On Fri, Aug 5, 2011 at 7:28 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>> The below packet logs show that when the Apache server attempts to
>> bind to LDAPS, it successfully establishes the TCP connection to port
>> 636 (syn, syn-ack, ack) and then immediately tears down the connection
>> (fin-ack, ack, fin-ack, ack). This cycle repeats 7 times in extremely
>> quick succession (0.01 s) with no higher-layer payload being
>> transferred; the Apache server does not even move into SSL/TLS
>> negotiation. The 7 connect => teardown actions seem to correspond to
>> the 7 log events. The final log message "Can't contact LDAP server" is
>> ironic given that the Apache server itself does not go to SSL and
>> initiates the connection teardown instead.
>
> There's a tiny module that lets you turn on LDAP_OPT_DEBUG which might
> reveal why the LDAP library is returning an error before seemingly
> even handshaking on the connection
>
> http://people.apache.org/~covener/ldap/

Beautiful. Love the module. :)

Sure enough,

ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP [redacted]:636
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying 10.30.19.20:636
ldap_connect_timeout: fd: 22 tm: 10 async: 0
ldap_ndelay_on: 22
ldap_is_sock_ready: 22
ldap_ndelay_off: 22
TLS: could not load verify locations (file:`/etc/pki/tls/certs/foosomesuch.crt',dir:`/etc/openldap/cacerts').

A look at ldap.conf on the host reveals a configuration that's... iffy.
Reverting ldap.conf to defaults results in success.

Thanks for the recommendation!

--
Darren Spruell
phatbuckett@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
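The thread above ends with the root cause: libldap's TLS layer could not load the CA verify locations named in ldap.conf (TLS_CACERT / TLS_CACERTDIR), so the client closed the socket before the TLS handshake and Apache reported the generic "Can't contact LDAP server". The following is an added example, not code from the thread, the Apache project, or Eric Covener's debug module. It does two things a practitioner would want before (or after) enabling LDAP_OPT_DEBUG: a pre-flight check that the trust-anchor paths configured in ldap.conf actually exist on disk, and a small parser that pulls the offending file/dir out of libldap debug output so the failure can be surfaced in monitoring. The sample ldap.conf and debug lines are constructed for the example; the certificate path and IP address are the placeholder values quoted in the thread, and the `exists` parameter is an injectable hook (an assumption of this example) so the check can run without touching the real filesystem.

```python
import os
import re

# Constructed sample ldap.conf resembling the "iffy" configuration described in
# the thread: TLS_CACERT names a certificate file that does not exist on disk.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed sample, not the poster's real file)
URI ldaps://ldap.example.invalid:636
BASE dc=example,dc=invalid
TLS_CACERT /etc/pki/tls/certs/foosomesuch.crt
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""

# Constructed sample of libldap LDAP_OPT_DEBUG output, modelled on the lines
# quoted in the thread.
SAMPLE_DEBUG_LOG = """\
ldap_connect_to_host: Trying 10.30.19.20:636
ldap_connect_timeout: fd: 22 tm: 10 async: 0
ldap_is_sock_ready: 22
TLS: could not load verify locations (file:`/etc/pki/tls/certs/foosomesuch.crt',dir:`/etc/openldap/cacerts').
"""

# Matches the OpenLDAP TLS diagnostic and captures the two configured locations.
VERIFY_LOC_RE = re.compile(
    r"TLS: could not load verify locations \(file:`(?P<file>[^']*)',dir:`(?P<dir>[^']*)'\)"
)

TRUST_KEYS = ("TLS_CACERT", "TLS_CACERTDIR")


def parse_ldap_conf(text):
    """Return the TLS_CACERT / TLS_CACERTDIR settings found in ldap.conf text.

    ldap.conf keys are case-insensitive and separated from their value by
    whitespace; blank lines and '#' comments are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].strip()
        if key in TRUST_KEYS:
            settings[key] = value
    return settings


def check_trust_anchors(settings, exists=os.path.exists):
    """Return [(key, path), ...] for configured verify locations missing on disk.

    `exists` is injectable (hypothetical hook for this example) so the check can
    be exercised against a fake filesystem; by default it consults the real one.
    """
    missing = []
    for key in TRUST_KEYS:
        path = settings.get(key)
        if path and not exists(path):
            missing.append((key, path))
    return missing


def find_verify_location_errors(debug_output):
    """Extract (file, dir) pairs from libldap debug lines that report a failure
    to load the TLS verify locations. An empty list means no such failure."""
    hits = []
    for line in debug_output.splitlines():
        m = VERIFY_LOC_RE.search(line)
        if m:
            hits.append((m.group("file"), m.group("dir")))
    return hits


if __name__ == "__main__":
    # Fake filesystem: only the cacerts directory exists, the .crt file does not.
    fake_fs = {"/etc/openldap/cacerts"}
    settings = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for key, path in check_trust_anchors(settings, exists=fake_fs.__contains__):
        print(f"ldap.conf {key} points at a missing path: {path}")
    for crt, cadir in find_verify_location_errors(SAMPLE_DEBUG_LOG):
        print(f"libldap could not load verify locations: file={crt} dir={cadir}")
```

Running the pre-flight check against the real ldap.conf (for example `check_trust_anchors(parse_ldap_conf(open('/etc/openldap/ldap.conf').read()))`) flags exactly the class of misconfiguration the thread describes before Apache ever attempts the LDAPS bind; the debug-output parser is useful when the failure only shows up after enabling LDAP_OPT_DEBUG, since the library-level message is far more specific than the "Can't contact LDAP server" that reaches the Apache error log.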