Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
Apache AuthLDAP with ldaps:// in AuthLDAPURL results in "500 Internal Server Error".
Version-Release number of selected component (if applicable):
httpd-2.2.15-9.el6_1.3.x86_64
mod_authz_ldap-0.26-15.el6.x86_64
openldap-2.4.23-15.el6_1.3.x86_64
How reproducible:
Very
Steps to Reproduce:
Configure Apache to require a valid ldap user with ldaps:// in AuthLDAPURL.
Example Apache config:
LDAPVerifyServerCert Off
<Location "/private">
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthName "AuthLDAP"
AuthLDAPURL "ldaps://ldap-server.example.com/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=service-account,OU=Users,DC=example,DC=com"
AuthLDAPBindPassword "password"
require valid-user
</Location>
Actual results:
500 Internal Server Error
auth_ldap authenticate: user test-account authentication failed; URI /private/
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
Expected results:
Successful auth and 200 ok.
Additional info:
This config works fine in RHEL5. In RHEL6, auth only succeeds when using ldap:// instead of ldaps://.
Thanks for reporting the workaround. I seem to recall that some upgrade paths could result in this type of failure, and that creating /etc/openldap/cacerts was an alternative workaround. If you can reproduce this with a fresh 6.2 install, please let us know.
I'm seeing this in 6.4 with secure ldap connections. Have tried suggestions regarding /etc/openldap/ldap.conf which don't work. Having done that I added the LDAP logging support from Apache 2.4 to the install which is Apache 2.2.
This shows the issue appears to be a bug with TLS functionality in the module:
ldap_connect_to_host: TCP ourhost.ourdomain:636
ldap_new_socket: 122
ldap_prepare_socket: 122
ldap_connect_to_host: Trying *.*.*.*:636
ldap_pvt_connect: fd: 122 tm: 10 async: 0
ldap_ndelay_on: 122
ldap_int_poll: fd: 122 tm: 10
ldap_is_sock_ready: 122
ldap_ndelay_off: 122
ldap_pvt_connect: 0
TLS: error: could not initialize moznss security context - error -5925:The one-time function was previously called and failed. Its error co
de is no longer available
TLS: can't create ssl handle.
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_simple_bind_s
ldap_sasl_bind_s
Using non-secure ldap configurations work and a workaround is to use Stunnel for services that require ldaps.