[CentOS] apache mod_authnzldap against Active Directory

Thu Oct 25 19:21:25 UTC 2007
David Nalley <davidn at keymarkinc.com>

Hey guys, I am running CentOS 5 with httpd 2.2.3.
I am trying to configure mod_authnzldap authing against Active Directory and I have it working about 50% of the time.
About 50% of the time this works with no issue, the rest of the time it fails.
Sometimes it fails and notes the following in the error log:

[Mon Oct 22 15:58:03 2007] [debug] mod_authnz_ldap.c(373): [client 10.XXX.XX.XXX] [13379] auth_ldap authenticate: using URL ldap://10.XX.XX.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 15:58:03 2007] [warn] [client 10.xxx.xx.xxx] [13379] auth_ldap authenticate: user special authentication failed; URI /logo.gif [ldap_search_ext_s() for user failed][Operations error]


Other times it prints the following, but nothing after that (and CPU usage skyrockets to 100% of a single CPU):

[Mon Oct 22 16:08:11 2007] [debug] mod_authnz_ldap.c(373): [client 10.XX.XXX.XX] [13437] auth_ldap authenticate: using URL ldap://10.XX.X.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)


In capturing the packets I see that it binds successfully several times and then tries to authenticate. The AD box returns:

LDAPMessage searchResDone(5) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece) [0 results]

None of the binds that occur in the capture failed though (all the bind responses reported success).

The appropriate (anonymized) lines from httpd.conf are: 

# change the Location path as needed
<Location /logo.gif>
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthType Basic
AuthzLdapAuthoritative off
AuthName "BackupPC login"
AuthLDAPBindDN ldapb at centos.org
AuthLDAPBindPassword myformerlysecretpasswordpostedtoworld
AuthLDAPURL "ldap://10.XX.XX.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)" NONE
require valid-user
</Location>


I have debug turned on. On startup I get: 

[root at backuppc httpd]# service httpd start
Starting httpd: [Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(849): [13375] auth_ldap url parse: `ldap://10.XX.X.XXX:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)'
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(858): [13375] auth_ldap url parse: Host: 10.XX.XX.XXX:389
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(860): [13375] auth_ldap url parse: Port: 389
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(862): [13375] auth_ldap url parse: DN: DC=centos,DC=org
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(864): [13375] auth_ldap url parse: attrib: sAMAccountName
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(866): [13375] auth_ldap url parse: scope: subtree
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(871): [13375] auth_ldap url parse: filter: (objectClass=*)
[Mon Oct 22 15:53:31 2007] [debug] mod_authnz_ldap.c(951): LDAP: auth_ldap not using SSL connections
                                                           [  OK  ]
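Added example, not from the original post or the CentOS list: a small Python parser for the mod_authnz_ldap error_log lines quoted above. It pairs each "using URL" debug line with the next outcome logged by the same httpd child pid, so that "Operations error" failures and attempts that never log any outcome (the CPU-spin case in the post) can be counted over a whole log. The sample log is constructed (made-up IPs), and the "accepting <user>" success message is an assumption about the module's debug output, not something shown in the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the post (IPs made up);
# the "accepting <user>" success line is an assumed message, not from the post.
SAMPLE_LOG = """\
[Mon Oct 22 15:58:03 2007] [debug] mod_authnz_ldap.c(373): [client 10.0.0.1] [13379] auth_ldap authenticate: using URL ldap://10.0.0.2:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 15:58:03 2007] [warn] [client 10.0.0.1] [13379] auth_ldap authenticate: user special authentication failed; URI /logo.gif [ldap_search_ext_s() for user failed][Operations error]
[Mon Oct 22 16:01:40 2007] [debug] mod_authnz_ldap.c(373): [client 10.0.0.1] [13380] auth_ldap authenticate: using URL ldap://10.0.0.2:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
[Mon Oct 22 16:01:40 2007] [debug] mod_authnz_ldap.c(480): [client 10.0.0.1] [13380] auth_ldap authenticate: accepting special
[Mon Oct 22 16:08:11 2007] [debug] mod_authnz_ldap.c(373): [client 10.0.0.1] [13437] auth_ldap authenticate: using URL ldap://10.0.0.2:389/DC=centos,DC=org?sAMAccountName?sub?(objectClass=*)
"""

# One error_log line: timestamp, level, optional source ref, client, child pid, message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:mod_authnz_ldap\.c\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] auth_ldap authenticate: (?P<msg>.*)$"
)

def classify_attempts(log_text):
    """Pair each 'using URL' line with the next outcome logged by the same
    child pid. Returns [(pid, outcome)] with outcome 'ok', 'failed:<reason>'
    or 'no_result' when the attempt never logged an outcome at all."""
    in_flight = set()
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("using URL"):
            if pid in in_flight:            # earlier attempt never concluded
                results.append((pid, "no_result"))
            in_flight.add(pid)
        elif pid in in_flight:
            if "authentication failed" in msg:
                reason = re.search(r"\[([^\]]*)\]\s*$", msg)   # last [...] group
                results.append((pid, "failed:" + (reason.group(1) if reason else "unknown")))
            elif msg.startswith("accepting"):
                results.append((pid, "ok"))
            else:
                continue
            in_flight.discard(pid)
    # Attempts still open at end of log: the request hung or never finished.
    results.extend((pid, "no_result") for pid in sorted(in_flight))
    return results

def outcome_counts(log_text):
    """Tally outcomes so an 'Operations error' rate or hung attempts stand out."""
    return Counter(outcome for _, outcome in classify_attempts(log_text))
```

Run it against a real error_log with LogLevel debug and a rising count of no_result entries points at the hang, while failed:Operations error entries correspond to the searchResDone operationsError seen in the packet capture.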