[phpwiki]
weblogin.ac.uab.edu is now using ldaps to access the LDAP service for authentication. Serveral problems existed which had prevented this from working. The default libldap2 binary on debian woody 2.4 is not built with tls enabled. This was the main problem. The fix was to rebuild the openssl source package on the debian build box:
apt-get source libldap2
cd openldap-2.0.23
dpkg-buildpackage -uc -b
and then install resluting libldap2.deb file on weblogin
dpkg -i libldap2-2.0.23.deb
The next step is to tell libldap where to find the trust definition for the UAB ldap SSL interface. This requires the Equifax root. Put that in /usr/lib/ssl/cert/ca-bundle.crt. The location is defined in /etc/ldap/ldap.conf with the values TLS_CACERT (for the bundle file) and TLS_CACERT_DIR (for the hash based files). While I prefer the later only the TLS_CACERT file option seemed to work.
The pubcookie config was changed to using an ldaps: URI instead of ldap:.
