Have you confirmed you can contact the LDAP server over LDAPS from any
other system?
I use Apache Directory Studio ( http://directory.apache.org/studio/ ) for
this.

You could also use Wireshark or a similar program to make sure the
connection is actually going through.

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
On Jan 21, 2014 11:06 AM, "Peter Donaghy" <peter.dona...@waitrose.co.uk>
wrote:

> Dear Apache users,
>
> I am trying to debug an error in an Apache LDAPS connection, against
> Windows Active Directory:
>
> [authnz_ldap:info] [pid 14680270:tid 515] [client 172.24.12.217:52072]
> AH01695: auth_ldap authenticate: user pdonaghy authentication failed; URI
> /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
>
> Many entries for this error point to a problem with the certificate chain.
> But as far as I can see, the certificate chain is valid - I have checked it
> using openssl s_client.  I have also disabled the Apache certification
> validation:     LDAPVerifyServerCert off
>
> I have setup detailed logging in Apache:  LDAPLibraryDebug 7   and
> LogLevel debug    but I am still not getting the detailed cause of the
> error.  For example:
>
> ** ld 3048d718 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
>   ld 3048d718 request count 1 (abandoned 0)
> ** ld 3048d718 Response Queue:
>    Empty
>   ld 3048d718 response count 0
> ldap_chkResponseList ld 3048d718 msgid 1 all 0
> ldap_chkResponseList returns ld 3048d718 NULL
> ldap_int_select
> read1msg: ld 3048d718 msgid 1 all 0
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection 1 1
> ldap_free_connection: actually freed
> ldap_create
> [Tue Jan 21 12:57:46.650655 2014] [ldap:debug] [pid 15335652:tid 772]
> util_ldap.c(370): AH01278: LDAP: Setting referrals to Off.
> ldap_err2string
> [Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 15335652:tid
> 772] [client 172.24.13.177:64607] AH01695: auth_ldap authenticate: user
> dgfd authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind()
> failed][Can't contact LDAP server]
>
> Does anyone know of a way to get further debug information about the
> certificate chain processing within Apache?
>
> The OS is Aix 7.1, and the opensource components are as follows:
>
> apr-1.4.8-1
> apr-devel-1.4.8-1
> apr-util-1.5.2-1
> apr-util-db4-1.5.2-1
> apr-util-freetds-1.5.2-1
> apr-util-gdbm-1.5.2-1
> apr-util-ldap-1.5.2-1
> apr-util-odbc-1.5.2-1
> apr-util-sqlite-1.5.2-1
> httpd-2.4.7-1
> mod_ssl-2.4.7-1
> openssl-1.0.1e-2
> openssl-devel-1.0.1e-2
> openssl-doc-1.0.1e-2
> openldap-2.4.23-0.3
> openldap-clients-2.4.23-0.3
>
>
> Thank you for any help.
> Peter Donaghy.
>
>
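A layer-by-layer probe for the "Can't contact LDAP server" symptom above, as an added example (not code from the thread, from httpd or from libldap): it separates the TCP connect, the TLS handshake with chain verification, and the LDAP simple bind, which libldap folds into that one message. The host, port, bind DN, password and CA file are assumptions passed in by the caller; verify=False has the same effect as LDAPVerifyServerCert off.

```python
# Added example (not from the thread): probe LDAPS one layer at a time: TCP, then TLS
# with chain verification, then an LDAP simple bind hand-encoded in BER (RFC 4511).
import socket, ssl

def ber(tag, payload):
    """Encode one BER TLV; lengths of 128 bytes or more use the long form."""
    n = len(payload)
    body = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(body)]) + body + payload

def build_bind_request(msgid, dn, password):
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version 3, dn, simple pw}}."""
    bind = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msgid])) + bind)

def read_tlv(buf, pos=0):
    """Decode the BER TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                               # long-form length: n & 0x7F more bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse ([APPLICATION 1])."""
    _, msg, _ = read_tlv(data)
    _, _, pos = read_tlv(msg)                  # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)                # resultCode (ENUMERATED)
    _, _, pos = read_tlv(op, pos)              # matchedDN
    _, diag, _ = read_tlv(op, pos)             # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe(host, port=636, dn="", password="", cafile=None, verify=True):
    # Returns 'tcp: ...' or 'tls: ...' for the first failing layer, else the bind result.
    ctx = ssl.create_default_context(cafile=cafile)   # cafile: assumed path to the issuing CA
    if not verify:                                   # same effect as LDAPVerifyServerCert off
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=10)
    except OSError as e:
        return "tcp: %s" % e
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # chain/hostname errors surface here
    except OSError as e:
        return "tls: %s" % e
    with tls:
        tls.sendall(build_bind_request(1, dn, password))
        code, diag = parse_bind_response(tls.recv(4096))  # bind responses are small
    return "bind: resultCode %d %s" % (code, diag)
```

Run it from a second host as the reply suggests, e.g. probe("dc.example.test", cafile="/path/to/ca.pem", dn="cn=...", password="..."); a bind resultCode of 49 (invalidCredentials) still proves that the transport and the certificate chain are fine.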
