Re: Failure authing against LDAPS, web server tearing down connections

On Fri, Aug 5, 2011 at 7:28 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>> The below packet logs show that when the Apache server attempts to
>> bind to LDAPS, it successfully establishes the TCP connection to port
>> 636 (syn, syn-ack, ack) and then immediately tears down the connection
>> (fin-ack, ack, fin-ack, ack). This cycle repeats 7 times in extremely
>> quick succession (0.01 s) with no higher-layer payload being
>> transferred; the Apache server does not even move into SSL/TLS
>> negotiation. The 7 connect => teardown actions seem to correspond to
>> the 7 log events. The final log message "Can't contact LDAP server" is
>> ironic given that the Apache server itself does not go to SSL and
>> initiates the connection teardown instead.
>
> There's a tiny module that lets you turn on LDAP_OPT_DEBUG which might
> reveal why the LDAP library is returning an error before seemingly
> even handshaking on the connection
>
> http://people.apache.org/~covener/ldap/

Beautiful. Love the module. :)

Sure enough,

ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP [redacted]:636
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying 10.30.19.20:636
ldap_connect_timeout: fd: 22 tm: 10 async: 0
ldap_ndelay_on: 22
ldap_is_sock_ready: 22
ldap_ndelay_off: 22
TLS: could not load verify locations
(file:`/etc/pki/tls/certs/foosomesuch.crt',dir:`/etc/openldap/cacerts').

A look at ldap.conf on the host reveals a configuration that's...
iffy. Reverting ldap.conf to defaults results in success.

Thanks for the recommendation!

-- 
Darren Spruell
phatbuckett@xxxxxxxxx
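The debug trace above stops at "TLS: could not load verify locations" before any handshake, because libldap hands TLS_CACERT and TLS_CACERTDIR from ldap.conf to OpenSSL and gives up when they cannot be loaded. The following pre-flight check is an added example for readers of this thread, not code from the original posters or from the OpenLDAP project: it reads those two keys from an ldap.conf you name and reports paths that are missing, unreadable, or (for TLS_CACERT) not a PEM certificate. The function name, the sample file contents and the suggested file name are constructed for the example.

```shell
#!/bin/sh
# Pre-flight check for the OpenLDAP client TLS verify locations, written to
# mirror the "TLS: could not load verify locations (file:...,dir:...)" message.
# Constructed example, not part of the original thread.

# check_ldap_conf_tls <path to ldap.conf>
# Prints one line per problem found. Returns 0 when every configured location
# is usable, 1 when at least one is not, 2 when the file cannot be read.
check_ldap_conf_tls() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Keys in ldap.conf are case-insensitive and whitespace-separated;
    # comment lines start with '#' and never match. Last occurrence wins.
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {print $2}' "$conf" | tail -n 1)
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR" {print $2}' "$conf" | tail -n 1)

    if [ -n "$cacert" ]; then
        if [ ! -r "$cacert" ]; then
            # This is the case OpenSSL itself rejects, producing the message above.
            echo "TLS_CACERT $cacert: not a readable file"; rc=1
        elif command -v openssl >/dev/null 2>&1 &&
             ! openssl x509 -in "$cacert" -noout >/dev/null 2>&1; then
            echo "TLS_CACERT $cacert: not a PEM certificate"; rc=1
        fi
    fi

    if [ -n "$cacertdir" ]; then
        # OpenSSL only records the directory at load time; a missing or empty
        # directory verifies nothing, so this check is stricter than libldap.
        if [ ! -d "$cacertdir" ]; then
            echo "TLS_CACERTDIR $cacertdir: not a directory"; rc=1
        elif ! ls "$cacertdir"/*.0 >/dev/null 2>&1; then
            echo "TLS_CACERTDIR $cacertdir: no <subject-hash>.0 entries (run openssl rehash)"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh check_ldap_tls.sh /etc/openldap/ldap.conf
[ $# -eq 0 ] || check_ldap_conf_tls "$1"
```

Run it on the host before restarting httpd; a clean exit means the verify locations at least load, which is the step the trace above never got past. It does not prove the CA actually signed the directory server's certificate, so a subsequent `ldapsearch -H ldaps://...` bind is still the real test.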

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
