can't figure out why apache LDAP auth fails

41,608

Solution 1

A packet trace from the httpd server/LDAP client revealed a message about the CA being unknown.

TLSv1 Alert (Level: Fatal, Description: Unknown CA)

I found and added the following option to my httpd.conf:

  LDAPVerifyServerCert          off

That fixed my issue under CentOS 6. The CentOS 5 httpd servers did not require any modification and had worked all along without the option.

Solution 2

I have had an issue similar to this before with AD on Windows 2003: the solution I found was to not bind using the full DN but instead use the user@domain syntax:

AuthLDAPBindDN [email protected]

Solution 3

You might want to check the clock of the servers. If the time difference is more than a couple of minutes, the authentication ticket will be invalid.

Although this is not exactly the error message, the 'the other server suddenly gets the same problem' part might indicate such a problem.

Solution 4

I have a similar problem, which I've identified by running this command:

openssl s_client -connect $ldap_host:636 -state -nbio 2>&1

I think mod_ldap uses openssl underneath, so this should be fairly consistent for debugging.

I compared it against another SSL encrypted server I knew was working. A properly verified SSL connection will show a chain going to a root CA and return 0. A failure of SSL verification will give a number and reason. You can use the output to determine what's going wrong.

In my case, the LDAP server certs are signed by Verisign, which uses Intermediate CA certs. OpenSSL is unable to verify the cert and the connection is refused ("connection refused by server" is unhelpful).
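Added here as an editor's example, not code from any of the answers above: a small POSIX shell helper set that audits an httpd.conf fragment for the weakened setting from Solution 1 (turning server certificate verification off) and reduces the `openssl s_client` output from Solution 4 to its verify return code and the number of certificates the server sent, so a missing intermediate CA is visible at a glance. File paths, hostnames and the sample s_client output are constructed placeholders.

```shell
#!/bin/sh
# Added example; paths and hosts are placeholders. Assumes POSIX sh, grep, sed, openssl.

# Classify an httpd.conf fragment (stdin) by how it treats the LDAPS server cert.
audit_ldap_tls() {
  conf=$(cat)
  if printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*LDAPVerifyServerCert[[:space:]]+off'; then
    echo WEAK      # any certificate accepted: bind credentials could go to an impostor
  elif printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*LDAPTrustedGlobalCert[[:space:]]+CA_'; then
    echo OK        # verification on and the issuing CA chain configured explicitly
  else
    echo NOTRUST   # verification on, but trust depends on the system CA store
  fi
}

# Reduce captured s_client output (stdin) to "code reason" from its verify line.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\))$/\1 \2/p' | head -n 1
}

# Count certificates in `openssl s_client -showcerts` output (stdin).
# 1 means the server sent only its leaf: the missing-intermediate case of Solution 4.
chain_depth() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Live check against HOST:636 with an explicit CA bundle (placeholder default path),
# the way Solution 4 compares against a known-good server.
check_ldaps() {
  host=$1; cafile=${2:-/etc/pki/tls/certs/ca-bundle.crt}
  out=$(printf '' | openssl s_client -connect "$host:636" -servername "$host" \
          -showcerts -CAfile "$cafile" 2>&1)
  echo "certs in chain: $(printf '%s\n' "$out" | chain_depth)"
  echo "verify:         $(printf '%s\n' "$out" | verify_code)"
}

# Hardened counterpart to Solution 1's `LDAPVerifyServerCert off` (server-level
# httpd.conf, placeholder path): trust the issuing chain instead of disabling checks.
#   LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca-chain.pem
#   LDAPVerifyServerCert on

# Constructed sample: a server that sends only its leaf certificate.
SAMPLE_SCLIENT='-----BEGIN CERTIFICATE-----
MIIB...placeholder, not a real certificate...
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'
```

Run `check_ldaps ldap.example.com /path/to/ca-chain.pem` to see both numbers for a real endpoint; a depth of 1 with code 21 points at the intermediate, not the root, being the missing piece.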

Solution 5

Do you have access to the logs from your LDAP server? They might be helpful in troubleshooting this problem.


Author: SethG (updated on September 17, 2022)

Comments

  • SethG, almost 2 years

    Suddenly, yesterday, one of my apache servers became unable to connect to my LDAP (AD) server. I have two sites running on that server, both of which use LDAP to auth against my AD server when a user logs in to either site. It had been working fine two days ago. For reasons unknown, as of yesterday, it stopped working. The error log only says this:

    auth_ldap authenticate: user foo authentication failed; URI /FrontPage [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server], referer: http://mysite.com/
    

    I thought perhaps my self-signed SSL cert had expired, so I created a new one for mysite.com, but not for the server hostname itself, and the problem persisted. I enabled debug-level logging. It shows the full SSL transaction with the LDAP server, and it appears to complete without errors until the very end when I get the "Can't contact LDAP server" message. I can run ldapsearch from the commandline on this server, and I can login to it, which also uses LDAP, so I know that the server can connect to and query the LDAP/AD server. It is only apache that cannot connect.

    Googling for an answer has turned up nothing, so I'm asking here. Can anybody provide insight to this problem?

    Here's the LDAP section from the apache config:

    <Directory "/web/wiki/">
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Login"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        #AuthBasicAuthoritative off
        AuthLDAPUrl ldaps://domain.server.ip/dc=full,dc=context,dc=server,dc=name?sAMAccountName?sub
        AuthLDAPBindDN cn=ldapbinduser,cn=Users,dc=full,dc=context,dc=server,dc=name
        AuthLDAPBindPassword password
        require valid-user
    </Directory>
    
    • Rahim, over 14 years
      Funny enough, I had one Apache 2 server that authenticated against LDAP which was working fine for months, then just last week started exhibiting this exact same problem! I can't for the life of me figure out what it is, I've tried all sorts of things. Going to watch this question.
  • SethG, over 14 years
    LDAP server is actually a Windows AD server. I checked in the event logs, didn't find anything useful. Not even any indication that the apache server even tried to connect.
  • Eric Dennis, over 14 years
    You should verify that the Apache server is actually sending the LDAP request to the AD server; it's possible that something is preventing the LDAP request from making it to the AD server at all. If you have enough privileges on the Windows machine, you can run Wireshark to verify that the LDAP request is actually making its way to AD properly. If it isn't, then check network and firewalls in between the two servers. Are you running iptables on the Apache server?
  • dmourati, about 11 years
    This answer just won me a beer. A colleague ran into this issue and I happened to overhear him complaining about why his newly minted Debian server could not connect to our LDAP server. I IM'd him this link and his problem was immediately solved.
  • AnrDaemon, almost 8 years
    Plus many. This answer really saved my hide.