LX0-104 · Question #183
When using the auth_ldap module with Apache 1.3, the log displays several messages containing "protocol error". Which of the following steps should be followed to fix the problem?
The correct answer is A. AuthLDAPStartTLS must be set to on.. An Apache auth_ldap module reporting 'protocol error' when connecting to LDAP often indicates a failed attempt at secure communication, which can be resolved by enabling AuthLDAPStartTLS in the Apache configuration.
Question
Options
- AAuthLDAPStartTLS must be set to on.
- BLDAPv2 should be disallowed.
- CLDAPv3 should be allowed.
- DThe Apache module must be turned on in slapd.conf.
- EThe apache_auth.schema must be included in slapd.conf.
How the community answered
(62 responses)- A79% (49)
- B10% (6)
- C3% (2)
- D2% (1)
- E6% (4)
Why each option
An Apache `auth_ldap` module reporting 'protocol error' when connecting to LDAP often indicates a failed attempt at secure communication, which can be resolved by enabling `AuthLDAPStartTLS` in the Apache configuration.
Protocol error in the context of auth_ldap often indicates a failure in establishing a secure connection or a mismatch in expected security protocols. Setting AuthLDAPStartTLS to on forces the Apache module to use the StartTLS extended operation, upgrading an insecure LDAP connection to a secure TLS connection, which can resolve protocol negotiation issues if the server expects or requires TLS.
Disallowing LDAPv2 is a general best practice for security but does not directly address a 'protocol error' that might stem from TLS negotiation issues, as both v2 and v3 can experience such errors.
LDAPv3 is the modern, preferred protocol, but simply 'allowing' it does not resolve a specific 'protocol error' if the underlying issue is TLS negotiation, which is a separate mechanism.
The Apache module is configured in Apache's configuration files (e.g., httpd.conf), not in slapd.conf, which is the configuration for the OpenLDAP server itself.
The apache_auth.schema is an LDAP schema definition, not an Apache module configuration setting, and its inclusion in slapd.conf (if it were relevant) would not directly cause or fix an Apache-side 'protocol error' related to connection establishment.
Concept tested: Apache auth_ldap TLS/StartTLS configuration
Source: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html
Topics
Community Discussion
No community discussion yet for this question.