mod_ldap currently uses SSL to connect to an LDAP server using the ldaps:// connection scheme. It'd be nice if it also supported TLS with the ldap:// scheme. I suspect that a call to start_tls just has to be added; perhaps there could be an LDAPStartTLS httpd.conf directive to enable this? For background, the difference between TLS on ldap:// and SSL on ldaps:// is explained here: http://www.openldap.org/lists/openldap-software/200406/msg00454.html Thanks!
Created attachment 12886: add start tls to apache 2.0.51
I have gone ahead and attached a patch that is used on Apache 2.0.51 at my place of work. It adds start tls to apache 2.0.51 (the patch won't apply to 2.1.x). I can tell you that this patch works for us. Oh, it currently only works if you use OpenLDAP. It may be possible to remove the #if APR_HAS_OPENLDAP_SDK from just before the ldap_start_tls_s() and have it work with other SDKs. I really don't know and I have no means to test with other SDKs. This patch adds three new directives: LDAPStartTLS on|off, LDAPCertificateKey <path>, LDAPCertificate <path>. The last two directives are supposed to be useful if your LDAP server is set up to demand verification of clients. Somehow Apache seems to be able to auth with my LDAP server even if I don't set these directives. If anyone knows the reason why this is so please let me know. I hope this patch can be useful. It would be great if this patch or any patch that adds start tls could be included in the apache releases. Thanks.
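To make the ldap://-plus-StartTLS versus ldaps:// distinction from the bug report concrete, here is an added example (not part of this bug thread or of the attached patch) that builds the RFC 4511 StartTLS extended request, parses the server's extended response, and only then wraps the already-open socket in TLS; with ldaps:// the wrap would happen before any LDAP bytes are sent. The two response messages are constructed sample data, and the `ssl` context setup mirrors what the LDAPCertificate/LDAPCertificateKey directives would supply if the server demands a client certificate.

```python
import ssl
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 Start TLS extended operation

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.
    msg_id is kept below 128 so it fits a one-byte INTEGER."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(buf: bytes) -> dict:
    """Parse ExtendedResponse [APPLICATION 24] down to resultCode and diagnosticMessage."""
    _, msg, _ = read_tlv(buf, 0)
    _, mid, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(body, 0)       # resultCode ENUMERATED
    _, _dn, pos = read_tlv(body, pos)      # matchedDN (ignored here)
    _, diag, _ = read_tlv(body, pos)       # diagnosticMessage
    return {"msg_id": mid[0], "result": code[0], "diag": diag.decode()}

def upgrade_to_tls(sock: socket.socket, ctx: ssl.SSLContext, host: str) -> ssl.SSLSocket:
    """ldap:// + StartTLS: plaintext request first, then TLS on the same socket."""
    sock.sendall(starttls_request(1))
    resp = parse_extended_response(sock.recv(4096))
    if resp["result"] != 0:                # anything but success: do not continue in clear
        raise ConnectionError(f"StartTLS refused: {resp['result']} {resp['diag']}")
    return ctx.wrap_socket(sock, server_hostname=host)  # ldaps:// would wrap before any LDAP I/O

# Constructed sample responses: success, and protocolError (2) with a diagnostic.
def _resp(code: int, diag: bytes) -> bytes:
    body = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag) + tlv(0x8A, STARTTLS_OID)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, body))

SAMPLE_OK, SAMPLE_REFUSED = _resp(0, b""), _resp(2, b"TLS not supported")
```

A verifying context such as `ssl.create_default_context(cafile=...)` with `ctx.load_cert_chain(certfile, keyfile)` is the Python counterpart of the patch's certificate directives; the client certificate is only consulted when the server actually asks for one.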
The SSL code in httpd v2.1 and apr v1.1 has been overhauled to support SSL, TLS and client certificates (depending on whether the underlying toolkit can do so). The configuration options have been changed to accommodate this, and are documented in httpd v2.1. Can you test whether httpd v2.1 works correctly and reopen this bug report if not?