httpd-users mailing list archives

From Darren Spruell <phatbuck...@gmail.com>
Subject Re: [users@httpd] Failure authing against LDAPS, web server tearing down connections
Date Wed, 10 Aug 2011 01:57:53 GMT
On Fri, Aug 5, 2011 at 7:28 PM, Eric Covener <covener@gmail.com> wrote:
>> The below packet logs show that when the Apache server attempts to
>> bind to LDAPS, it successfully establishes the TCP connection to port
>> 636 (syn, syn-ack, ack) and then immediately tears down the connection
>> (fin-ack, ack, fin-ack, ack). This cycle repeats 7 times in extremely
>> quick succession (0.01 s) with no higher-layer payload being
>> transferred; the Apache server does not even move into SSL/TLS
>> negotiation. The 7 connect => teardown actions seem to correspond to
>> the 7 log events. The final log message "Can't contact LDAP server" is
>> ironic given that the Apache server itself does not go to SSL and
>> initiates the connection teardown instead.
>
> There's a tiny module that lets you turn on LDAP_OPT_DEBUG which might
> reveal why the LDAP library is returning an error before seemingly
> even handshaking on the connection
>
> http://people.apache.org/~covener/ldap/

Beautiful. Love the module. :)

Sure enough,

ldap_create
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP [redacted]:636
ldap_new_socket: 22
ldap_prepare_socket: 22
ldap_connect_to_host: Trying 10.30.19.20:636
ldap_connect_timeout: fd: 22 tm: 10 async: 0
ldap_ndelay_on: 22
ldap_is_sock_ready: 22
ldap_ndelay_off: 22
TLS: could not load verify locations
(file:`/etc/pki/tls/certs/foosomesuch.crt',dir:`/etc/openldap/cacerts').

A look at ldap.conf on the host reveals a configuration that's...
iffy. Reverting ldap.conf to defaults results in success.

Thanks for the recommendation!

-- 
Darren Spruell
phatbuckett@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
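The "TLS: could not load verify locations" line above comes from the client's ldap.conf pointing TLS_CACERT / TLS_CACERTDIR at locations the library cannot use, which the LDAP client reports as an error before any TLS handshake is sent. The following is an added check script, not code from the thread or from the module linked above; it assumes OpenLDAP's ldap.conf syntax (one `KEY value` per line, `#` comments), that a usable TLS_CACERT is a readable PEM file, and that a usable TLS_CACERTDIR contains OpenSSL-style hashed links (`<8 hex>.N`). The function name `check_ldap_tls_conf` is mine.

```shell
#!/bin/sh
# check_ldap_tls_conf: verify that the TLS verify locations named in an
# OpenLDAP client ldap.conf exist and look usable, so that a misconfigured
# TLS_CACERT (e.g. /etc/pki/tls/certs/foosomesuch.crt in the thread) is
# caught before mod_authnz_ldap reports "Can't contact LDAP server".
# Usage: check_ldap_tls_conf /etc/openldap/ldap.conf
# Returns 0 when every configured location is usable, 1 otherwise.
check_ldap_tls_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Keys are case-insensitive; take the last occurrence, as the library does.
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf" | tail -n 1)
    cacertdir=$(awk 'toupper($1)=="TLS_CACERTDIR"{print $2}' "$conf" | tail -n 1)
    if [ -n "$cacert" ]; then
        if [ ! -r "$cacert" ]; then
            echo "TLS_CACERT $cacert: missing or unreadable" >&2; rc=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cacert"; then
            echo "TLS_CACERT $cacert: no PEM certificate found" >&2; rc=1
        fi
    fi
    if [ -n "$cacertdir" ]; then
        if [ ! -d "$cacertdir" ]; then
            echo "TLS_CACERTDIR $cacertdir: not a directory" >&2; rc=1
        elif ! ls "$cacertdir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            # Without hashed links the library cannot look CAs up by subject.
            echo "TLS_CACERTDIR $cacertdir: no hashed CA links (run c_rehash / openssl rehash)" >&2; rc=1
        fi
    fi
    if [ -z "$cacert$cacertdir" ]; then
        echo "no TLS_CACERT/TLS_CACERTDIR configured; library defaults apply" >&2
    fi
    return $rc
}

# Run directly against the file given on the command line, if any.
if [ $# -gt 0 ]; then
    check_ldap_tls_conf "$1"
fi
```

A non-zero exit with the reason on stderr is the same condition the LDAP_OPT_DEBUG trace showed, found without needing a packet capture.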

