I'm trying to get ldaps authentication working with Active Directory,
Apache 2.2, mod_authnz_ldap and Suse OES 10. The current setup works with
unencrypted ldap.

I'm running into trouble with how to work the certificates.

In my /etc/apache2/default-server.conf I've added the following:

########
# Added for ldap certs
LDAPTrustedGlobalCert CA_DER /etc/apache2/ssl.crt/server.crt
LDAPTrustedClientCert CERT_BASE64 /etc/apache2/ldapcerts/duncanstreet.cer
LDAPVerifyServerCert ON

and set AllowOverride All.

The server.crt is the apache2 certificate; duncanstreet.cer is the
certificate (der) exported from the Windows 2003 Certificate Management
utility.

I attempted to put in the LDAPTrustedClientCert line in the .htaccess
file, but apache2 complained.

In the directory where I've restricted access I have a .htaccess file with:

AuthzLDAPAuthoritative On
AuthName "Hidden Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org"
AuthLDAPBindPassword "password"
AuthLDAPURL ldaps://serverd01.halifax.ns.canplace.org/CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org?sAMAccountName
require ldap-group cn=restrict,CN=users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org

When accessing the page, I get prompted for username and password, then a
server error. The apache error log reads like so:

[Thu Apr 26 18:52:53 2007] [debug] mod_authnz_ldap.c(373): [client 192.168.83.164] [5854] auth_ldap authenticate: using URL ldaps://serverd01.halifax.ns.canplace.org/CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org?sAMAccountName
[Thu Apr 26 18:52:53 2007] [debug] mod_authnz_ldap.c(373): [client 192.168.83.164] [5854] auth_ldap authenticate: using URL ldaps://serverd01.halifax.ns.canplace.org/CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org?sAMAccountName
[Thu Apr 26 18:52:53 2007] [debug] mod_authnz_ldap.c(373): [client 192.168.83.164] [5854] auth_ldap authenticate: using URL ldaps://serverd01.halifax.ns.canplace.org/CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org?sAMAccountName
[Thu Apr 26 18:52:53 2007] [debug] mod_authnz_ldap.c(373): [client 192.168.83.164] [5854] auth_ldap authenticate: using URL ldaps://serverd01.halifax.ns.canplace.org/CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org?sAMAccountName
[Thu Apr 26 18:52:53 2007] [debug] mod_authnz_ldap.c(373): [client 192.168.83.164] [5854] auth_ldap authenticate: using URL ldaps://serverd01.halifax.ns.canplace.org/CN=Users,DC=duncanstreet,DC=halifax,DC=ns,DC=canplace,DC=org?sAMAccountName
[Thu Apr 26 18:52:53 2007] [warn] [client 192.168.83.164] [5854] auth_ldap authenticate: user symss authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

I suspect that the certificates are set up improperly. Has anyone stepped
through this before? Any help would be appreciated.

tks

S
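A check worth running before chasing the "Can't contact LDAP server" error further, added here as an example and not part of the post above: in mod_authnz_ldap the type keyword on LDAPTrustedGlobalCert / LDAPTrustedClientCert (CA_DER, CA_BASE64, CERT_DER, CERT_BASE64, ...) must describe the encoding the file actually has, and the post pairs a DER export with CERT_BASE64 and an Apache server certificate (normally PEM) with CA_DER. The script sniffs each referenced file and reports mismatches; the paths are the post's, the file contents and the read_sample stand-in are constructed.

```python
# Added check, not from the post: does the type keyword in each LDAPTrusted*Cert
# directive match the encoding of the file it names? (apr-util plain file types only)
import re

DECLARED_ENCODING = {"CA_DER": "DER", "CA_BASE64": "PEM", "CERT_DER": "DER",
                     "CERT_BASE64": "PEM", "KEY_DER": "DER", "KEY_BASE64": "PEM"}
DIRECTIVE_RE = re.compile(
    r"^\s*(LDAPTrustedGlobalCert|LDAPTrustedClientCert)\s+(\S+)\s+(\S+)", re.I)

def sniff_encoding(data: bytes) -> str:
    """PEM: base64 text in -----BEGIN/END----- armour. DER: ASN.1 SEQUENCE tag 0x30."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"

def check_directives(config_text: str, read_file) -> list:
    """Return (directive, path, problem) for every directive whose declared type does not
    match its file. read_file(path) -> bytes is injected; for real files pass
    lambda p: open(p, "rb").read()."""
    problems = []
    for m in filter(None, map(DIRECTIVE_RE.match, config_text.splitlines())):
        directive, kind, path = m.group(1), m.group(2).upper(), m.group(3)
        expected = DECLARED_ENCODING.get(kind)
        if expected is None:  # *_DB, *_PFX, *_NICKNAME: not a plain file, skipped
            continue
        try:
            actual = sniff_encoding(read_file(path))
        except OSError as exc:
            problems.append((directive, path, f"cannot read file: {exc}"))
            continue
        if actual != expected:
            problems.append((directive, path, f"declared {kind} ({expected}) but file looks like {actual}"))
    return problems

# Constructed sample mirroring the post: server.crt is a PEM Apache SSL certificate but is
# declared CA_DER; the DER export from the Windows CA is declared CERT_BASE64.
SAMPLE_CONFIG = """LDAPTrustedGlobalCert CA_DER /etc/apache2/ssl.crt/server.crt
LDAPTrustedClientCert CERT_BASE64 /etc/apache2/ldapcerts/duncanstreet.cer
LDAPVerifyServerCert ON"""
SAMPLE_FILES = {"/etc/apache2/ssl.crt/server.crt": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
                "/etc/apache2/ldapcerts/duncanstreet.cer": b"\x30\x82\x03\x0a\x30\x82\x01\xf2"}

def read_sample(path: str) -> bytes:
    # Stand-in for the filesystem; raises the same OSError subclass a missing file would.
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]
```

The CA_* file on LDAPTrustedGlobalCert should be the certificate of the CA that issued the domain controller's certificate, not Apache's own server certificate, and LDAPVerifyServerCert On is the setting to keep while sorting this out. Which keywords the LDAP SDK behind apr-util accepts varies, so a type the SDK rejects is itself a plausible cause of the failure.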