web-dev-qa-db-ja.com

LDAPセキュアポート(ldaps)による認証でApacheが500エラーを返す

Httpd2.2.15のLinuxRHEL6があり、LDAPユーザー名とパスワードでログに記録した後、Apacheは500エラーを返します。このエラーを返すのは、ldaps(ポート636)を使用している場合のみです。これは、ldap(ポート389)が正常に機能するためです。

次の構成で:

<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/xxx.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xxxxxxxxx.key
    ServerName xxxxxxxxxx
    ServerAlias xxxxxxxxxxxxx
    DocumentRoot /var/www/xxxxxxxx
    # Specific configuration
    <Location /private/status>
        SetHandler server-status
    </Location>
    <Location />
        AuthType Basic
        AuthName "Admin xxxxxx"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldaps://ldap.xxxxxxxx.com/ou=People,dc=xxxxx,dc=com?uid?one
        Require ldap-user xxxx xxxx
    </Location>
    ErrorLog logs/xxxxxxxx-ssl-error_log
    CustomLog logs/xxxxxxxxx-ssl-access_log combined
</VirtualHost>

ロードされたモジュール:

auth_basic_module ldap_module authnz_ldap_module

同じ構成がRHEL5.xとhttpd2.2.3で機能します

サーバーエラーログにこのエラーに関する情報はありません。

Httpdを停止し、すべてのログを削除してから、httpdを開始し、サイトへのアクセスを1回だけ試みました。 500 Internal Server Errorが発生した場合、Apacheはエラーログファイルに何も書き込みません。

ls -al/var/log/httpd /

total 16 drwx------. 2 Apache apache 4096 Jan 21 15:56 . drwxr-xr-x. 8 root root   4096 Jan 18 13:50 ..
-rw-r--r--. 1 root   root      0 Jan 21 15:56 access_log
-rw-r--r--. 1 root   root   3038 Jan 21 15:56 error_log
-rw-r--r--. 1 root   root    595 Jan 21 15:56 takeover-ssl-access_log
-rw-r--r--. 1 root   root      0 Jan 21 15:56 takeover-ssl-error_log

cat/var/log/httpd/*

[Fri Jan 21 15:56:13 2011] [notice] SELinux policy enabled; httpd running as
context unconfined_u:system_r:httpd_t:SystemLow
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [warn] Init: Session Cache is not configured [hint:
SSLSessionCache]
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] util_ldap.c(2058): LDAP merging Shared Cache
conf: shm=0x7fe25bad19f8 rmm=0x7fe25bad1a50 for VHOST: takeover.fluendo.lan
[Fri Jan 21 15:56:13 2011] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Fri Jan 21 15:56:13 2011] [info] LDAP: SSL support available
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server:
Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25893 for worker proxy:reverse
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25893 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25894 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25894 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25895 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25895 for (*)
[Fri Jan 21 15:56:14 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips configured -- resuming normal operations
[Fri Jan 21 15:56:14 2011] [info] Server built: Aug 14 2010 08:53:20
[Fri Jan 21 15:56:14 2011] [debug] prefork.c(1013): AcceptMutex: sysvsem
(default: sysvsem)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25896 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25896 for (*)
172.17.5.59 - - [21/Jan/2011:15:56:32 +0100] "GET / HTTP/1.1" 401 401 "-"
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like
Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET / HTTP/1.1" 500 536
"-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like
Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET /favicon.ico HTTP/1.1"
500 536 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10
(KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
apache-2.2redhatldap
1
Ignasi Blanco

LDAPTrusted * ディレクティブも1つ以上必要です。詳細はリンク先をご覧ください。これらがないと、そもそもLDAPサーバーへの接続を確立できないため、Apacheは手を挙げて、500を返します(これは、他のどのカテゴリーにも当てはまらないエラーのキャッチオールのようなものです)。 。

4
Alex