Have you confirmed you can contact the LDAP server over LDAPS from any other system? I use Apache Directory Studio ( http://directory.apache.org/studio/ ) for this.
You could also use Wireshark or a similar program to make sure the connection is actually going through.

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jan 21, 2014 11:06 AM, "Peter Donaghy" <peter.dona...@waitrose.co.uk> wrote:
> Dear Apache users,
>
> I am trying to debug an error in an Apache LDAPS connection, against
> Windows Active Directory:
>
> [authnz_ldap:info] [pid 14680270:tid 515] [client 172.24.12.217:52072]
> AH01695: auth_ldap authenticate: user pdonaghy authentication failed; URI
> /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
>
> Many entries for this error point to a problem with the certificate chain.
> But as far as I can see, the certificate chain is valid - I have checked it
> using openssl s_client. I have also disabled the Apache certification
> validation: LDAPVerifyServerCert off
>
> I have set up detailed logging in Apache: LDAPLibraryDebug 7 and
> LogLevel debug but I am still not getting the detailed cause of the
> error. For example:
>
> ** ld 3048d718 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ld 3048d718 request count 1 (abandoned 0)
> ** ld 3048d718 Response Queue:
> Empty
> ld 3048d718 response count 0
> ldap_chkResponseList ld 3048d718 msgid 1 all 0
> ldap_chkResponseList returns ld 3048d718 NULL
> ldap_int_select
> read1msg: ld 3048d718 msgid 1 all 0
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection 1 1
> ldap_free_connection: actually freed
> ldap_create
> [Tue Jan 21 12:57:46.650655 2014] [ldap:debug] [pid 15335652:tid 772]
> util_ldap.c(370): AH01278: LDAP: Setting referrals to Off.
> ldap_err2string
> [Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 15335652:tid
> 772] [client 172.24.13.177:64607] AH01695: auth_ldap authenticate: user
> dgfd authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind()
> failed][Can't contact LDAP server]
>
> Does anyone know of a way to get further debug information about the
> certificate chain processing within Apache?
>
> The OS is AIX 7.1, and the open-source components are as follows:
>
> apr-1.4.8-1
> apr-devel-1.4.8-1
> apr-util-1.5.2-1
> apr-util-db4-1.5.2-1
> apr-util-freetds-1.5.2-1
> apr-util-gdbm-1.5.2-1
> apr-util-ldap-1.5.2-1
> apr-util-odbc-1.5.2-1
> apr-util-sqlite-1.5.2-1
> httpd-2.4.7-1
> mod_ssl-2.4.7-1
> openssl-1.0.1e-2
> openssl-devel-1.0.1e-2
> openssl-doc-1.0.1e-2
> openldap-2.4.23-0.3
> openldap-clients-2.4.23-0.3
>
> Thank you for any help.
> Peter Donaghy.
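One way to carry out the connectivity check suggested above from the httpd host itself, using the same OpenSSL and OpenLDAP tooling httpd links against. This is an added example, not code from the thread; the host, port and CA file path are placeholders, and the verify-code explanations are standard OpenSSL X509 verify results.

```shell
#!/bin/sh
# Added example, not from the thread: probe an LDAPS listener from the web
# server host with the same OpenSSL/OpenLDAP tools httpd links against, and
# turn the "Verify return code" line into a readable diagnosis.
# Placeholders (assumed, not from the thread): host, port and CA file below.
LDAP_HOST="${LDAP_HOST:-dc01.example.internal}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ad-root-ca.pem}"
# TLS handshake against the directory server; the served chain is printed too.
ldaps_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -showcerts </dev/null 2>&1
}
# Read s_client output on stdin; print the numeric verify code (0 = chain OK),
# or nothing if the handshake never got that far (TCP/firewall problem).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}
# Read s_client output on stdin; print how many certificates the server sent.
chain_length() {
    grep -c '^-----BEGIN CERTIFICATE-----'
}
# OpenSSL X509 verify codes that commonly surface in httpd only as the generic
# "Can't contact LDAP server" bind failure.
explain_code() {
    case "$1" in
        0)  echo "chain verified against $CA_FILE" ;;
        10) echo "a certificate in the chain has expired" ;;
        18) echo "self-signed server certificate, not present in the CA file" ;;
        19) echo "self-signed root of the chain is not in the CA file" ;;
        20) echo "issuer certificate missing: server sends an incomplete chain" ;;
        21) echo "leaf signature cannot be verified: intermediate CA missing" ;;
        *)  echo "verify error $1 (see the verify(1) manual page)" ;;
    esac
}
# Anonymous rootDSE read over LDAPS with -d 1, the ldapsearch counterpart of
# LDAPLibraryDebug. LDAPTLS_REQCERT=never would mirror LDAPVerifyServerCert off
# and is only useful to separate trust failures from connectivity failures.
ldap_bind_test() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -H "ldaps://$1:$2" -b '' -s base \
        -d 1 '(objectClass=*)' namingContexts
}
main() {
    out=$(ldaps_probe "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE") || true
    code=$(printf '%s\n' "$out" | verify_code)
    echo "certificates sent: $(printf '%s\n' "$out" | chain_length)"
    echo "verify result: ${code:-none (handshake did not complete)}"
    [ -n "$code" ] && explain_code "$code"
    [ "$code" = "0" ] && ldap_bind_test "$LDAP_HOST" "$LDAP_PORT"
}
case "${1:-}" in run) main ;; esac
```

Run it as `sh ldaps-check.sh run` on the httpd host; an empty verify result means the problem is below TLS (routing, firewall, wrong port), while a non-zero code points at the chain the server actually serves rather than the one checked elsewhere.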