I am trying to build apache httpd 2.4.20 with LDAP over SSL support.

No matter what I try I always get this as the first line in the error log file at start up:

[Wed Jun 15 19:26:17.222691 2016] [ldap:info] [pid 27064] AH01320: LDAP: SSL support unavailable

I believe (through many hours of perseverance) I am using the correct configure cmdline args which should enable the httpd/apr/apr-util build to find:

openssl (latest from installed csw package)
openldap (latest from installed csw package)
apr 1.5.2 (from src build with httpd)
apr-util 1.5.4 (from src build with httpd)
pcre 8.36 (built and installed to /opt/pcre)

My configure runs without errors and with no LDAP or SSL warnings.
My make runs without error.
My install runs without error.
Httpd boots.

With LogLevel set to "trace8" here is what I get on the command line:

$ sudo ./apachectl start
[Thu Jun 16 09:20:17.559339 2016] [core:trace3] [pid 10195] core.c(3208): Setting LogLevel for all modules to trace8
[Thu Jun 16 09:20:17.559959 2016] [ldap:debug] [pid 10195] util_ldap.c(2613): AH01311: LDAP: Setting referral chasing Off
[Thu Jun 16 09:20:17.560102 2016] [authnz_ldap:trace1] [pid 10195] mod_authnz_ldap.c(1512): auth_ldap url parse: `ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub', Host: global.corp.markco, Port: 636, DN: DC=global,DC=corp,DC=markco, attrib: sAMAccountName, scope: subtree, filter: (null), connection mode: using SSL
$

When trying to contact the server through a browser I am prompted for login/passwd.
If I use an NIS account (validated through local passwd/group files) it authenticates fine.
If I use an Active Directory (non-NIS) account it tries LDAP and this fails with errors in the error_log like:

[Thu Jun 16 09:24:47.499445 2016] [core:trace5] [pid 10199] protocol.c(614): [client 101.172.90.164:58872] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:24:47.499988 2016] [http:trace4] [pid 10199] http_request.c(393): [client 101.172.90.164:58872] Headers received from client:
[Thu Jun 16 09:24:47.500045 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:24:47.500137 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Accept-Language: en-US
[Thu Jun 16 09:24:47.500189 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:24:47.500245 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:24:47.500295 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:24:47.500344 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Connection: Keep-Alive
[Thu Jun 16 09:24:47.500393 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:24:47.500443 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:24:47.500698 2016] [http:trace4] [pid 10199] http_request.c(396): [client 101.172.90.164:58872] X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:24:47.501447 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501508 2016] [authz_core:debug] [pid 10199] mod_authz_core.c(806): [client 101.172.90.164:58872] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:24:47.501579 2016] [core:trace3] [pid 10199] request.c(117): [client 101.172.90.164:58872] auth phase 'check user' gave status 401: /
[Thu Jun 16 09:24:47.501848 2016] [http:trace3] [pid 10199] http_filters.c(1003): [client 101.172.90.164:58872] Response sent with status 401, headers:
[Thu Jun 16 09:24:47.501902 2016] [http:trace5] [pid 10199] http_filters.c(1012): [client 101.172.90.164:58872] Date: Thu, 16 Jun 2016 16:24:47 GMT
[Thu Jun 16 09:24:47.501983 2016] [http:trace5] [pid 10199] http_filters.c(1015): [client 101.172.90.164:58872] Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:24:47.502052 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] WWW-Authenticate: Basic realm=\\"Use NIS or Active Directory Login\\"
[Thu Jun 16 09:24:47.502109 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Content-Length: 469
[Thu Jun 16 09:24:47.502156 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Keep-Alive: timeout=2, max=50
[Thu Jun 16 09:24:47.502205 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Connection: Keep-Alive
[Thu Jun 16 09:24:47.502253 2016] [http:trace4] [pid 10199] http_filters.c(833): [client 101.172.90.164:58872] Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:24:47.502398 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:24:47.662398 2016] [core:trace4] [pid 10196] mpm_common.c(531): mpm child 10333 (gen 0/slot 5) started
[Thu Jun 16 09:24:49.502950 2016] [core:trace6] [pid 10199] core_filters.c(523): [client 101.172.90.164:58872] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.389375 2016] [core:trace5] [pid 10200] protocol.c(614): [client 101.172.90.164:58882] Request received from client: GET / HTTP/1.1
[Thu Jun 16 09:25:10.389917 2016] [http:trace4] [pid 10200] http_request.c(393): [client 101.172.90.164:58882] Headers received from client:
[Thu Jun 16 09:25:10.389976 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Accept: text/html, application/xhtml+xml, image/jxr, */*
[Thu Jun 16 09:25:10.390027 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Accept-Language: en-US
[Thu Jun 16 09:25:10.390078 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
[Thu Jun 16 09:25:10.390174 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Accept-Encoding: gzip, deflate, peerdist
[Thu Jun 16 09:25:10.390226 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Host: newyahoo2.oak.sap.corp:8686
[Thu Jun 16 09:25:10.390276 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Connection: Keep-Alive
[Thu Jun 16 09:25:10.390324 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] X-P2P-PeerDist: Version=1.1
[Thu Jun 16 09:25:10.390374 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
[Thu Jun 16 09:25:10.390427 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Cookie: shpuvid=CmEGNFcjp+G+XAmQA9AcAg==
[Thu Jun 16 09:25:10.390491 2016] [http:trace4] [pid 10200] http_request.c(396): [client 101.172.90.164:58882] Authorization: Basic STgyNTcyODpTSlNoYXJrMWU=
[Thu Jun 16 09:25:10.391211 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Jun 16 09:25:10.391274 2016] [authz_core:debug] [pid 10200] mod_authz_core.c(806): [client 101.172.90.164:58882] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Jun 16 09:25:10.404407 2016] [authnz_ldap:debug] [pid 10200] mod_authnz_ldap.c(515): [client 101.172.90.164:58882] AH01691: auth_ldap authenticate: using URL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
[Thu Jun 16 09:25:10.404479 2016] [authnz_ldap:trace1] [pid 10200] mod_authnz_ldap.c(536): [client 101.172.90.164:58882] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=MyADAccount))
[Thu Jun 16 09:25:10.407802 2016] [authnz_ldap:info] [pid 10200] [client 101.172.90.164:58882] AH01695: auth_ldap authenticate: user MyADAccount authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
[Thu Jun 16 09:25:10.407871 2016] [core:trace3] [pid 10200] request.c(117): [client 101.172.90.164:58882] auth phase 'check user' gave status 500: /
[Thu Jun 16 09:25:10.408127 2016] [http:trace3] [pid 10200] http_filters.c(1003): [client 101.172.90.164:58882] Response sent with status 500, headers:
[Thu Jun 16 09:25:10.408180 2016] [http:trace5] [pid 10200] http_filters.c(1012): [client 101.172.90.164:58882] Date: Thu, 16 Jun 2016 16:25:10 GMT
[Thu Jun 16 09:25:10.408227 2016] [http:trace5] [pid 10200] http_filters.c(1015): [client 101.172.90.164:58882] Server: Apache/2.4.20 (Unix)
[Thu Jun 16 09:25:10.408297 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882] Content-Length: 664
[Thu Jun 16 09:25:10.408347 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882] Connection: close
[Thu Jun 16 09:25:10.408408 2016] [http:trace4] [pid 10200] http_filters.c(833): [client 101.172.90.164:58882] Content-Type: text/html; charset=iso-8859-1
[Thu Jun 16 09:25:10.408524 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket
[Thu Jun 16 09:25:10.408878 2016] [core:trace6] [pid 10200] core_filters.c(523): [client 101.172.90.164:58882] core_output_filter: flushing because of FLUSH bucket

My configure env and cmdline was:

CC=/usr/global/opt/SunStudio12.2/bin/cc
export CC
exec ./configure \
    --with-mpm=prefork \
    --with-included-apr \
    --with-pcre=/opt/pcre \
    --enable-authnz-ldap \
    --enable-ldap \
    --with-ldap=ldap \
    --with-ldap-lib=/opt/csw/lib \
    --with-ldap-include=/opt/csw/include \
    --enable-authnz-fcgi \
    --enable-cgi \
    --enable-ssl \
    --with-ssl=/opt/csw \
    --with-ssl-lib=/opt/csw/lib \
    --with-ssl-include=/opt/csw/include \
    --with-crypto \
    --with-openssl=/opt/csw \
    --enable-modules=all \
    --enable-rewrite \
    --prefix=/codeadm/http_servers/httpd-${INSTALL_VER}

In http.conf I am setting the path to the CA cert file:

# Specify CA certificate file
LDAPTrustedGlobalCert CA_BASE64 /opt/certs/MyGlobalCACert.crt

The configuration for the directory I am trying to browse to is:

Options Indexes FollowSymLinks MultiViews Includes
AuthName "Use NIS or Active Directory Login"
AllowOverride None
LDAPReferrals Off
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile "/work/www/HT/HTpasswd.dat"
AuthGroupFile "/work/www/HT/HTgroup.dat"
AuthLDAPURL ldaps://global.corp.markco/DC=global,DC=corp,DC=markco?sAMAccountName?sub
AuthLDAPBindDN CN=aduserforread,OU=Engineering,DC=global,DC=corp,DC=markco
AuthLDAPBindPassword FakePassW0rd
Require valid-user

I have confirmed I can use the "ldapsearch" commandline tool from openldap with these values to query AD successfully.

Any thoughts on what I can do to make LDAP over SSL work?

Thanks
Mj
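
Added example, not part of the original post: a small triage script for an Apache 2.4 error log like the one above. It reports the AH01320 startup message, a later AH01695 "ldap initialization failed" entry, and any trace-level line that recorded an HTTP Basic Authorization header. The function name, finding labels and sample lines are assumptions constructed for illustration.

```python
import re

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
AH_RE = re.compile(r"\b(AH\d{5}):")
BASIC_RE = re.compile(r"\bAuthorization: Basic \S+")

# Constructed sample lines in the log format shown in the post (not the poster's data).
SAMPLE = """\
[Wed Jun 15 10:00:00.000001 2016] [ldap:info] [pid 100] AH01320: LDAP: SSL support unavailable
[Wed Jun 15 10:05:10.390491 2016] [http:trace4] [pid 200] http_request.c(396): [client 192.0.2.10:58882] Authorization: Basic ZXhhbXBsZTpleGFtcGxl
[Wed Jun 15 10:05:10.404407 2016] [authnz_ldap:debug] [pid 200] mod_authnz_ldap.c(515): [client 192.0.2.10:58882] AH01691: auth_ldap authenticate: using URL ldaps://ldap.example.test/DC=example,DC=test?sAMAccountName?sub
[Wed Jun 15 10:05:10.407802 2016] [authnz_ldap:info] [pid 200] [client 192.0.2.10:58882] AH01695: auth_ldap authenticate: user alice authentication failed; URI / [LDAP: ldap initialization failed][Unknown error]
""".splitlines()


def triage(lines):
    """Return (finding, timestamp) tuples in log order."""
    findings = []
    ssl_unavailable = False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an error-log entry
        msg = m["msg"]
        ah = AH_RE.search(msg)
        code = ah.group(1) if ah else None
        if code == "AH01320" and "SSL support unavailable" in msg:
            ssl_unavailable = True
            findings.append(("ldap-ssl-unavailable", m["ts"]))
        elif code == "AH01695" and "ldap initialization failed" in msg:
            # Record whether the startup message appeared earlier in this log.
            tag = "ldap-init-failed"
            tag += "-after-ssl-unavailable" if ssl_unavailable else ""
            findings.append((tag, m["ts"]))
        elif BASIC_RE.search(msg):
            # Header tracing records the Basic credential, which is only base64-encoded.
            findings.append(("basic-credentials-in-log", m["ts"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```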