Using Auth.php which everyone should have, authenticating with Active Directory is pretty simple. I’ve tried this on an OpenLDAP directory and AD.

So now I know this certificate is blessed by my client, I can try to use it to connect. But let’s say I try to use a self-signed certificate or another cert that’s not trusted… And using a self-signed certificate, you should see something like this… If it’s a trust issue, perhaps the certificate is valid, but it just can’t find the CA or intermediate certificate… But, if everythings working correctly, your client should connect just fine. And it will look something like this, with a big fat Verify return code: 0 (ok) at the end.

Check iptables or other firewall applications running on that machine. If ldap traffic is being blocked, this could be causing it to hang. That’s what happened to me. I changed the firewall rules and forgot to add the ldaps rule and it broke. I could work around it by hitting “i” while booting and it would go into Interactive mode and allow me to say No to the MessageBus service. Everything else came up fine in runlevels 3 and 5, but it would always hang when loading the dbus app.

Enabling LDAP authentication should take you about 2 minutes, unless you type with just 2 fingers. Then maybe 3 or 4. …If you don’t allow anonymous connections to your ldap, give it a user/password combination that has enough privs to do the lookups, or just use your master account if you’re just testing or don’t really care. … Now tell it what parts of your webserver you want to protect and how. You can specify any string you’d like for the realm. Here I require an LDAP user account name and password just to get to the wiki main page, and only admin can see the server-config page… Restart lighttpd and you’re done.

I wouldn’t do it this way for a production network, but i’ve set up similar configurations for testing in vmware, in a research environment, and in a production environment.  So instead of a step by step, here’s a quick run through… It should clear up some of the missing pieces …

This doesn’t have to be complicated at all.  This was what I did on my ldap servers:
[user@ldap-primary /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-primary.pem -keyout ldap-primary.pem -days 3650
[user@ldap-slave1 /etc/openldap/cacerts ]$ sudo openssl req -newkey rsa:1024 -x509 -nodes -out ldap-slave1.pem -keyout ldap-slave1.pem -days 3650
That’s it!  No messing …