Bug 759308

Summary: Apache AuthLDAP (ldaps) "500 Internal Server Error"
Product: Red Hat Enterprise Linux 6
Reporter: Steven Selk <steven.selk>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.1
CC: c.m.doherty, macetw, prc
Target Milestone: rc
Doc Type: Bug Fix
Last Closed: 2012-01-31 17:19:42 UTC

Description Steven Selk 2011-12-01 23:37:34 UTC
Description of problem:
Apache AuthLDAP with ldaps:// in AuthLDAPURL results in "500 Internal Server Error".

Version-Release number of selected component (if applicable):
httpd-2.2.15-9.el6_1.3.x86_64
mod_authz_ldap-0.26-15.el6.x86_64
openldap-2.4.23-15.el6_1.3.x86_64

How reproducible:
Very

Steps to Reproduce:
Configure Apache to require a valid ldap user with ldaps:// in AuthLDAPURL.

Example Apache config:

LDAPVerifyServerCert Off
<Location "/private">
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthName "AuthLDAP"
   AuthLDAPURL "ldaps://ldap-server.example.com/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "CN=service-account,OU=Users,DC=example,DC=com"
   AuthLDAPBindPassword "password"
   require valid-user
</Location>
  
Actual results:
500 Internal Server Error
auth_ldap authenticate: user test-account authentication failed; URI /private/
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Expected results:
Successful auth and 200 ok.

Additional info:
This config works fine in RHEL5. In RHEL6, auth only succeeds when using ldap:// instead of ldaps://.

Comment 2 Steven Selk 2011-12-12 23:58:43 UTC
Commenting out TLS_CACERTDIR in /etc/openldap/ldap.conf appears to work around the problem.

Comment 3 Joe Orton 2012-01-31 17:19:42 UTC
Thanks for reporting the workaround.  I seem to recall that some upgrade paths could result in this type of failure, and that creating /etc/openldap/cacerts was an alternative workaround.  If you can reproduce this with a fresh 6.2 install, please let us know.
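Both workarounds mentioned in comments 2 and 3 (comment TLS_CACERTDIR out, or create /etc/openldap/cacerts) remove a TLS_CACERTDIR that points at a non-existent directory. The following is an added diagnostic, not code from the report or from the httpd/openldap packages; it reads an OpenLDAP client config such as /etc/openldap/ldap.conf and reports whether TLS_CACERTDIR and TLS_CACERT refer to paths that exist.

```shell
#!/bin/sh
# Added diagnostic for the TLS_CACERTDIR condition discussed in this bug.
# Usage: sh check_ldap_tls.sh /etc/openldap/ldap.conf

# Effective value of a directive: the last uncommented occurrence wins.
# Commented lines never match because their first field is '#' or '#TLS_...'.
ldap_conf_value() {
    awk -v key="$2" 'toupper($1)==key {v=$2} END {print v}' "$1"
}

# Returns 0 when every configured CA path exists (or none is configured),
# 1 when TLS_CACERTDIR or TLS_CACERT names a path that is missing, which is
# the state both workarounds in this thread remove.
check_ldap_tls_paths() {
    conf="$1"
    status=0
    cadir=$(ldap_conf_value "$conf" TLS_CACERTDIR)
    cafile=$(ldap_conf_value "$conf" TLS_CACERT)
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "TLS_CACERTDIR $cadir: directory missing"
        status=1
    fi
    if [ -n "$cafile" ] && [ ! -f "$cafile" ]; then
        echo "TLS_CACERT $cafile: file missing"
        status=1
    fi
    [ -z "$cadir$cafile" ] && echo "no TLS_CACERTDIR/TLS_CACERT set in $conf"
    return $status
}

# Only run the check when a config path is given on the command line.
if [ $# -gt 0 ]; then
    check_ldap_tls_paths "$1"
fi
```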

Comment 4 Colin Doherty 2014-05-12 11:05:09 UTC
I'm seeing this in 6.4 with secure ldap connections. Have tried suggestions regarding /etc/openldap/ldap.conf which don't work. Having done that I added the LDAP logging support from Apache 2.4 to the install which is Apache 2.2.

This shows the issue appears to be a bug with TLS functionality in the module:

ldap_connect_to_host: TCP ourhost.ourdomain:636
ldap_new_socket: 122
ldap_prepare_socket: 122
ldap_connect_to_host: Trying *.*.*.*:636
ldap_pvt_connect: fd: 122 tm: 10 async: 0
ldap_ndelay_on: 122
ldap_int_poll: fd: 122 tm: 10
ldap_is_sock_ready: 122
ldap_ndelay_off: 122
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_simple_bind_s
ldap_sasl_bind_s

Using non-secure ldap configurations works, and a workaround is to use Stunnel for services that require ldaps.

Comment 5 Tyler Mace 2014-09-17 14:18:07 UTC
I am seeing this also, in 6.5 with secure ldap connections. Also tried the workaround. Did not do the logging thing.