Thanks for your reply. Yes, we can contact the LDAP server from other systems, over LDAPS, so it does not look like a connectivity problem. Also, our network people took a look at the traffic over the LDAPS port and could see the data going back & forth. Hence my thinking that the problem may be within the certificate chain processing within Apache.
Thanks, Peter.
Waitrose Systems.
Ext tel 01344 826651
Int Tel 7 42 6651

On 21 January 2014 16:18, Yehuda Katz <yeh...@ymkatz.net> wrote:

> Have you confirmed you can contact the LDAP server over LDAPS from any
> other system?
> I use Apache Directory Studio ( http://directory.apache.org/studio/ ) for
> this.
>
> You could also use Wireshark or a similar program to make sure the
> connection is actually going through.
>
> Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
> On Jan 21, 2014 11:06 AM, "Peter Donaghy" <peter.dona...@waitrose.co.uk>
> wrote:
>
>> Dear Apache users,
>>
>> I am trying to debug an error in an Apache LDAPS connection, against
>> Windows Active Directory:
>>
>> [authnz_ldap:info] [pid 14680270:tid 515] [client 172.24.12.217:52072]
>> AH01695: auth_ldap authenticate: user pdonaghy authentication failed;
>> URI /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP
>> server]
>>
>> Many entries for this error point to a problem with the certificate
>> chain. But as far as I can see, the certificate chain is valid - I have
>> checked it using openssl s_client. I have also disabled the Apache
>> certificate validation: LDAPVerifyServerCert off
>>
>> I have set up detailed logging in Apache: LDAPLibraryDebug 7 and
>> LogLevel debug, but I am still not getting the detailed cause of the
>> error. For example:
>>
>> ** ld 3048d718 Outstanding Requests:
>> * msgid 1, origid 1, status InProgress
>> outstanding referrals 0, parent count 0
>> ld 3048d718 request count 1 (abandoned 0)
>> ** ld 3048d718 Response Queue:
>> Empty
>> ld 3048d718 response count 0
>> ldap_chkResponseList ld 3048d718 msgid 1 all 0
>> ldap_chkResponseList returns ld 3048d718 NULL
>> ldap_int_select
>> read1msg: ld 3048d718 msgid 1 all 0
>> ldap_simple_bind
>> ldap_sasl_bind
>> ldap_send_initial_request
>> ldap_send_server_request
>> ldap_free_request (origid 1, msgid 1)
>> ldap_free_connection 1 1
>> ldap_free_connection: actually freed
>> ldap_create
>> [Tue Jan 21 12:57:46.650655 2014] [ldap:debug] [pid 15335652:tid 772]
>> util_ldap.c(370): AH01278: LDAP: Setting referrals to Off.
>> ldap_err2string
>> [Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 15335652:tid
>> 772] [client 172.24.13.177:64607] AH01695: auth_ldap authenticate: user
>> dgfd authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind()
>> failed][Can't contact LDAP server]
>>
>> Does anyone know of a way to get further debug information about the
>> certificate chain processing within Apache?
>>
>> The OS is Aix 7.1, and the open-source components are as follows:
>>
>> apr-1.4.8-1
>> apr-devel-1.4.8-1
>> apr-util-1.5.2-1
>> apr-util-db4-1.5.2-1
>> apr-util-freetds-1.5.2-1
>> apr-util-gdbm-1.5.2-1
>> apr-util-ldap-1.5.2-1
>> apr-util-odbc-1.5.2-1
>> apr-util-sqlite-1.5.2-1
>> httpd-2.4.7-1
>> mod_ssl-2.4.7-1
>> openssl-1.0.1e-2
>> openssl-devel-1.0.1e-2
>> openssl-doc-1.0.1e-2
>> openldap-2.4.23-0.3
>> openldap-clients-2.4.23-0.3
>>
>>
>> Thank you for any help.
>> Peter Donaghy.
>>
>> **********************************************************************
>> This email is confidential and may contain copyright material of the John
>> Lewis Partnership.
>> If you are not the intended recipient, please notify us immediately and
>> delete all copies of this message.
>> (Please note that it is your responsibility to scan this message for
>> viruses). Email to and from the
>> John Lewis Partnership is automatically monitored for operational and
>> lawful business reasons.
>> **********************************************************************
>>
>> John Lewis plc
>> Registered in England 233462
>> Registered office 171 Victoria Street London SW1E 5NN
>>
>> Websites: http://www.johnlewis.com
>> http://www.waitrose.com
>> http://www.johnlewis.com/insurance
>> http://www.johnlewispartnership.co.uk
>>
>> **********************************************************************
>>
>
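Added example, not from the thread and not Apache's or OpenLDAP's own code: a small Python diagnostic for the situation described above. It parses the AH01695 lines quoted in the thread so a whole log can be summarised by failure reason, and it performs a verified TLS handshake against the LDAPS port directly, which reports the exact OpenSSL verify objection that Apache collapses into "Can't contact LDAP server". The host, port and CA file passed to ldaps_handshake are placeholders you supply; the sample log lines are constructed from the two quoted in the thread.

```python
import re
import socket
import ssl
# One mod_authnz_ldap AH01695 error-log line, in the layout quoted in the thread.
AH01695_RE = re.compile(
    r"\[authnz_ldap:(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] AH01695: auth_ldap authenticate: "
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[LDAP: (?P<call>[^\]]+)\]\[(?P<reason>[^\]]+)\]"
)

def parse_ah01695(line):
    """Split one AH01695 line into its fields; None for any other line."""
    m = AH01695_RE.search(line)
    return m.groupdict() if m else None

def failure_summary(lines):
    """Group failures by LDAP reason and collect the users hit. Every user failing
    with the same transport reason means the bind never reached a password check."""
    summary = {}
    for line in lines:
        rec = parse_ah01695(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["reason"], {"count": 0, "users": set()})
        entry["count"] += 1
        entry["users"].add(rec["user"])
    return summary

def ldaps_handshake(host, port=636, cafile=None, timeout=5.0):
    """Verified TLS handshake to the LDAPS port with the CA bundle Apache uses; returns
    the exact OpenSSL objection that Apache collapses into "Can't contact LDAP server"."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = tls.getpeercert()
                return {"ok": True, "subject": peer.get("subject"), "issuer": peer.get("issuer")}
    except ssl.SSLCertVerificationError as e:  # bad chain, expired cert, name mismatch
        return {"ok": False, "stage": "verify", "detail": e.verify_message}
    except ssl.SSLError as e:  # handshake failed for a non-certificate reason
        return {"ok": False, "stage": "handshake", "detail": str(e)}
    except OSError as e:  # TCP-level failure: refused, timed out, unreachable
        return {"ok": False, "stage": "connect", "detail": str(e)}

# Constructed sample: the two AH01695 lines quoted in the thread, rejoined onto one line each.
SAMPLE_LOG = [
    "[authnz_ldap:info] [pid 14680270:tid 515] [client 172.24.12.217:52072] AH01695: auth_ldap authenticate: user pdonaghy authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]",
    "[Tue Jan 21 12:57:46.650687 2014] [authnz_ldap:info] [pid 15335652:tid 772] [client 172.24.13.177:64607] AH01695: auth_ldap authenticate: user dgfd authentication failed; URI /favicon.ico [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]",
]
```

Run ldaps_handshake from the Apache host itself (for example ldaps_handshake("ldap.example.internal", cafile="/path/to/ca-bundle.pem"), placeholder values), because the verify result depends on that host's trust store, and pass the same bundle Apache is configured with so the comparison is meaningful.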