod_ldap module uses this local copy of the CA certificate to validate the server certificate presented during the TLS handshake; with LDAPVerifyServerCert 'on' and no usable CA certificate, the handshake fails and no bind is attempted.
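As an added example that is not part of the original solution, the following httpd configuration shows the weak setting from the question beside the corrected one; the hostname ldap.example.com, the base DN, the /secure location and the certificate path are assumed placeholders for your environment:

```apache
# Added example, not from the original solution. Hostname, base DN,
# location and certificate path are assumed placeholders.
#
# --- Weak configuration: the session is encrypted but the LDAP server's
# --- identity is never checked, so any host answering on 636 is trusted.
# LDAPVerifyServerCert Off
# AuthLDAPURL "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid"
#
# --- Corrected configuration ---
# LDAPTrustedGlobalCert and LDAPVerifyServerCert are global mod_ldap
# directives: place them in the main server configuration, never inside
# <VirtualHost> or <Location>. The stock RHEL 6 httpd.conf already loads
# mod_ldap and mod_authnz_ldap.

# PEM-encoded certificate of the CA that signed the LDAP server certificate.
# The type must match the file encoding: CA_BASE64 for PEM, CA_DER for DER.
# Check the file before restarting httpd, for example:
#   openssl x509 -in /etc/pki/tls/certs/ldap-ca.crt -noout -subject -enddate
#   openssl s_client -connect ldap.example.com:636 \
#       -CAfile /etc/pki/tls/certs/ldap-ca.crt
# The s_client output should end with "Verify return code: 0 (ok)".
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.crt

# On is the default; set it explicitly so a stray "Off" elsewhere stands out.
LDAPVerifyServerCert On

<Location /secure>
    AuthType Basic
    AuthName "LDAP protected area"
    AuthBasicProvider ldap
    # The hostname in the URL must match the subject/SAN of the server
    # certificate, otherwise verification fails even with the right CA.
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
    Require valid-user
</Location>
```

The commented openssl checks confirm the CA file is readable and unexpired and that it actually chains to the certificate the LDAP server presents, which is exactly what mod_ldap verifies once LDAPVerifyServerCert is on.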

Root Cause

  • A valid CA certificate is missing from the path specified by the LDAPTrustedGlobalCert directive while the LDAPVerifyServerCert directive is set to 'on', so mod_ldap cannot validate the server certificate and refuses the connection.

Diagnostic Steps

  • The following error message will appear in the Apache error log when the encrypted connection fails. Note that it reports a generic connection failure and does not mention certificates, so the CA certificate path and validity must be checked separately:
    [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.