Encountered user not being able to login on a newly configured system. All attempts to login with seemingly right credentials were failing.
The httpd error_log had records like this:
user user1: authentication failure for "/": Password Mismatch
As it turned out - all users had this problem, and the users' credentials were totally fine in the Active Directory.
Unfortunately my httpd-2.2 does not seem to have debug components for mod_ldap, it had been added in 2.4 (if to trust stackoverflow topic
So, the easiest way was to try the ldapsearch Linux command line tool. The problem popped right up showing the problem was with binding credentials. The command line looked like this:
ldapsearch -H ldap://mydc:3268 -D "CN=ldap_user,OU=LDAP Auth,dc=mydc" -s base "(ojectclass=*)"
The httpd config mapping is quite obvious:
AuthLDAPURL "ldap://mydc:3268/?sAMAccountName?sub" to -H ldap://mydc:3268
AuthLDAPBindDN "CN=ldap_user,OU=LDAP Auth,dc=mydc" to -D "CN=ldap_user,OU=LDAP Auth,dc=mydc"
AuthLDAPBindPassword pass can go to -w pass
Lessons learned:
- "Password Mismatch" error records in httpd error_log for individual users does not necessarily mean that the issue is with their passwords, that rather means the whole auth bind does not work.
- Be very careful with the AuthLDAPBindDN - it must be the exact path. Do not confuse Organizational Units (OU) with Groups, or with anything else.