httpd-users mailing list archives

From Peter Donaghy <peter.dona...@waitrose.co.uk>
Subject [users@httpd] How to debug the certificate chain processing within Apache for an LDAPS connection?
Date Tue, 21 Jan 2014 16:06:22 GMT

Dear Apache users,

I am trying to debug an error in an Apache LDAPS connection, against
Windows Active Directory:

[authnz_ldap:info] [pid 14680270:tid 515] [client 172.24.12.217:52072]
AH01695: auth_ldap authenticate: user pdonaghy authentication failed; URI
/favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]

Many entries for this error point to a problem with the certificate chain.
But as far as I can see, the certificate chain is valid - I have checked it
using openssl s_client.  I have also disabled the Apache certification
validation: LDAPVerifyServerCert off

I have set up detailed logging in Apache: LDAPLibraryDebug 7 and
LogLevel debug, but I am still not getting the detailed cause of the
error.  For example:

** ld 3048d718 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 3048d718 request count 1 (abandoned 0)
** ld 3048d718 Response Queue:
   Empty
  ld 3048d718 response count 0
ldap_chkResponseList ld 3048d718 msgid 1 all 0
ldap_chkResponseList returns ld 3048d718 NULL
ldap_int_select
read1msg: ld 3048d718 msgid 1 all 0
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
ldap_create
[Tue Jan 21 12:57:46.650655 2014] [ldap:debug] [pid 15335652:tid 772]
util_ldap.c(370): AH01278: LDAP: Setting referrals to Off.
ldap_err2string
[Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 15335652:tid 772]
[client 172.24.13.177:64607] AH01695: auth_ldap authenticate: user dgfd
authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind()
failed][Can't contact LDAP server]

Does anyone know of a way to get further debug information about the
certificate chain processing within Apache?

The OS is AIX 7.1, and the open-source components are as follows:

apr-1.4.8-1
apr-devel-1.4.8-1
apr-util-1.5.2-1
apr-util-db4-1.5.2-1
apr-util-freetds-1.5.2-1
apr-util-gdbm-1.5.2-1
apr-util-ldap-1.5.2-1
apr-util-odbc-1.5.2-1
apr-util-sqlite-1.5.2-1
httpd-2.4.7-1
mod_ssl-2.4.7-1
openssl-1.0.1e-2
openssl-devel-1.0.1e-2
openssl-doc-1.0.1e-2
openldap-2.4.23-0.3
openldap-clients-2.4.23-0.3


Thank you for any help.
Peter Donaghy.
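
Added example, not part of the original message or of Apache's own code: a small Python triage of AH01695 entries like the ones quoted above. It re-joins the wrapped lines, skips the interleaved LDAP library trace, and separates failures where no reply came back from the LDAP server from failures the directory itself returned. The log sample is constructed, and the mapping of error strings to the two categories is an assumption based on OpenLDAP's ldap_err2string texts.

```python
import re
from collections import Counter

# Constructed sample in the wrapped form shown above (users, IPs, pids are made up).
SAMPLE_LOG = """\
ldap_create
[Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 1001:tid 7]
[client 192.0.2.10:64607] AH01695: auth_ldap authenticate: user alice
authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind()
failed][Can't contact LDAP server]
ldap_err2string
[Tue Jan 21 12:58:02.000001 2014] [authnz_ldap:info] [pid 1001:tid 9]
[client 192.0.2.11:50000] AH01695: auth_ldap authenticate: user bob
authentication failed; URI /index.html [LDAP: ldap_simple_bind()
failed][Invalid credentials]
"""

# One AH01695 entry after whitespace has been collapsed to single spaces.
ENTRY = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH01695: auth_ldap authenticate: "
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[LDAP: (?P<reason>[^\]]*)\] ?\[(?P<error>[^\]]*)\]"
)

# Assumption: OpenLDAP client-side error texts that mean no bind reply arrived.
TRANSPORT_ERRORS = {"Can't contact LDAP server", "Connect error"}

def parse_failures(log_text):
    """Return one dict per AH01695 entry, tolerating wrapped lines."""
    flat = " ".join(log_text.split())  # undo the line wrapping
    failures = []
    for m in ENTRY.finditer(flat):
        rec = m.groupdict()
        rec["client"] = rec["client"].rsplit(":", 1)[0]  # drop source port
        rec["category"] = ("transport" if rec["error"] in TRANSPORT_ERRORS
                           else "directory")
        failures.append(rec)
    return failures

def summarize(failures):
    """Count failures per category to show where to look first."""
    return Counter(f["category"] for f in failures)

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["category"], f["user"], f["client"], f["uri"], f["error"], sep="\t")
    print(dict(summarize(parse_failures(SAMPLE_LOG))))
```

Entries that land in `transport` for every user and every URI were raised on the client side before any bind response was received, so the user's credentials were never evaluated by the directory.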
