Debug Apache mod_ldap Password Mismatch
Posted 2016-03-23, 0:07 AM

Encountered a user not being able to log in on a newly configured system. All attempts to log in with seemingly correct credentials were failing.

The httpd error_log had records like this:

user user1: authentication failure for "/": Password Mismatch

As it turned out, all users had this problem, and the users' credentials were perfectly fine in Active Directory.

Unfortunately, my httpd 2.2 does not seem to have debug logging for mod_ldap; it was added in 2.4 (if the stackoverflow topic is to be trusted).

So, the easiest way was to try the ldapsearch Linux command-line tool. The problem popped right up: it was the binding credentials, not the users. The command line looked like this:

ldapsearch -x -H ldap://mydc:3268 -D "CN=ldap_user,OU=LDAP Auth,dc=mydc" -w pass -s base "(objectclass=*)"

The httpd directives map to the ldapsearch options quite obviously:
AuthLDAPURL "ldap://mydc:3268/?sAMAccountName?sub" -> -H ldap://mydc:3268
AuthLDAPBindDN "CN=ldap_user,OU=LDAP Auth,dc=mydc" -> -D "CN=ldap_user,OU=LDAP Auth,dc=mydc"
AuthLDAPBindPassword pass -> -w pass

Lessons learned:

  1. "Password Mismatch" records in the httpd error_log for individual users do not necessarily mean that the issue is with their passwords; it rather means that the bind with the configured service account does not work at all.
  2. Be very careful with the AuthLDAPBindDN: it must be the exact path. Do not confuse Organizational Units (OU) with Groups, or with anything else.
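Putting the directive mapping and lesson 1 together, as an added example (not from the original post): a POSIX shell script that rebuilds the ldapsearch bind check from the AuthLDAP* directives of an httpd config and counts how many distinct users hit "Password Mismatch" in an error_log. The config file, the log lines and the temp paths below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Sample config and log are constructed.

conf_value() {
    # Print the value of directive $1 from httpd config $2, surrounding quotes removed.
    awk -v d="$1" '$1 == d { sub("^[ \t]*" d "[ \t]+", ""); gsub(/^"|"$/, ""); print; exit }' "$2"
}

ldap_host_from_url() {
    # AuthLDAPURL is scheme://host:port/basedn?attr?scope?filter; -H wants scheme://host:port.
    printf '%s\n' "$1" | sed -E 's#^([a-z]+://[^/]+).*$#\1#'
}

ldap_bind_cmd() {
    # The bind mod_authnz_ldap performs, as a printed ldapsearch command (not executed here).
    # -x forces a simple bind; a base-scope search with an empty base reads the rootDSE,
    # so the query only succeeds when the service-account bind itself succeeded.
    host=$(ldap_host_from_url "$(conf_value AuthLDAPURL "$1")")
    dn=$(conf_value AuthLDAPBindDN "$1")
    pw=$(conf_value AuthLDAPBindPassword "$1")
    printf 'ldapsearch -x -H %s -D "%s" -w %s -s base "(objectclass=*)"\n' "$host" "$dn" "$pw"
}

mismatch_users() {
    # Number of distinct users with "Password Mismatch" in error_log $1. Several different
    # users failing at once points at the bind DN/password, not at the users (lesson 1).
    grep 'authentication failure for .*Password Mismatch' "$1" \
        | sed -E 's/.*user ([^:]+): authentication failure.*/\1/' | sort -u | awk 'END { print NR }'
}

# Constructed sample input mirroring the post (httpd 2.2 error_log format).
conf=$(mktemp); log=$(mktemp)
trap 'rm -f "$conf" "$log"' EXIT
cat >"$conf" <<'EOF'
AuthLDAPURL "ldap://mydc:3268/?sAMAccountName?sub"
AuthLDAPBindDN "CN=ldap_user,OU=LDAP Auth,dc=mydc"
AuthLDAPBindPassword pass
EOF
cat >"$log" <<'EOF'
[Wed Mar 23 00:01:02 2016] [error] [client 10.0.0.5] user user1: authentication failure for "/": Password Mismatch
[Wed Mar 23 00:01:09 2016] [error] [client 10.0.0.6] user user2: authentication failure for "/": Password Mismatch
[Wed Mar 23 00:01:15 2016] [error] [client 10.0.0.5] user user1: authentication failure for "/": Password Mismatch
EOF

ldap_bind_cmd "$conf"
echo "distinct users with Password Mismatch: $(mismatch_users "$log")"
```

Run the printed command by hand; if it fails with an invalid-credentials error, the AuthLDAPBindDN or AuthLDAPBindPassword is wrong, regardless of which users appear in error_log.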
Added by: ep | Tags: LDAP, httpd, Linux