Apache returns 500 error with authentication over LDAP secure port (ldaps)
You also need one or more of the LDAPTrusted* directives; see the linked page for the details. Without those, it's not going to be able to establish the connection to the LDAP server in the first place, so Apache throws up its hands and returns 500 (which is sort of a catch-all for errors that don't fit into any other category).
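As an added example (not code from the original question or answer), the following shell script lints an httpd configuration for the two states this answer is about: an ldaps:// AuthLDAPURL with no LDAPTrusted* CA directive, where mod_ldap has no trust anchor, the connection never comes up and mod_authnz_ldap surfaces the failure as a 500; and the shortcut of LDAPVerifyServerCert Off, which makes the 500 go away by accepting any certificate, so a host that can intercept the path to port 636 can impersonate the directory and read the Basic-auth password that Apache forwards in the simple bind. The two embedded configs are constructed samples; the hostname ldap.example.com and the CA path /etc/pki/tls/certs/ldap-ca.crt are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Lints an httpd config for LDAPS authentication that either has no trust
# anchor (mod_ldap cannot validate the chain -> connection fails -> 500) or
# has verification switched off (connects, but accepts any certificate).
# The config files written below are constructed samples; the CA path and
# hostname in them are placeholders.

# check_ldaps_config FILE
# Prints one finding per line. Returns 0 when ldaps:// is backed by a CA
# directive and verification is left on, 1 otherwise.
check_ldaps_config() {
    cfg=$1
    rc=0

    # Nothing to check unless some AuthLDAPURL actually uses ldaps://
    if ! grep -Eiq '^[[:space:]]*AuthLDAPURL[[:space:]]+"?ldaps://' "$cfg"; then
        echo "OK: no ldaps:// AuthLDAPURL in $cfg"
        return 0
    fi

    # Finding 1: verification disabled. The 500 disappears, but so does any
    # guarantee that the peer on port 636 is the real directory, and the
    # simple bind carries the user's Basic-auth password inside that TLS session.
    if grep -Eiq '^[[:space:]]*LDAPVerifyServerCert[[:space:]]+off[[:space:]]*$' "$cfg"; then
        echo "FAIL: LDAPVerifyServerCert Off accepts any server certificate (MITM-able)"
        rc=1
    fi

    # Finding 2: no CA to verify against. LDAPTrustedGlobalCert applies
    # server-wide, LDAPTrustedClientCert per directory; either one with a CA_*
    # type gives mod_ldap a trust anchor for the ldaps:// connection.
    if ! grep -Eiq '^[[:space:]]*LDAPTrusted(Global|Client)Cert[[:space:]]+CA_(BASE64|DER|CERT7_DB|SECMOD)[[:space:]]+' "$cfg"; then
        echo "FAIL: ldaps:// in use but no LDAPTrustedGlobalCert/LDAPTrustedClientCert CA_* directive"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cfg has a CA trust anchor and LDAPVerifyServerCert is not disabled"
    fi
    return "$rc"
}

BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

# Constructed sample: the shape of the config as the question was resolved.
cat > "$BAD_CONF" <<'EOF'
LDAPVerifyServerCert Off
<Location />
    AuthType Basic
    AuthName "Admin example"
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?one
    Require ldap-user admin
</Location>
EOF

# Constructed sample: same location with a trust anchor instead. The CA file
# must contain the issuer chain of the certificate the LDAP server presents.
cat > "$GOOD_CONF" <<'EOF'
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.crt
LDAPVerifyServerCert On
<Location />
    AuthType Basic
    AuthName "Admin example"
    AuthBasicProvider ldap
    AuthLDAPURL ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?one
    Require ldap-user admin
</Location>
EOF

echo "== config with verification disabled =="
check_ldaps_config "$BAD_CONF" || true
echo "== config with a CA trust anchor =="
check_ldaps_config "$GOOD_CONF"
```

To see which chain the directory actually presents before choosing the CA file, run `openssl s_client -connect ldap.example.com:636 -showcerts` from the web server and compare the issuer against the file you point LDAPTrustedGlobalCert at. When httpd is built against the OpenLDAP SDK (the error log in the question shows "APR LDAP: Built with OpenLDAP LDAP SDK"), the same CA can alternatively be set system-wide with TLS_CACERT in /etc/openldap/ldap.conf; either way, the fix is to give mod_ldap a trust anchor, not to turn verification off.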
Ignasi Blanco
Updated on September 17, 2022

Comments
-
Ignasi Blanco almost 2 years
We have Linux RHEL6 with httpd 2.2.15, and after logging in with LDAP username and password, Apache returns a 500 error. It returns this error only if you use ldaps (port 636); with ldap (port 389) it works fine.
With the following configuration:
<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/xxx.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xxxxxxxxx.key

    ServerName xxxxxxxxxx
    ServerAlias xxxxxxxxxxxxx
    DocumentRoot /var/www/xxxxxxxx

    # Specific configuration
    <Location /private/status>
        SetHandler server-status
    </Location>

    <Location />
        AuthType Basic
        AuthName "Admin xxxxxx"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldaps://ldap.xxxxxxxx.com/ou=People,dc=xxxxx,dc=com?uid?one
        Require ldap-user xxxx xxxx
    </Location>

    ErrorLog logs/xxxxxxxx-ssl-error_log
    CustomLog logs/xxxxxxxxx-ssl-access_log combined
</VirtualHost>
Modules loaded:
auth_basic_module ldap_module authnz_ldap_module
The same configuration works with RHEL5.x and httpd 2.2.3.
No information available about this error in the server error log.
We stopped httpd, we deleted all the logs and then we started httpd and tried to access the site, just once. Apache does not write anything in any error log file when the 500 Internal Server Error happens.
ls -al /var/log/httpd/
total 16
drwx------. 2 apache apache 4096 Jan 21 15:56 .
drwxr-xr-x. 8 root   root   4096 Jan 18 13:50 ..
-rw-r--r--. 1 root   root      0 Jan 21 15:56 access_log
-rw-r--r--. 1 root   root   3038 Jan 21 15:56 error_log
-rw-r--r--. 1 root   root    595 Jan 21 15:56 takeover-ssl-access_log
-rw-r--r--. 1 root   root      0 Jan 21 15:56 takeover-ssl-error_log
cat /var/log/httpd/*
[Fri Jan 21 15:56:13 2011] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:SystemLow
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Fri Jan 21 15:56:13 2011] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] util_ldap.c(2058): LDAP merging Shared Cache conf: shm=0x7fe25bad19f8 rmm=0x7fe25bad1a50 for VHOST: takeover.fluendo.lan
[Fri Jan 21 15:56:13 2011] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Fri Jan 21 15:56:13 2011] [info] LDAP: SSL support available
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 25893 for worker proxy:reverse
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 25893 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 25894 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 25894 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 25895 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 25895 for (*)
[Fri Jan 21 15:56:14 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/1.0.0-fips configured -- resuming normal operations
[Fri Jan 21 15:56:14 2011] [info] Server built: Aug 14 2010 08:53:20
[Fri Jan 21 15:56:14 2011] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 25896 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 25896 for (*)
172.17.5.59 - - [21/Jan/2011:15:56:32 +0100] "GET / HTTP/1.1" 401 401 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET / HTTP/1.1" 500 536 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET /favicon.ico HTTP/1.1" 500 536 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
-
Ignasi Blanco over 13 years
You are right. We need to disable the verification of the server certificate (LDAPVerifyServerCert Off) for it to work properly. Thank you.
-
Sim almost 13 years
@ignasi If this was the correct solution to your problem, please accept this answer.