We have Linux RHEL6 with httpd 2.2.15, and after logging in with an LDAP username and
password, Apache returns a 500 error. It returns this error only if you use ldaps
(port 636); with ldap (port 389) it works fine.
With the following configuration:
<VirtualHost _default_:443>
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/xxx.crt
    SSLCertificateKeyFile /etc/pki/tls/private/xxxxxxxxx.key
    ServerName xxxxxxxxxx
    ServerAlias xxxxxxxxxxxxx
    DocumentRoot /var/www/xxxxxxxx
    # Specific configuration
    <Location /private/status>
        SetHandler server-status
    </Location>
    <Location />
        AuthType Basic
        AuthName "Admin xxxxxx"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldaps://ldap.xxxxxxxx.com/ou=People,dc=xxxxx,dc=com?uid?one
        Require ldap-user xxxx xxxx
    </Location>
    ErrorLog logs/xxxxxxxx-ssl-error_log
    CustomLog logs/xxxxxxxxx-ssl-access_log combined
</VirtualHost>
Modules loaded:
auth_basic_module
ldap_module
authnz_ldap_module
The same configuration works with RHEL5.x and httpd 2.2.3.
There is no information about this error in the server error log.
We stopped httpd, deleted all the logs, started httpd again and tried
to access the site, just once. Apache does not write anything to any error log
file when the 500 Internal Server Error happens.
ls -al /var/log/httpd/
total 16
drwx------. 2 apache apache 4096 Jan 21 15:56 .
drwxr-xr-x. 8 root   root   4096 Jan 18 13:50 ..
-rw-r--r--. 1 root root 0 Jan 21 15:56 access_log
-rw-r--r--. 1 root root 3038 Jan 21 15:56 error_log
-rw-r--r--. 1 root root 595 Jan 21 15:56 takeover-ssl-access_log
-rw-r--r--. 1 root root 0 Jan 21 15:56 takeover-ssl-error_log
cat /var/log/httpd/*
[Fri Jan 21 15:56:13 2011] [notice] SELinux policy enabled; httpd running as
context unconfined_u:system_r:httpd_t:SystemLow
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [warn] Init: Session Cache is not configured [hint:
SSLSessionCache]
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server: Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] util_ldap.c(2058): LDAP merging Shared Cache
conf: shm=0x7fe25bad19f8 rmm=0x7fe25bad1a50 for VHOST: takeover.fluendo.lan
[Fri Jan 21 15:56:13 2011] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Fri Jan 21 15:56:13 2011] [info] LDAP: SSL support available
[Fri Jan 21 15:56:13 2011] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary RSA private keys
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Jan 21 15:56:13 2011] [info] Init: Initializing (virtual) servers for SSL
[Fri Jan 21 15:56:13 2011] [info] mod_ssl/2.2.15 compiled against Server:
Apache/2.2.15, Library: OpenSSL/1.0.0-fips
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25893 for worker proxy:reverse
[Fri Jan 21 15:56:13 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25893 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25894 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25894 for (*)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25895 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25895 for (*)
[Fri Jan 21 15:56:14 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips configured -- resuming normal operations
[Fri Jan 21 15:56:14 2011] [info] Server built: Aug 14 2010 08:53:20
[Fri Jan 21 15:56:14 2011] [debug] prefork.c(1013): AcceptMutex: sysvsem
(default: sysvsem)
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1818): proxy: grabbed
scoreboard slot 0 in child 25896 for worker proxy:reverse
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1837): proxy: worker
proxy:reverse already initialized
[Fri Jan 21 15:56:14 2011] [debug] proxy_util.c(1934): proxy: initialized
single connection worker 0 in child 25896 for (*)
172.17.5.59 - - [21/Jan/2011:15:56:32 +0100] "GET / HTTP/1.1" 401 401 "-"
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like
Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET / HTTP/1.1" 500 536
"-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like
Gecko) Chrome/8.0.552.224 Safari/534.10"
172.17.5.59 - sgafsgaf [21/Jan/2011:15:56:42 +0100] "GET /favicon.ico HTTP/1.1"
500 536 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10
(KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
Best Answer
You also need one or more of the LDAPTrusted* directives; see the linked page for the details. Without those, it's not going to be able to establish the connection to the LDAP server in the first place, so Apache throws up its hands and returns 500 (which is sort of a catchall for errors that don't fit into any other category).
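As an added illustration of the answer (not code from the question or the answer above), here is a small Python lint that reads an httpd configuration, finds every AuthLDAPURL that uses ldaps://, and reports it when no LDAPTrustedGlobalCert, LDAPTrustedClientCert or LDAPTrustedMode directive is present anywhere in the file. Both embedded configurations are constructed: the first mirrors the failing VirtualHost from the question, the second adds the trust directives the answer refers to. The CA path /etc/pki/tls/certs/ldap-ca.crt and the hostname ldap.example.com are placeholders, and LDAPVerifyServerCert is included only to make server-certificate verification explicit; on httpd 2.2 these directives belong in the main server configuration, outside any VirtualHost.

```python
import re

# Constructed sample: the shape of the VirtualHost posted in the question,
# with placeholder hostnames. There is no trust anchor for the ldaps server.
BROKEN_CONF = """\
<VirtualHost _default_:443>
    SSLEngine On
    <Location />
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?one
        Require ldap-user alice bob
    </Location>
</VirtualHost>
"""

# Constructed sample: the same site with the LDAPTrusted* directive the answer
# calls for. The CA path is a placeholder; mod_ldap needs a CA it trusts before
# the TLS handshake to port 636 can succeed at all.
FIXED_CONF = """\
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.crt
LDAPVerifyServerCert On
<VirtualHost _default_:443>
    SSLEngine On
    <Location />
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPURL ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?one
        Require ldap-user alice bob
    </Location>
</VirtualHost>
"""

TRUST_DIRECTIVES = ("LDAPTrustedGlobalCert", "LDAPTrustedClientCert", "LDAPTrustedMode")


def ldaps_trust_issues(conf_text):
    """Return a list of findings: one per AuthLDAPURL that uses ldaps:// while
    the configuration sets none of the LDAPTrusted* directives, plus one if
    server-certificate verification has been switched off explicitly."""
    findings = []
    # AuthLDAPURL takes the URL as its first argument, optionally quoted,
    # optionally followed by a connection mode (NONE|SSL|TLS|STARTTLS).
    urls = re.findall(r'^\s*AuthLDAPURL\s+"?([^\s"]+)', conf_text, re.M | re.I)
    has_trust = any(
        re.search(r'^\s*%s\b' % d, conf_text, re.M | re.I) for d in TRUST_DIRECTIVES
    )
    for url in urls:
        if url.lower().startswith("ldaps://") and not has_trust:
            findings.append(
                "AuthLDAPURL %s uses ldaps:// but no LDAPTrusted* directive is set; "
                "mod_ldap cannot complete the TLS connection and the request fails "
                "with 500" % url
            )
    if re.search(r'^\s*LDAPVerifyServerCert\s+off\b', conf_text, re.M | re.I):
        findings.append(
            "LDAPVerifyServerCert Off disables verification of the LDAP server "
            "certificate; prefer a trusted CA via LDAPTrustedGlobalCert"
        )
    return findings


def lint_file(path):
    """Convenience wrapper: lint an httpd.conf (or conf.d fragment) on disk."""
    with open(path) as fh:
        return ldaps_trust_issues(fh.read())


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        issues = ldaps_trust_issues(conf)
        print("%s: %s" % (name, issues or "no ldaps trust issues"))
```

The check is deliberately file-wide rather than scoped to the VirtualHost, because the LDAPTrusted* directives are global mod_ldap settings and a VirtualHost-only search would produce false positives against a correctly configured server.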