
I installed httpd 2.4, and /etc/httpd/conf.d/ssl.conf looks like

WSGIScriptAlias /wsgi_app /trac/cgi-bin/wsgi_app.py
<Directory /trac/cgi-bin>
  Require all granted
</Directory>
WSGIScriptAlias /ldap_app /trac/cgi-bin/wsgi_app.py
<Location /ldap_app>
...
</Location>

On one physical machine, it works to access http:///wsgi_app and http:///ldap_app. I want to clone such an environment in my small virtual machine (including config files and packages), but I got an error when I tried to access the ldap_app URL. I've increased the VM's RAM from 512M to 1024M, but the problem still occurs. I turned on the 'debug' log level for httpd, but it did not help. Is there any hint to solve/trace this error? (I've checked /var/log/httpd/*.log; nothing related to this problem.)

The only difference I found that may be helpful is the last number of the log. On the physical machine's /var/log/httpd/ssl_request_log:

[14/Jul/2014:17:26:38 +0800] 192.168.2.160 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /ldap_app HTTP/1.1" 2088

On the VM's /var/log/httpd/ssl_request_log:

[14/Jul/2014:17:37:55 +0800] 192.168.2.160 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /ldap_app HTTP/1.1" 527

The /etc/httpd/conf.d/ssl.conf is:

<Location /ldap-status>
  SetHandler ldap-status
  AuthType Basic
  AuthName "LDAP Protected"
  AuthBasicProvider ldap
  AuthLDAPBindDN "CN=foo,CN=Users,DC=bar,DC=com,DC=tw"
  AuthLDAPBindPassword "pass"
  AuthLDAPURL "ldap://192.168.1.1:389/CN=Users,DC=taifex,DC=com,DC=tw?sAMAccountName?sub?(objectClass=*)"
  # Require valid-user
</Location>

If I enable Require valid-user, the following error message occurs: Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.
  • Presumably you will see something in the error_log or ssl_error_log file. You may like to employ Wireshark etc to see what LDAP queries and responses it is making. Are you sure you're using Apache 2.4 (are you using Centos 7 perhaps?). Did you try using apachectl configtest? Commented Jul 16, 2014 at 11:02

2 Answers


I encountered this issue on my RHEL 7 and CentOS 7 servers today.

It is an issue with SELinux, as correctly identified, which can be found by checking the audit log (inspiration from this post: https://serverfault.com/questions/343850/apache-httpd-with-ldap-error-in-centos), and irritatingly not in any Apache log!

grep -m 1 httpd /var/log/audit/audit.log | audit2why

returns

type=AVC msg=audit(1447030307.379:374): avc:  denied  { name_connect } for  pid=1132 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1447030307.379:374): arch=c000003e syscall=42 success=no exit=-13 a0=18 a1=7f0e86f6aa30 a2=10 a3=0 items=0 ppid=1029 pid=1132 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Switching SELinux off, however, is not the answer.

SELinux has a number of configuration options that are applied to the httpd process; a full list can be found by running:

getsebool -a | grep httpd

One such configuration option is httpd_can_connect_ldap, which defaults to off. Running the following as root:

setsebool -P httpd_can_connect_ldap on

permits the httpd process to access LDAP servers on the standard ports.
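As an added example (not part of the answer above or of any SELinux tooling), a small POSIX shell helper that scans audit-log lines for exactly the denial shown here, an httpd_t process refused name_connect to a port labelled ldap_port_t, and prints the targeted boolean to set instead of disabling SELinux. The audit lines below are constructed for the demo; the function names ldap_avc_fix and ldap_bool_state are my own.

```shell
#!/bin/sh
# Constructed sample audit lines: the first is the denial from the answer,
# the second is an unrelated httpd_t denial that must NOT trigger the fix.
SAMPLE_AUDIT='type=AVC msg=audit(1447030307.379:374): avc:  denied  { name_connect } for  pid=1132 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1447030400.100:380): avc:  denied  { read } for  pid=1140 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# ldap_avc_fix: read audit lines on stdin (e.g. from /var/log/audit/audit.log),
# keep only AVC denials where httpd_t is refused name_connect to ldap_port_t,
# and print the boolean that resolves them. Exit 0 if found, 1 otherwise.
ldap_avc_fix() {
    awk '
      /type=AVC/ && /denied/ && /name_connect/ &&
      /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:ldap_port_t:/ {
          # dest=NNN is the destination port the connect() was refused to
          for (i = 1; i <= NF; i++)
              if ($i ~ /^dest=/) { sub(/^dest=/, "", $i); port = $i }
          found++
      }
      END {
          if (found) {
              printf "%d denial(s): httpd_t -> ldap_port_t name_connect (dest port %s)\n", found, port
              print "fix: setsebool -P httpd_can_connect_ldap on"
              exit 0
          }
          exit 1
      }'
}

# ldap_bool_state: show the boolean's current value where getsebool exists;
# on a host without SELinux tools it reports that instead of failing.
ldap_bool_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_can_connect_ldap
    else
        echo "httpd_can_connect_ldap: unavailable (no getsebool on this host)"
    fi
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | ldap_avc_fix
ldap_bool_state
```

On a real host, feed the live log instead: `ldap_avc_fix < /var/log/audit/audit.log`, then confirm with `ldap_bool_state` after applying the setsebool line.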


Disabling SELinux will make it work. (A bad method, but it works. In my question, the working machine has SELinux turned on.)

Edit /etc/selinux/config and reboot:

SELINUX=disabled
