The mod_ldap module supports using TLS to talk to LDAP servers, both implicitly, and explicitly (via STARTTLS).
For implicit TLS connections (which have been deprecated in LDAP, but might still be needed), the URL format of the LDAPServer directive is needed, using the "ldaps" scheme, e.g.:
LDAPServer ldaps://ldap.example.com
And for explicit, STARTTLS-like TLS, the LDAPUseTLS directive is used, e.g.:
LDAPServer ldap://ldap.example.com
LDAPUseTLS on
So far, so good. However, if you mistakenly configure both, like so:
LDAPServer ldaps://ldap.example.com
LDAPUseTLS on
then mod_ldap will try to connect immediately using SSL/TLS, and try to do STARTTLS afterward. This will cause the connection to fail with the non-specific error:
Can't contact LDAP server
which implies a network issue -- and is completely misleading.
To prevent such confusion, I propose to modify mod_ldap so that when the "ldaps" scheme is used for an LDAPServer URL, any LDAPUseTLS directive is ignored (with a notice/warning logged about doing so). By using "ldaps", the admin is saying they want to use implicit TLS; trying to honor LDAPUseTLS (either on or off) is redundant at that point.
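As an added illustration (this is not ProFTPD code, and the sample configurations below are constructed), the following lint walks a proftpd.conf fragment, classifies what mod_ldap would try to do for the connection, and flags the ldaps:// plus "LDAPUseTLS on" combination described above as a conflict; a second function applies the proposed resolution, treating LDAPUseTLS as ignored once an ldaps:// URL is in play. It assumes that a missing LDAPUseTLS means "off" (mod_ldap's documented default) and that a bare host[:port] LDAPServer target without a URL scheme is plain ldap.

```python
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from the issue or the ProFTPD tree).
IMPLICIT_TLS = """
LDAPServer ldaps://ldap.example.com
"""
STARTTLS = """
LDAPServer ldap://ldap.example.com
LDAPUseTLS on
"""
CONFLICT = """
# Both forms at once: the case that fails with "Can't contact LDAP server".
LDAPServer ldaps://ldap.example.com
LDAPUseTLS on
"""
PLAINTEXT = """
LDAPServer ldap://ldap.example.com:389
"""


def parse_ldap_directives(conf):
    """Return (list of LDAPServer targets, LDAPUseTLS value as lowercase string).

    Only the two directives relevant here are tracked.  A missing LDAPUseTLS is
    treated as "off", which is mod_ldap's documented default.  Lines starting
    with '#' are comments; anything after a '#' is dropped (assumption: this
    lint ignores inline '#' inside quoted values).
    """
    servers = []
    use_tls = "off"
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[0].lower()          # ProFTPD directive names are case-insensitive
        if name == "ldapserver":
            servers.extend(parts[1:])     # the directive accepts several targets
        elif name == "ldapusetls" and len(parts) > 1:
            use_tls = parts[1].lower()
    return servers, use_tls


def scheme_of(target):
    """Scheme of an LDAPServer target; a bare host[:port] (no URL) is plain ldap."""
    if "://" not in target:
        return "ldap"
    return urlsplit(target).scheme.lower()


def classify_tls(conf):
    """Classify how mod_ldap would try to protect the LDAP connection.

    Returns one of:
      "none"      - no LDAPServer configured
      "implicit"  - ldaps:// URL(s), LDAPUseTLS off/absent
      "starttls"  - ldap:// URL(s) with LDAPUseTLS on
      "plaintext" - ldap:// URL(s) without LDAPUseTLS (worth a warning on its own)
      "conflict"  - ldaps:// URL(s) *and* LDAPUseTLS on: the misconfiguration above
      "mixed"     - ldap:// and ldaps:// targets in the same LDAPServer list
      "other"     - a scheme this lint does not know (e.g. ldapi://)
    """
    servers, use_tls = parse_ldap_directives(conf)
    if not servers:
        return "none"
    schemes = {scheme_of(s) for s in servers}
    if len(schemes) > 1:
        return "mixed"
    scheme = schemes.pop()
    if scheme == "ldaps":
        return "conflict" if use_tls == "on" else "implicit"
    if scheme == "ldap":
        return "starttls" if use_tls == "on" else "plaintext"
    return "other"


def effective_tls(conf):
    """Apply the behaviour the issue proposes: with an ldaps:// URL the
    LDAPUseTLS directive is ignored, so "conflict" collapses to "implicit"
    (the real change would also log a notice about the ignored directive)."""
    verdict = classify_tls(conf)
    return "implicit" if verdict == "conflict" else verdict


if __name__ == "__main__":
    for name, conf in [("implicit", IMPLICIT_TLS), ("starttls", STARTTLS),
                       ("conflict", CONFLICT), ("plaintext", PLAINTEXT)]:
        print(f"{name:10s} -> current: {classify_tls(conf):10s} "
              f"proposed: {effective_tls(conf)}")
```

Run it against a real proftpd.conf by reading the file into `classify_tls`; a "conflict" result is the configuration that currently surfaces only as the misleading "Can't contact LDAP server" error, and "plaintext" is worth flagging too, since it means credentials go to the directory unencrypted.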
… much
more graceful fashion, working as the user would expect.
Note that this also makes mod_ldap more efficient, as LDAPServer configurations
are only parsed _once_, rather than per-connect.