Apache 通过 LDAP 安全端口(ldaps)进行身份验证时返回 500 错误

tag-icon tag-icon apache-2.2 redhat ldap
Apache 通过 LDAP 安全端口(ldaps)进行身份验证时返回 500 错误

我们有 Linux RHEL6,httpd 版本为 2.2.15,使用 LDAP 用户名和密码登录后,apache 返回 500 错误。仅当您使用 ldaps(端口 636)时才会返回此错误,因为 ldap(端口 389)工作正常。

采用以下配置:

<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/xxx.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xxxxxxxxx.key
    ServerName xxxxxxxxxx
    ServerAlias xxxxxxxxxxxxx
    DocumentRoot /var/www/xxxxxxxx
    # Specific configuration
    <Location /private/status>
        SetHandler server-status
    </Location>
    <Location />
        AuthType Basic
        AuthName "Admin xxxxxx"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldaps://ldap.xxxxxxxx.com/ou=People,dc=xxxxx,dc=com?uid?one
        Require ldap-user xxxx xxxx
    </Location>
    ErrorLog logs/xxxxxxxx-ssl-error_log
    CustomLog logs/xxxxxxxxx-ssl-access_log combined
</VirtualHost>

已加载模块:

auth_basic_module ldap_module authnz_ldap_module

相同的配置适用于 RHEL5.x 和 httpd 2.2.3

服务器错误日志中没有关于此错误的信息。

我们停止了 httpd,删除了所有日志,然后启动 httpd 并尝试访问该站点,仅一次。当发生 500 内部服务器错误时,Apache 不会在任何错误日志文件中写入任何内容。

ls -al /var/log/httpd/

total 16 drwx------. 2 apache apache 4096 Jan 21 15:56 . drwxr-xr-x. 8 root root   4096 Jan 18 13:50 ..
-rw-r--r--. 1 root   root      0 Jan 21 15:56 access_log
-rw-r--r--. 1 root   root   3038 Jan 21 15:56 error_log
-rw-r--r--. 1 root   root    595 Jan 21 15:56 takeover-ssl-access_log
-rw-r--r--. 1 root   root      0 Jan 21 15:56 takeover-ssl-error_log

猫/ var /日志/ httpd / *

[Fri Jan 21 15:56:13 2011] [notice] SELinux policy enabled; httpd running as
context unconfined_u:system_r:httpd_t:SystemLow
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [warn] Init: Session Cache is not configured [hint:
SSLSessionCache]
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] util_ldap.c(2058): LDAP merging Shared Cache
conf: shm=0x7fe25bad19f8 rmm=0x7fe25bad1a50 for VHOST: takeover.fluendo.lan
[Fri Jan 21 15:56:13 2011] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Fri Jan 21 15:56:13 2011] [info] LDAP: SSL support available
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server:
Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25893 for worker proxy:reverse
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25893 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25894 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25894 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25895 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25895 for (*)
[Fri Jan 21 15:56:14 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips configured -- resuming normal operations
[Fri Jan 21 15:56:14 2011] [info] Server built: Aug 14 2010 08:53:20
[Fri Jan 21 15:56:14 2011] [debug] prefork.c(1013): AcceptMutex: sysvsem
(default: sysvsem)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25896 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25896 for (*)
172.17.5.59 - - [21/Jan/2011:15:56:32 +0100] "GET / HTTP/1.1" 401 401 "-"
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like
Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET / HTTP/1.1" 500 536
"-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like
Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET /favicon.ico HTTP/1.1"
500 536 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10
(KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"

答案1

您还需要一个或多个LDAP 信任*指令;有关详细信息,请参阅链接页面。如果没有这些指令,它首先就无法与 LDAP 服务器建立连接,因此 Apache 只能放弃并返回 500(这是一种对不属于任何其他类别的错误的总称)。

相关内容