CentOs 7 上采用 LDAP 身份验证的 Apache 2.4 出现内部服务器错误 500

tag-icon tag-icon linux apache-2.4 ldap
CentOs 7 上采用 LDAP 身份验证的 Apache 2.4 出现内部服务器错误 500

我有一台 centos 7 服务器,安装了 apache 2.4.6,启用了 mod_ldap 和 mod_authnz_ldap 模块。输入用户名和密码后,出现内部服务器 500 错误,error.log 文件中未显示任何错误日志。以下是配置文件

    <VirtualHost *:443>
    ServerName mypage.local
    ServerAlias www.mypage.local
    DocumentRoot /var/www/html/mycompany
    SSLEngine on
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/server.key
    ErrorLog /var/log/httpd/error.log
    </VirtualHost>

    <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteCond %{HTTPS} !on
     RewriteRule .* https://%{HTTP_HOST}/%{REQUEST_URI} [R=301,L,QSA]
     </IfModule>
     <Location />

     SSLRequireSSL
     #LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/server.crt
     #LDAPTrustedMode TLS
     AuthType Basic
     AuthName "Akhil"
     AuthBasicProvider ldap
     #LDAPVerifyServerCert  off
     AuthLDAPBindDN "cn=read-only,dc=example,dc=com"
     AuthLDAPBindPassword "password"
     AuthLDAPURL "ldap://xxxxxxx.com:389/ou=xxxxx,dc=example,dc=com?sAMAccountName?sub?(ObjectClass=*)"
     #AuthUserFile /var/www/html/mycompany/htpasswd
     Require valid-user
     </Location>

身份验证与 htpasswd 完美配合,使用 AuthBasicProvider 作为 ldap 时出现内部服务器错误。我还附上了错误日志。对 https 使用自签名证书....

[Sat Jan 07 16:08:23.216525 2017] [ssl:warn] [pid 3815] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:08:23.274161 2017] [ssl:warn] [pid 3815] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:27:15.571289 2017] [ssl:warn] [pid 3982] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:27:15.627542 2017] [ssl:warn] [pid 3982] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:28:40.799204 2017] [ssl:warn] [pid 4017] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name [Sat Jan 07 16:28:40.854610 2017] [ssl:warn] [pid 4017] AH01909: RSA certificate configured for mypage.local:443 does NOT include an ID which matches the server name

答案1

您可以尝试以下三种改变吗?

  1. SSLRequireSSL已删除
  2. valid-user变成ldap-user
  3. START_TLS 强化(参见AuthLDAPURL

, 要求

# the following two directives have to be OUTSIDE vhost
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/server.crt
LDAPTrustedMode TLS
<VirtualHost *:443>
[...]
<Location />
 AuthType Basic
 AuthName "Akhil"
 AuthBasicProvider ldap
 AuthLDAPBindDN "cn=read-only,dc=example,dc=com"
 AuthLDAPBindPassword "password"
 # note TLS added at the end of this line
 AuthLDAPURL "ldap://xxxxxxx.com:389/ou=xxxxx,dc=example,dc=com?sAMAccountName?sub?(ObjectClass=*)" TLS
 #AuthUserFile /var/www/html/mycompany/htpasswd
 Require ldap-user
</Location>

答案2

您可能需要打开调试才能看到日志文件中的任何内容:

LDAP库调试 7

https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldaplibrarydebug

相关内容