php, edirectory, ldaps

mcguire_mr2

Hi!

I have been authenticating users via a web page that is served by Apache 1.3.28/PHP4.3.2/OpenSSL0.9.7b (built from source) and OpenLDAP2.0.27-8 (redhat rpm/up2date). My connect statement is:
-- begin code --
$host = "ldaps://ldap.server.com";
$connection = ldap_connect($host);
$binding = ldap_bind($connection, "cn=$username,ou=container,o=org", $password);
-- end code --
....where $username and $password are gathered from a form.

As mentioned, this has been working just fine.

Now, I have "duplicated" the code/configuration on a SuSE 9 box. The only way I can get it to work is by changing the $host to be "ldap" instead of "ldaps". Will not work using "ldaps". 2 biggest differences between the two boxes are (1) OS (RH works, SUSE doesn't), and (2) installed from source (mostly) on RH box, whereas I installed completely from Yast on SUSE box.

I am authenticating against Novell NetWare 6/eDirectory 8.6.2 w/ latest sp.

Here's the output of ldap_errno/ldap_error:
-- begin output --
LDAP Error: Can't contact LDAP server
LDAP Error Number: 81
-- end output --

Here's a sample of the dstrace screen on the novell server (after doing a "dstrace +ldap":
-- begin output --
Found available monitor 0x358
New SSL connection 0xcecafd80, monitor = 0x358, index = 4
Monitor 0x358 initiating handshake on connection 0xcecafd80
(0xcecafd80:0x0000:0x02) DoHandshake on connection 0xcecafd80
Monitor 0x358 continuing handshake on connection 0xcecafd80
(0xcecafd80:0x0000:0x02) DoHandshake continuation on conneciton 0xcecafd80
(0xcecafd80:0x0000:0x02) Connection 0xcecafd80 failed SSL handshake, err = 42 Check the client's certificate
Server closing connection 0xcecafd80, socket error = 42
-- end output --

I didn't intentionally do anything special on the RedHat box to get it to work...just followed the directions of each package and basically took defaults. Has anyone had this problem with Suse 9?

Thanks for the help,
mack

mcguire_mr2

Well, I seem to have fixed it. When I originally installed apache on the suse box, it had a different (fake) fqdn (suse2.domain.org, let's say). So, the original ssl certificate for apache was created for this fqdn. However, when I went live with the box, I changed it's fqdn from suse2.domain.org to something that was legit and acceptable to our DNS servers. I did not think to change the ssl cert in apache, though. However, this is still a test box, the fact that the host name didn't match the cert wasn't a big deal at the time. Nevertheless, I went out on a limb and re-created the ssl certs in apache using the new fqdn of the suse box (let's say suse1.domain.org) and now everything works.

The errors I was getting (check the client's certificate...blahblah) were very misleading. This lead me to believe that my openldap client was misconfigured or something, rather than my apache cert. I guess if your coming from an https page, then authenticating from that https page to an ldap server at ldaps://something, the actual certificate passed must be that of your https. Is this right? If so, maybe someone can re-word this post so that it makes sense and post it so everyone can see it. If not, then I'm really confused...doesn't matter, though, cause my stuff works now.