hanj
Veteran

Joined: 19 Aug 2003
Posts: 1500

Posted: Sat Sep 30, 2006 12:16 am
Post subject: Recent upgrade has broken Apache/PHP/LDAPS apps (SOLVED)
Hello
Today I discovered that one of my applications was not able to connect to an Active Directory server via 636. This application is written in PHP and has been working for quite a while. I have two other servers with the same code that can connect to the same Active Directory server without a problem. I discovered that LDAPS breaks if I restart Apache. I tested it on one of the other boxes, and after an Apache restart, that application was unable to communicate with the LDAP server as well. I can confirm that ldapsearch can connect fine on any of the boxes using the certs stored in /etc/ssl/certs/. I can also verify that this wasn't a problem a few weeks ago. Now, I've been updating the servers, and have noticed recent updates to openldap, openssl and gnutls. I decided to start there by rolling back those packages. After doing so, and restarting Apache, I'm still receiving the error. After increasing the debug level for PHP's ldap_connect(), here is some of the communication. I removed IPs and hostnames.
Code:
ldap_create
ldap_url_parse_ext(ldaps://ldap.xxxxxx.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.xxxxx.com:636
ldap_new_socket: 19
ldap_prepare_socket: 19
ldap_connect_to_host: Trying xxx.xxxx.xxx.xxx:636
ldap_connect_timeout: fd: 19 tm: -1 async: 0
TLS: can't connect.
ldap_err2string
[Fri Sep 29 17:54:21 2006] [error] [client 10.0.0.25] PHP Warning: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Can't contact LDAP server in /var/www/localhost/htdocs/app/LDAPFunctions.php on line 64
Now, usually, an error like this would indicate certs not being exchanged, and the connection dying before any bind action is performed. I want to restate that I'm able to connect via ldapsearch on port 636 to the LDAP server, so the server is definitely up and receiving connections. I have one server that is still able to connect to it via the application. I'm sure this will break if I restart Apache on that box.
To get Apache to talk 'keys' with the LDAP server, I had to create a /home/httpd/.ldaprc file (with the same information as /etc/openldap/ldap.conf). I'll provide both, in case they yield some clues. Also, all keys are in their target directory and readable, and they have not changed.
/home/httpd/.ldaprc Code:
TLS_REQCERT never
TLS_CACERT /etc/ssl/certs/TrustedRootCert-SSL Certificate.pem
TLS_CACERTDIR /etc/ssl/certs
SASL_SECPROPS maxssf=0 #for Kerberos to work
/etc/openldap/ldap.conf Code:
TLS_REQCERT never
TLS_CACERT /etc/ssl/certs/TrustedRootCert-SSL Certificate.pem
TLS_CACERTDIR /etc/ssl/certs
I also made sure I did a revdep-rebuild, since gnutls had some issues. This did not correct anything, and I didn't see any 'apache' specific dependencies. Here are my packages:
Code:
[ebuild R ] net-nds/openldap-2.3.27 USE="berkdb crypt gdbm perl readline samba ssl tcpd -debug -ipv6 -kerberos -minimal -odbc -overlays -sasl (-selinux) -slp" 0 kB
[ebuild R ] dev-libs/openssl-0.9.8d USE="zlib -bindist -emacs -sse2 -test" 0 kB
[ebuild R ] net-www/apache-2.0.58-r2 USE="apache2 ldap mpm-prefork ssl -debug -doc -mpm-itk -mpm-leader -mpm-peruser -mpm-threadpool -mpm-worker (-selinux) -static-modules -threads (-no-suexec%*)" 0 kB
[ebuild R ] dev-lang/php-4.4.4-r4 USE="apache2 bzip2 cli crypt ctype curl exif expat ftp gd ldap mhash mysql ncurses nls pcre readline session snmp ssl truetype unicode xml zlib -adabas -apache -bcmath -berkdb -birdstep -calendar -cdb -cgi -cjk -concurrentmodphp -db2 -dbase -dbmaker -dbx -debug -discard-path -doc -empress -empress-bcs -esoob -fastbuild -fdftk -filepro -firebird -flatfile -force-cgi-redirect -frontbase -gd-external -gdbm -gmp -hardenedphp -hyperwave-api -iconv -imap -informix -inifile -interbase -iodbc -ipv6 -java-external -java-internal -kerberos -libedit -mcal -mcve -memlimit -ming -mnogosearch -msql -mssql -oci8 -oci8-instant-client -odbc -oracle7 -overload -ovrimos -pcntl -pfpro -pic -posix -postgres -recode -sapdb -sharedext -sharedmem -sockets -solid -spell -sqlite -sybase -sybase-ct -sysvipc -threads -tokenizer -wddx -xmlrpc -xpm -xsl -yaz -zip" 0 kB
[ebuild R ] net-libs/gnutls-1.4.4-r1 USE="nls zlib -doc" 0 kB
I knew the apps were working fine as of 9/15, so here are my emerges since then, in case this provides a clue:
Code:
Sat Sep 16 09:13:32 2006 >>> dev-libs/atk-1.12.1
Sat Sep 16 09:14:18 2006 >>> sys-apps/baselayout-1.12.5
Sat Sep 16 09:16:02 2006 >>> media-libs/libdvdread-0.9.6
Sat Sep 16 09:34:52 2006 >>> media-gfx/imagemagick-6.2.9.5
Sun Sep 17 13:33:22 2006 >>> dev-libs/openssl-0.9.8c-r1
Sun Sep 17 13:54:34 2006 >>> sys-kernel/linux-headers-2.6.17-r1
Tue Sep 19 07:31:37 2006 >>> dev-libs/openssl-0.9.8c-r2
Tue Sep 19 07:33:02 2006 >>> app-arch/zip-2.31-r1
Tue Sep 19 07:36:26 2006 >>> app-editors/nano-1.3.12-r1
Tue Sep 19 08:07:11 2006 >>> media-video/realplayer-10.0.7
Tue Sep 19 08:19:31 2006 >>> media-plugins/live-2005.11.11
Tue Sep 19 08:42:38 2006 >>> media-video/mplayer-1.0_pre8
Tue Sep 19 08:44:58 2006 >>> media-libs/win32codecs-20050216
Wed Sep 20 11:58:59 2006 >>> www-client/mozilla-firefox-1.5.0.7
Sat Sep 23 08:46:16 2006 >>> sys-libs/libutempter-1.1.4.1
Sat Sep 23 08:47:28 2006 >>> dev-libs/nspr-4.6.3
Sat Sep 23 08:52:27 2006 >>> dev-libs/nss-3.11.3
Sat Sep 23 08:53:17 2006 >>> dev-libs/libtasn1-0.3.5
Sat Sep 23 08:56:48 2006 >>> app-arch/gzip-1.3.5-r9
Sat Sep 23 09:01:11 2006 >>> net-misc/openssh-4.3_p2-r4
Sat Sep 23 09:01:21 2006 >>> net-libs/gnutls-1.4.4-r1
Sat Sep 23 09:01:50 2006 >>> app-arch/gzip-1.3.5-r9
Sat Sep 23 09:02:18 2006 >>> sys-apps/eject-2.1.5
Sat Sep 23 09:05:26 2006 >>> net-misc/openssh-4.3_p2-r4
Thu Sep 28 07:48:32 2006 >>> app-shells/bash-3.1_p17
Thu Sep 28 07:55:33 2006 >>> dev-lang/python-2.4.3-r4
Thu Sep 28 07:56:54 2006 >>> sys-apps/sed-4.1.5
Thu Sep 28 07:57:14 2006 >>> sys-apps/help2man-1.36.4
Thu Sep 28 07:57:30 2006 >>> sys-devel/gnuconfig-20060702
Thu Sep 28 07:58:57 2006 >>> sys-devel/bison-2.2
Thu Sep 28 07:59:10 2006 >>> sys-devel/binutils-config-1.9-r2
Thu Sep 28 08:11:33 2006 >>> net-nds/openldap-2.3.27
Thu Sep 28 08:12:37 2006 >>> sys-libs/cracklib-2.8.9-r1
Thu Sep 28 08:13:21 2006 >>> dev-php/PEAR-PEAR-1.4.11
Thu Sep 28 08:13:50 2006 >>> sys-apps/baselayout-1.12.5-r1
Thu Sep 28 08:14:53 2006 >>> sys-devel/make-3.81
Thu Sep 28 08:16:26 2006 >>> net-misc/neon-0.26.1-r1
Thu Sep 28 08:17:59 2006 >>> dev-libs/libusb-0.1.12
Thu Sep 28 08:19:35 2006 >>> dev-php4/jpgraph-1.20.5
Thu Sep 28 08:24:31 2006 >>> net-misc/openssh-4.3_p2-r5
Thu Sep 28 08:28:58 2006 >>> sys-apps/busybox-1.2.1
Thu Sep 28 08:29:20 2006 >>> net-www/netscape-flash-7.0.68
Thu Sep 28 08:33:55 2006 >>> dev-lang/ruby-1.8.5
Fri Sep 29 08:50:00 2006 >>> sys-libs/ncurses-5.5-r3
Fri Sep 29 08:56:04 2006 >>> dev-libs/openssl-0.9.8d
Fri Sep 29 08:56:35 2006 >>> sys-apps/baselayout-1.12.5-r2
Fri Sep 29 09:11:48 2006 >>> net-misc/openssh-4.3_p2-r5
Thanks in advance! It is extremely urgent that I get this fixed as soon as possible.
hanj
_________________
Server Admin Blog - Uno-Code.com
Last edited by hanj on Sat Sep 30, 2006 12:51 am; edited 1 time in total
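The symptom in the post (ldapsearch works from a shell, the PHP application fails only after an Apache restart) is the classic sign that the LDAP client library is reading different TLS settings in the two contexts: libldap loads /etc/openldap/ldap.conf and then $HOME/.ldaprc, so the HOME and effective user of the Apache worker decide whether the /home/httpd/.ldaprc above is ever seen. The following diagnostic script is an added example, not code from the original post or from the application it describes. It reports the environment the PHP process actually runs under and then performs the same debug-level LDAPS bind the poster traced; the hostname, bind DN and password are placeholders to be replaced, and the helper names (ldaps_environment_report, ldaps_bind_check) are this example's own.

```php
<?php
// Added diagnostic for LDAPS-under-Apache problems (example code, not the
// original application). Placeholders below must be replaced before use.
$host   = 'ldaps://ldap.example.com:636';                      // placeholder
$bindDn = 'CN=svc-ldap,OU=Service Accounts,DC=example,DC=com'; // placeholder
$bindPw = 'replace-me';                                        // placeholder

// Describe the context libldap will use to locate its client config files.
// Run once from the CLI and once through Apache and compare the two reports:
// a different HOME (or an unreadable .ldaprc) explains different TLS behaviour.
function ldaps_environment_report() {
    $home = getenv('HOME');
    $rc   = ($home !== false && $home !== '') ? $home . '/.ldaprc' : null;
    return array(
        'sapi'               => php_sapi_name(),
        'euid'               => function_exists('posix_geteuid') ? posix_geteuid() : 'n/a',
        'HOME'               => $home,
        'ldaprc'             => $rc,
        'ldaprc_readable'    => ($rc !== null && is_readable($rc)) ? 'yes' : 'no',
        'ldap.conf_readable' => is_readable('/etc/openldap/ldap.conf') ? 'yes' : 'no',
    );
}

// Attempt the LDAPS bind with libldap debugging enabled. The debug trace goes
// to stderr, which under mod_php ends up in Apache's error_log.
function ldaps_bind_check($host, $bindDn, $bindPw) {
    // Global option (null handle): same debug level the trace in the post shows.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);

    $ds = ldap_connect($host);
    if (!$ds) {
        return array('ok' => false, 'stage' => 'connect', 'error' => 'ldap_connect() failed');
    }
    // Active Directory requires LDAPv3; referrals are disabled so a failed
    // chase is not mistaken for a TLS problem.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // The TCP connect and TLS handshake happen lazily here, which is why a
    // certificate or config problem surfaces as "Can't contact LDAP server"
    // on bind rather than on ldap_connect().
    $ok = @ldap_bind($ds, $bindDn, $bindPw);
    $result = array(
        'ok'    => (bool) $ok,
        'stage' => 'bind',
        'errno' => ldap_errno($ds),
        'error' => ldap_error($ds),
    );
    ldap_unbind($ds);
    return $result;
}

print_r(ldaps_environment_report());
print_r(ldaps_bind_check($host, $bindDn, $bindPw));
```

If the CLI run succeeds and the Apache run fails with the same "Can't contact LDAP server", the two environment reports are the first place to look: the effective user and HOME under Apache must point at a readable .ldaprc, and the CA file named by TLS_CACERT must be readable by that user.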