<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Unfortunately, I am still having problems with this. Here is what my error_log says:<div class=""><br class=""></div><div class="">[Mon Feb 02 17:01:51 2015] [info] APR LDAP: Built with OpenLDAP LDAP SDK<br class="">[Mon Feb 02 17:01:51 2015] [info] LDAP: SSL support unavailable: LDAP: SSL/TLS ldapssl_client_init() function not supported by this Netscape/Mozilla/Solaris SDK. Certificate authority file not set</div><div class=""><br class=""></div><div class="">What exactly is this telling me - that SSL support is unavailable even though the previous line shows that the APR is built with OpenLDAP SDK? Or is it not supported because there is a problem with my trusted certificate file?<br class=""><br class="">I’ve tested my trusted certificate using openssl:</div><div class=""># /opt/csw/bin/openssl verify ssl/crt/ldapservr.crt<br class="">ssl/crt/retronight.crt: C = US, postalCode = 53706, ST = WI, L = Madison, street = 1210 West Dayton Street, O = University of Wisconsin-Madison, OU = OCIS, CN = <a href="http://retronight.primate.wisc.edu" class="">retronight.primate.wisc.edu</a><br class="">error 20 at 0 depth lookup:unable to get local issuer certificate<br class=""><br class=""></div><div class="">Is this the cause of the “Certificate authority file not set”?</div><div class="">When I query the openldap server I get “self signed certificate in the certificate chain”. Is this the problem (see below)? Is there a way to append the chains together into an LDAPTrustedGlobalCert file that will work? I’ve tried verifying the three certificates with openssl but can only get “Ok” if I put an “untrusted” after the first file, i.e. 
/opt/csw/bin/openssl verify -CAfile ssl/crt/incommonroot.crt -untrusted ssl/crt/intermediate.crt ssl/crt/ldapserver.crt.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""># /opt/csw/bin/openssl s_client -connect <a href="http://retronight.primate.wisc.edu" class="">retronight.primate.wisc.edu</a>:636 -showcerts<br class="">CONNECTED(00000004)<br class="">depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root<br class="">verify error:num=19:self signed certificate in certificate chain<br class="">verify return:0<br class="">---<br class="">Certificate chain<br class=""> 0 s:/C=US/postalCode=53706/ST=WI/L=Madison/street=1210 West Dayton Street/O=University of Wisconsin-Madison/OU=OCIS/CN=<a href="http://retronight.primate.wisc.edu" class="">retronight.primate.wisc.edu</a><br class="">   i:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA<br class=""> 1 s:/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA<br class="">   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br class=""> 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br class="">   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root<br class="">---<br class="">Server certificate<br class="">subject=/C=US/postalCode=53706/ST=WI/L=Madison/street=1210 West Dayton Street/O=University of Wisconsin-Madison/OU=OCIS/CN=<a href="http://retronight.primate.wisc.edu" class="">retronight.primate.wisc.edu</a><br class="">issuer=/C=US/O=Internet2/OU=InCommon/CN=InCommon Server CA<br class="">---<br class="">No client certificate CA names sent</div><div class="">…<br class="">DONE</div><div 
class=""><br class=""></div><div class=""><br class=""><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On Jan 31, 2015, at 7:51 AM, Tom Lynch &lt;<a href="mailto:tlynch@primate.wisc.edu" class="">tlynch@primate.wisc.edu</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dago,<div class=""><br class=""></div><div class="">Thanks for the response. The paths were correct but there was a misconfiguration in my httpd-ssl.conf file that caused the problem.</div><div class=""><br class=""></div><div class="">Tom<br class=""><div class=""><div class="">On Jan 30, 2015, at 11:01 AM, Dagobert Michelsen &lt;<a href="mailto:dam@opencsw.org" class="">dam@opencsw.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite" class=""><div style="font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">Hi Tom,<br class=""><br class=""><blockquote type="cite" class="">On 30.01.2015 at 17:52, Tom Lynch &lt;<a href="mailto:tlynch@primate.wisc.edu" class="">tlynch@primate.wisc.edu</a>&gt; wrote:<br class=""><br class="">After upgrading Solaris and opencsw, Apache2 no longer is able to authenticate against my openldap server. 
I get:<br class=""><br class="">[Fri Jan 30 09:19:34 2015] [info] [client 192.168.0.21] [5973] auth_ldap authenticate: user authentication failed; URI /staff [LDAP: SSL/TLS is not supported by this version of the Netscape/Mozilla/Solaris SDK][Can't contact LDAP server]<br class=""><br class="">I configured the site several years ago so am a little foggy on what I originally did to get it to work. Not sure where to go next.<br class=""><br class="">I’m using the csw apache2 build, shouldn’t it be using the correct SDK, apache apr is installed, or is there something I’m missing?<br class=""></blockquote><br class="">I guess you have to revise your httpd.conf, the LDAP authentication and especially OpenSSL has changed<br class="">considerably in the last years. Look for mod_ldap in httpd.conf and see if all paths still match.<br class=""><br class=""><br class="">Best regards<br class=""><br class=""> — Dago<br class=""><br class="">--<span class="Apple-converted-space"> </span><br class="">"You don't become great by trying to be great, you become great by wanting to do something,<br class="">and then doing it so hard that you become great in the process." - xkcd #896</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></body></html>