Re: How to debug the certificate chain processing within Apache for an LDAPS connection?

Have you confirmed you can contact the LDAP server over LDAPS from any other system?
I use Apache Directory Studio ( http://directory.apache.org/studio/ ) for this.

You could also use Wireshark or a similar program to make sure the connection is actually going through.

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jan 21, 2014 11:06 AM, "Peter Donaghy" <peter.donaghy@xxxxxxxxxxxxxx> wrote:
Dear Apache users,

I am trying to debug an error in an Apache LDAPS connection, against Windows Active Directory: 

[authnz_ldap:info] [pid 14680270:tid 515] [client 172.24.12.217:52072] AH01695: auth_ldap authenticate: user pdonaghy authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]

Many entries for this error point to a problem with the certificate chain. But as far as I can see, the certificate chain is valid - I have checked it using openssl s_client.  I have also disabled the Apache certification validation:     LDAPVerifyServerCert off

I have setup detailed logging in Apache:  LDAPLibraryDebug 7   and     LogLevel debug    but I am still not getting the detailed cause of the error.  For example: 

** ld 3048d718 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 3048d718 request count 1 (abandoned 0)
** ld 3048d718 Response Queue:
   Empty
  ld 3048d718 response count 0
ldap_chkResponseList ld 3048d718 msgid 1 all 0
ldap_chkResponseList returns ld 3048d718 NULL
ldap_int_select
read1msg: ld 3048d718 msgid 1 all 0
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
ldap_create
[Tue Jan 21 12:57:46.650655 2014] [ldap:debug] [pid 15335652:tid 772] util_ldap.c(370): AH01278: LDAP: Setting referrals to Off.
ldap_err2string
[Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 15335652:tid 772] [client 172.24.13.177:64607] AH01695: auth_ldap authenticate: user dgfd authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]

Does anyone know of a way to get further debug information about the certificate chain processing within Apache?

The OS is Aix 7.1, and the opensource components are as follows:

apr-1.4.8-1
apr-devel-1.4.8-1
apr-util-1.5.2-1
apr-util-db4-1.5.2-1
apr-util-freetds-1.5.2-1
apr-util-gdbm-1.5.2-1
apr-util-ldap-1.5.2-1
apr-util-odbc-1.5.2-1
apr-util-sqlite-1.5.2-1
httpd-2.4.7-1
mod_ssl-2.4.7-1
openssl-1.0.1e-2
openssl-devel-1.0.1e-2
openssl-doc-1.0.1e-2
openldap-2.4.23-0.3
openldap-clients-2.4.23-0.3


Thank you for any help. 
Peter Donaghy.

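The check both messages reach for (confirm the LDAPS handshake and chain from outside Apache), as an added example that is not part of either message in the thread. It wraps openssl s_client, which the original poster already used, and reads the "Verify return code" line so that a failed ldap_simple_bind() can be separated into two different failures: the TLS handshake never completing at all, or the handshake completing but the chain being rejected. Host name, port, CA path and the sample transcript are assumptions constructed for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): exercise an LDAPS endpoint with
# openssl s_client and turn its "Verify return code" into a verdict, so a
# failing ldap_simple_bind() can be split into "TLS never completed" versus
# "chain rejected". Host, port and CA path below are hypothetical defaults.

LDAP_HOST="${LDAP_HOST:-dc01.example.com}"       # assumption: your domain controller
LDAP_PORT="${LDAP_PORT:-636}"                    # LDAPS; 389 would need -starttls ldap
CA_FILE="${CA_FILE:-/etc/ssl/corp-root-ca.pem}"  # assumption: the AD CA chain (PEM)

# Full TLS handshake against the server, stdin closed so s_client exits at once.
ldaps_handshake() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -showcerts </dev/null 2>&1
}

# Numeric code from the last "Verify return code:" line; "none" if the
# transcript never got that far (TCP refused, protocol/cipher mismatch, ...).
verify_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -n "$code" ]; then printf '%s\n' "$code"; else printf 'none\n'; fi
}

# Number of certificates the server presented (leaf first). A domain
# controller often sends only the leaf, so the CA file must carry every issuer.
chain_length() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# One-word verdict keyed on OpenSSL's X509_V_ERR_* numbers.
chain_verdict() {
    case "$(verify_code "$1")" in
        none)  echo handshake_failed ;;
        0)     echo ok ;;
        10)    echo expired ;;          # X509_V_ERR_CERT_HAS_EXPIRED
        18|19) echo untrusted_root ;;   # self-signed leaf / self-signed in chain
        20|21) echo missing_issuer ;;   # no local issuer / cannot verify first cert
        *)     echo other ;;
    esac
}

# Constructed sample transcript (what s_client prints when the AD CA is
# not in -CAfile); the base64 bodies are placeholders, not real certificates.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
depth=1 DC = com, DC = example, CN = corp-root-ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=dc01.example.com
   i:/DC=com/DC=example/CN=corp-root-ca
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 1 s:/DC=com/DC=example/CN=corp-root-ca
   i:/DC=com/DC=example/CN=corp-root-ca
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Human-readable summary of a transcript.
report() {
    printf 'certificates sent: %s\nverdict: %s\n' "$(chain_length "$1")" "$(chain_verdict "$1")"
}

# Offline run on the constructed sample. Against a real domain controller use:
#   report "$(ldaps_handshake "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE")"
report "$SAMPLE_TRANSCRIPT"
```

Two things to read off the verdict. A result of handshake_failed means openssl never reached certificate verification, which is consistent with "Can't contact LDAP server" persisting even after LDAPVerifyServerCert off: the chain is then not what is failing, and the transport (port, TLS protocol or cipher negotiation with the domain controller) is the place to look, which is where the Wireshark suggestion in the reply applies. A result of untrusted_root or missing_issuer is the chain case; the fix on the Apache side is to give mod_ldap the CA via LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.pem and then set LDAPVerifyServerCert back to on. Leaving it off is not a harmless debugging aid: a simple bind sends the user's password inside that TLS session, and without server verification anyone who can terminate the connection in front of the directory collects every password Apache authenticates.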

