
debugging tls (apache2 mod_ldap)

Hi there, sorry if this is a bit off-topic, but I have a head-shaped
hole in my desk, and figured you folks might have seen this before.

I'm trying to use mod_auth_ldap and openldap to authenticate
users, it's worked well in the past but I've been banging my head
on a particular server.

It's using ldaps://; the connect appears to happen, but then
I get the following error from mod_ldap (this is apache2, so
auth_ldap has mod_ldap handling the binds for it; names changed to
protect the ignorant):

[Mon Jul 05 15:29:40 2004] [info] Subsequent (No.2) HTTPS request received for child 1 (server ourwebserver.uk:443)
[Mon Jul 05 15:29:40 2004] [debug] mod_auth_ldap.c(304): [client] [4537] auth_ldap authenticate: using URL ldaps://our.ldap.server/o=whatever?uid??(ou=*theou*)
[Mon Jul 05 15:29:40 2004] [warn] [client] [4537] auth_ldap authenticate: user username authentication failed; URI / [LDAP: ldap_set_option - LDAP_OPT_X_TLS_HARD failed][Unknown error]
[Mon Jul 05 15:29:55 2004] [debug] ssl_engine_io.c(1511): OpenSSL: I/O error, 5 bytes expected to read on BIO#81e0400 [mem: 81e7a80]

The relevant line mentioned in the errorlog is:

    /* handle bind failure */
    if (result != LDAP_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
                      "[%d] auth_ldap authenticate: "
                      "user %s authentication failed; URI %s [%s][%s]",
                      getpid(), r->user, r->uri, ldc->reason, ldap_err2string(result));

and the OPT_X_TLS_HARD line comes from util_ldap.c:

                    if (LDAP_SUCCESS != result) {
                        ldc->reason = "LDAP: ldap_set_option - LDAP_OPT_X_TLS_HARD failed";
                        ldc->ldap = NULL;
                    }

Apologies for the apache specifics, but it's really all I have to go on.

I can use ldapsearch to see entries in the server in question, but oddly
it doesn't return to a prompt; it seems to hang.

My question is really whether there are any debugging steps I can take?
Ideally I'd happily just use SSL; it looks to me like it's trying to
do TLS inside the SSL session, which just seems silly.

Do I have an option to just do SSL without TLS, or is that being
requested by the server? Is it likely to be an issue on their end?

How would regulars on this list proceed?

Thanks a lot.

Rasputin :: Jack of All Trades - Master of Nuns
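An added diagnostic helper for the situation above (example code written here, not from the post, Apache or OpenLDAP): it splits the AuthLDAPURL-style URL from the log into host, port, base DN, attributes, scope and filter, then prints (or, with `run`, executes) the two checks to do before blaming the remote end: `openssl s_client` to see the chain the server presents on the ldaps port, and `ldapsearch -d 1` over the same URL so libldap logs its own TLS messages instead of the bare "Unknown error" that ldap_err2string gives for a set_option failure. The host and URL are the placeholders from the post; CAFILE is an assumed, optional variable naming the file that TLS_CACERT in ldap.conf points at.

```shell
#!/bin/sh
# Example diagnostic helper (added here; not from the post, Apache or OpenLDAP).
# Splits an RFC 2255 LDAP URL, scheme://host[:port]/basedn?attrs?scope?filter,
# and prints the checks worth running when an ldaps:// bind fails in the client library.

# ldap_url_part URL FIELD -> prints one of scheme|host|port|base|attrs|scope|filter
ldap_url_part() {
    url=$1 field=$2
    scheme=${url%%://*}
    rest=${url#*://}                      # host[:port]/basedn?attrs?scope?filter
    hostport=${rest%%/*}
    path=${rest#"$hostport"}; path=${path#/}
    host=${hostport%%:*}
    port=${hostport#"$host"}; port=${port#:}
    if [ -z "$port" ]; then               # default ports: 636 for ldaps, 389 for ldap
        case $scheme in ldaps) port=636 ;; *) port=389 ;; esac
    fi
    base=${path%%\?*};  q=${path#"$base"}; q=${q#\?}
    attrs=${q%%\?*};    q=${q#"$attrs"};   q=${q#\?}
    scope=${q%%\?*};    q=${q#"$scope"};   q=${q#\?}
    filter=$q
    case $field in
        scheme) printf '%s\n' "$scheme" ;;  host)   printf '%s\n' "$host" ;;
        port)   printf '%s\n' "$port" ;;    base)   printf '%s\n' "$base" ;;
        attrs)  printf '%s\n' "$attrs" ;;   scope)  printf '%s\n' "$scope" ;;
        filter) printf '%s\n' "$filter" ;;  *) return 1 ;;
    esac
}

# ldaps_checks URL [run] -> prints the two commands; with "run" also executes them.
# CAFILE (assumed, optional) names the CA bundle that TLS_CACERT in ldap.conf
# points at, so s_client validates the chain against the same CA libldap uses.
ldaps_checks() {
    url=$1
    host=$(ldap_url_part "$url" host);  port=$(ldap_url_part "$url" port)
    base=$(ldap_url_part "$url" base);  scope=$(ldap_url_part "$url" scope)
    filter=$(ldap_url_part "$url" filter)
    [ -n "$scope" ] || scope=sub          # mod_auth_ldap treats a missing scope as sub
    [ -n "$filter" ] || filter='(objectClass=*)'
    # 1. Chain presented on the ldaps port; look for "Verify return code: 0 (ok)".
    c1="openssl s_client -connect $host:$port -showcerts ${CAFILE:+-CAfile $CAFILE} </dev/null"
    # 2. The same search the module makes, with libldap debugging (-d 1), which
    #    prints the "TLS: ..." messages that the module's own log line hides.
    c2="ldapsearch -x -d 1 -H ldaps://$host:$port -b '$base' -s $scope '$filter' 1.1"
    printf '%s\n%s\n' "$c1" "$c2"
    [ "$2" = run ] && { eval "$c1"; eval "$c2"; }
    return 0
}
```

The `1.1` attribute selector asks the server for no attribute values, so the second check exercises connect, TLS and bind without pulling directory contents.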