Bug 759308 - Apache AuthLDAP (ldaps) "500 Internal Server Error"
Summary: Apache AuthLDAP (ldaps) "500 Internal Server Error"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: httpd
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Joe Orton
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-01 23:37 UTC by Steven Selk
Modified: 2014-09-17 14:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-31 17:19:42 UTC
Target Upstream Version:



Description Steven Selk 2011-12-01 23:37:34 UTC
Description of problem:
Apache AuthLDAP with ldaps:// in AuthLDAPURL results in "500 Internal Server Error".

Version-Release number of selected component (if applicable):
httpd-2.2.15-9.el6_1.3.x86_64
mod_authz_ldap-0.26-15.el6.x86_64
openldap-2.4.23-15.el6_1.3.x86_64

How reproducible:
Very

Steps to Reproduce:
Configure Apache to require a valid ldap user with ldaps:// in AuthLDAPURL.

Example Apache config:

LDAPVerifyServerCert Off
<Location "/private">
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthName "AuthLDAP"
   AuthLDAPURL "ldaps://ldap-server.example.com/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "CN=service-account,OU=Users,DC=example,DC=com"
   AuthLDAPBindPassword "password"
   require valid-user
</Location>
  
Actual results:
500 Internal Server Error
auth_ldap authenticate: user test-account authentication failed; URI /private/
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Expected results:
Successful auth and 200 ok.

Additional info:
This config works fine in RHEL5. In RHEL6, auth only succeeds when using ldap:// instead of ldaps://.

Comment 2 Steven Selk 2011-12-12 23:58:43 UTC
Commenting TLS_CACERTDIR in /etc/openldap/ldap.conf appears to workaround the problem.

Comment 3 Joe Orton 2012-01-31 17:19:42 UTC
Thanks for reporting the workaround.  I seem to recall that some upgrade paths could result in this type of failure, and that creating /etc/openldap/cacerts was an alternative workaround.  If you can reproduce this with a fresh 6.2 install, please let us know.
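As an added example (not from any of the commenters), a POSIX shell check for the condition behind the two workarounds above: a TLS_CACERTDIR directive in ldap.conf that names a directory which does not exist. The ldap.conf files it inspects are constructed inline, and the function names and scratch paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: check an OpenLDAP client config for a
# TLS_CACERTDIR that points to a missing directory (the case the workarounds in
# comments 2 and 3 address). The ldap.conf files below are constructed for the demo;
# on a real host run: check_cacertdir /etc/openldap/ldap.conf

# Print the effective TLS_CACERTDIR value from an ldap.conf file.
# Lines starting with '#' are comments; keywords are case-insensitive; if the
# directive repeats, the last one wins. Prints nothing when it is absent or commented.
cacertdir_from_conf() {
    awk 'tolower($1) == "tls_cacertdir" { dir = $2 } END { if (dir != "") print dir }' "$1"
}

# Exit status 0: TLS_CACERTDIR unset, or it names an existing directory.
# Exit status 1: TLS_CACERTDIR names a directory that does not exist.
check_cacertdir() {
    conf=$1
    dir=$(cacertdir_from_conf "$conf")
    if [ -z "$dir" ]; then
        echo "$conf: TLS_CACERTDIR not set, library defaults apply"
        return 0
    fi
    if [ -d "$dir" ]; then
        echo "$conf: TLS_CACERTDIR=$dir exists"
        return 0
    fi
    echo "$conf: TLS_CACERTDIR=$dir does not exist; create it or comment the directive out" >&2
    return 1
}

# Constructed demo configs in a scratch directory (constructed sample input).
DEMO_DIR=$(mktemp -d)
printf 'TLS_CACERTDIR %s/cacerts\n' "$DEMO_DIR"  > "$DEMO_DIR/missing.conf"   # directory never created
printf '#TLS_CACERTDIR %s/cacerts\n' "$DEMO_DIR" > "$DEMO_DIR/commented.conf" # comment 2 workaround

for conf in "$DEMO_DIR/missing.conf" "$DEMO_DIR/commented.conf"; do
    check_cacertdir "$conf" || echo "-> $conf needs attention"
done
mkdir -p "$DEMO_DIR/cacerts"                # comment 3 workaround: create the directory
check_cacertdir "$DEMO_DIR/missing.conf" || echo "-> still failing"
```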

Comment 4 Colin Doherty 2014-05-12 11:05:09 UTC
I'm seeing this in 6.4 with secure ldap connections. Have tried suggestions regarding /etc/openldap/ldap.conf which don't work. Having done that I added the LDAP logging support from Apache 2.4 to the install which is Apache 2.2.

This shows the issue appears to be a bug with TLS functionality in the module:

ldap_connect_to_host: TCP ourhost.ourdomain:636
ldap_new_socket: 122
ldap_prepare_socket: 122
ldap_connect_to_host: Trying *.*.*.*:636
ldap_pvt_connect: fd: 122 tm: 10 async: 0
ldap_ndelay_on: 122
ldap_int_poll: fd: 122 tm: 10
ldap_is_sock_ready: 122
ldap_ndelay_off: 122
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error code is no longer available
TLS: can't create ssl handle.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_simple_bind_s
ldap_sasl_bind_s

Using non-secure ldap configurations work and a workaround is to use Stunnel for services that require ldaps.

Comment 5 Tyler Mace 2014-09-17 14:18:07 UTC
I am seeing this also, in 6.5 with secure ldap connections. Also tried the workaround. Did not do the logging thing.

