Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2009/11/02 14:41:17 UTC

Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

> I think there's something related to SSL and how recent apache (it seems
> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
> httpd.conf and set "SSLEngine On" explicitly where needed (while before it
> was somewhat implicit).

This version is where SNI came in, but I have a hard time buying that
you never had "SSLEngine on" in any context.

Can you apply this patch and generate debugging info from the SDK?

http://people.apache.org/~covener/ldap_debug/

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Sandro Tosi <sa...@register.it>.
Hello Eric (and others),
do you have any other ideas about what I can look or test about this 
issue? I'm really out of ideas and I don't know what else to do.

Thanks a lot in advance,
Sandro

Sandro Tosi wrote:
> Eric Covener wrote:
>> On Mon, Nov 2, 2009 at 10:14 AM, Sandro Tosi <sa...@register.it> wrote:
>>> Apache builds fine this time, but the info doesn't seem much more verbose
>>> than before (with debug level on):
>>
>> Did you set the directive mentioned in the HTML and check your main
>> server errorlog?
>
> Yeah, sorry I didn't mention that, I enabled that option in httpd.conf
> (while the vhost I'm using is in another config file).
>
> In the main error.log I can see several
>
> [Mon Nov 02 16:25:41 2009] [debug] util_ldap.c(1995): LDAP merging
> Shared Cache conf: shm=0x811b0f8 rmm=0x811b128 for VHOST: localhost
>
> one for each vhost, and then this
>
> [Mon Nov 02 16:25:41 2009] [info] APR LDAP: Built with OpenLDAP LDAP SDK
> [Mon Nov 02 16:25:41 2009] [info] LDAP: SSL support available
> [Mon Nov 02 16:25:41 2009] [notice] Apache/2.2.14 (Unix) mod_ssl/2.2.14
> OpenSSL/0.9.8g configured -- resuming normal operations
> [Mon Nov 02 16:25:41 2009] [info] Server built: Nov  2 2009 15:32:03
> [Mon Nov 02 16:25:41 2009] [debug] prefork.c(1013): AcceptMutex: sysvsem
> (default: sysvsem)
>
> Nothing else LDAP related, not even when getting the 500.
>
> Sandro




Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Sandro Tosi <sa...@register.it>.
Eric Covener wrote:
> On Mon, Nov 2, 2009 at 10:14 AM, Sandro Tosi <sa...@register.it> wrote:
>> Apache builds fine this time, but the info doesn't seem much more verbose
>> than before (with debug level on):
>
> Did you set the directive mentioned in the HTML and check your main
> server errorlog?
>
Yeah, sorry I didn't mention that, I enabled that option in httpd.conf
(while the vhost I'm using is in another config file).

In the main error.log I can see several

[Mon Nov 02 16:25:41 2009] [debug] util_ldap.c(1995): LDAP merging 
Shared Cache conf: shm=0x811b0f8 rmm=0x811b128 for VHOST: localhost

one for each vhost, and then this

[Mon Nov 02 16:25:41 2009] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Nov 02 16:25:41 2009] [info] LDAP: SSL support available
[Mon Nov 02 16:25:41 2009] [notice] Apache/2.2.14 (Unix) mod_ssl/2.2.14 
OpenSSL/0.9.8g configured -- resuming normal operations
[Mon Nov 02 16:25:41 2009] [info] Server built: Nov  2 2009 15:32:03
[Mon Nov 02 16:25:41 2009] [debug] prefork.c(1013): AcceptMutex: sysvsem 
(default: sysvsem)

Nothing else LDAP related, not even when getting the 500.

Sandro



Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Eric Covener <co...@gmail.com>.
On Mon, Nov 2, 2009 at 10:14 AM, Sandro Tosi <sa...@register.it> wrote:
> Apache builds fine this time, but the info doesn't seem much more verbose
> than before (with debug level on):

Did you set the directive mentioned in the HTML and check your main
server errorlog?


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Sandro Tosi <sa...@register.it>.
Eric Covener wrote:
> On Mon, Nov 2, 2009 at 9:20 AM, Eric Covener <co...@gmail.com> wrote:
>>> util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
>>> 'debug_level'
>>
>> I probably missed a file in the 2.2.x diff, will follow up here when
>> patch is updated.
>
> updated at http://people.apache.org/~covener/ldap_debug/2.2.x-ldap_debug-2.diff
>
Yeah, I was looking at util_ldap.h right when you sent the updated patch :)

Apache builds fine this time, but the info doesn't seem much more
verbose than before (with debug level on):

[Mon Nov 02 15:50:12 2009] [debug] mod_authnz_ldap.c(972): [14305] 
auth_ldap url parse: `ldaps://<LDAP server IP 
address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)', Host: <LDAP server IP 
address>, Port: 636, DN: dc=<dc>,dc=<dc>, attrib: uid, scope: subtree, 
filter: (objectClass=*), connection mode: using SSL
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(972): [14309] 
auth_ldap url parse: `ldaps://<LDAP server IP 
address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)', Host: <LDAP server IP 
address>, Port: 636, DN: dc=<dc>,dc=<dc>, attrib: uid, scope: subtree, 
filter: (objectClass=*), connection mode: using SSL
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [debug] mod_authnz_ldap.c(377): [client 
127.0.0.1] [14309] auth_ldap authenticate: using URL ldaps://<LDAP 
server IP address>/dc=<dc>,dc=<dc>?uid?sub?(objectClass=*)
[Mon Nov 02 15:50:19 2009] [warn] [client 127.0.0.1] [14309] auth_ldap 
authenticate: user <my LDAP user> authentication failed; URI /index.html 
[LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to 
LDAP_OPT_X_TLS_HARD][Operations error]

Should I enable something in openssl? We configured it with 
"--prefix=/path/to/openssl-0.9.8g-16052008 linux-elf".

Thanks again for the support,
Sandro

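The log above shows mod_authnz_ldap parsing an ldaps:// URL on port 636 ("connection mode: using SSL") and then the SDK refusing to enable TLS. As an added illustration (not configuration from this thread, from Sandro's server, or from the httpd project), the fragment below shows where the related httpd 2.2 directives live: the LDAP trust settings are server-wide in httpd.conf, while "SSLEngine On" belongs to each vhost that serves HTTPS. The hostnames, DNs and file paths are placeholders.

```apache
# Added example, not from the thread. All paths, hostnames and DNs are placeholders.

LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Server-wide settings (httpd.conf, outside any <VirtualHost>): mod_ldap
# reads these once at startup. With the OpenLDAP SDK the CA bundle is given
# as CA_BASE64 (PEM); without a trust anchor the SDK has nothing to
# validate the directory's certificate against.
LDAPTrustedGlobalCert CA_BASE64 /path/to/ldap-ca.pem
# Reject the LDAPS connection if the server certificate does not verify.
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName www.example.com
    # SSLEngine must be explicit in every vhost that serves HTTPS;
    # it is not inherited from another vhost.
    SSLEngine On
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    <Location /index.html>
        AuthType Basic
        AuthName "LDAP protected"
        AuthBasicProvider ldap
        # ldaps:// on 636 is what mod_authnz_ldap logs as
        # "connection mode: using SSL".
        AuthLDAPURL "ldaps://ldap.example.com/dc=example,dc=com?uid?sub?(objectClass=*)"
        Require valid-user
    </Location>
</VirtualHost>
```

Apache config comments must sit on their own lines, which is why none are placed after a directive. The two LDAP* directives only take effect in the main server context, so a directory trust anchor configured inside a vhost file would be silently ignored.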


Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Eric Covener <co...@gmail.com>.
On Mon, Nov 2, 2009 at 9:20 AM, Eric Covener <co...@gmail.com> wrote:
>> util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
>> 'debug_level'
>
> I probably missed a file in the 2.2.x diff, will follow up here when
> patch is updated.


updated at http://people.apache.org/~covener/ldap_debug/2.2.x-ldap_debug-2.diff

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Eric Covener <co...@gmail.com>.
> util_ldap.c:1891: error: 'util_ldap_state_t' has no member named
> 'debug_level'

I probably missed a file in the 2.2.x diff, will follow up here when
patch is updated.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] LDAP: ldap_set_option failed. Could not set LDAP_OPT_X_TLS to LDAP_OPT_X_TLS_HARD

Posted by Sandro Tosi <sa...@register.it>.
Eric Covener wrote:
>> I think there's something related to SSL and how recent apache (it seems
>> from 2.2.12?) handles it: in fact, we had to move SSLCertificateFile into
>> httpd.conf and set "SSLEngine On" explicitly where needed (while before it
>> was somewhat implicit).
>
> This version is where SNI came in, but I have a hard time buying that
> you never had "SSLEngine on" in any context.
>
No no, we had them, but not in every context (at least one in each
config file, but not in each vhost that needs that).

> Can you apply this patch and generate debugging info from the SDK?
>
> http://people.apache.org/~covener/ldap_debug/
>
Thanks a lot for the patch! I applied it (against the 2.2.14 tarball code)
but then apache fails to build:

make[4]: Entering directory `/path/to/src/httpd-2.2.14/modules/ldap'
/path/to/src/httpd-2.2.14/srclib/apr/libtool --silent --mode=compile gcc 
-g -O2 -pthread    -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE 
-D_LARGEFILE64_SOURCE    -I/path/to/src/httpd-2.2.14/srclib/pcre -I. 
-I/path/to/src/httpd-2.2.14/os/unix 
-I/path/to/src/httpd-2.2.14/server/mpm/prefork 
-I/path/to/src/httpd-2.2.14/modules/http 
-I/path/to/src/httpd-2.2.14/modules/filters 
-I/path/to/src/httpd-2.2.14/modules/proxy 
-I/path/to/src/httpd-2.2.14/include 
-I/path/to/src/httpd-2.2.14/modules/generators 
-I/path/to/src/httpd-2.2.14/modules/mappers 
-I/path/to/src/httpd-2.2.14/modules/database 
-I/path/to/src/httpd-2.2.14/srclib/apr/include 
-I/path/to/src/httpd-2.2.14/srclib/apr-util/include 
-I/path/to/src/httpd-2.2.14/server 
-I/path/to/src/httpd-2.2.14/modules/proxy/../generators 
-I/path/to/openssl-0.9.8g-16052008/include 
-I/path/to/src/httpd-2.2.14/modules/ssl 
-I/path/to/src/httpd-2.2.14/modules/dav/main -prefer-pic -c util_ldap.c 
&& touch util_ldap.slo
util_ldap.c: In function 'util_ldap_merge_config':
util_ldap.c:1891: error: 'util_ldap_state_t' has no member named 
'debug_level'
util_ldap.c:1891: error: 'util_ldap_state_t' has no member named 
'debug_level'
util_ldap.c: In function 'util_ldap_post_config':
util_ldap.c:2053: error: 'util_ldap_state_t' has no member named 
'debug_level'
util_ldap.c:2054: error: 'util_ldap_state_t' has no member named 
'debug_level'
util_ldap.c:2058: error: 'util_ldap_state_t' has no member named 
'debug_level'
util_ldap.c: In function 'util_ldap_set_debug_level':
util_ldap.c:2080: error: 'util_ldap_state_t' has no member named 
'debug_level'
make[4]: *** [util_ldap.slo] Error 1
make[4]: Leaving directory `/path/to/src/httpd-2.2.14/modules/ldap'
make[3]: *** [shared-build-recursive] Error 1
make[3]: Leaving directory `/path/to/src/httpd-2.2.14/modules/ldap'
make[2]: *** [shared-build-recursive] Error 1
make[2]: Leaving directory `/path/to/src/httpd-2.2.14/modules'
make[1]: *** [shared-build-recursive] Error 1
make[1]: Leaving directory `/path/to/src/httpd-2.2.14'
make: *** [all-recursive] Error 1

Thanks for your help,
Sandro
