Posted to users@httpd.apache.org by Marshall Httpd <ht...@gmail.com> on 2014/04/15 21:55:57 UTC

[users@httpd] auth_ldap fails after upgrading to 2.4.9

Hi,

Our httpd.exe was recently upgraded from 2.4.6 to 2.4.9.  But, when that
happened, some of our users can no longer authenticate via LDAP.  By
"some", I mean that we have 2 domains.  Users from one domain are fine, but
users in the 2nd domain can no longer authenticate.

E.g. AD\steve can authenticate fine; but DOMAIN\dev.frank now gets
"authentication failed"

The general error goes something like:
[authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888]
AH01695: auth_ldap authenticate: user dev.frank authentication failed; URI
/svn/databaseProject [User not found][No Such Object]

Has anyone experienced such a thing before?  And/or know of the fix?

Full disclosure:  httpd.exe was upgraded by way of our CollabNet Subversion
Edge upgrade.  I posed my question there first of course; but this really
does seem like it's a httpd issue.  And thus, here I am.
I captured a great deal of logging information along with configuration
settings in their forums.  It's available here:
https://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=517643


Thank you,
Marshall

Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Marshall Httpd <ht...@gmail.com>.
Er, um, hemming and hawing.  Can't I be lazy? Pouting in corner :)

Ok, I have my coffee now; much better.

Eric, first off, many many thanks for your assistance.

One last question, possibly.

It looks like I'm going to have to install some type of testbed in order to
debug httpd.exe 2.4.9 as compared to 2.4.6.
Considering I'm on a 64-bit Windows 2008 R2 Server, SP1, I need a
simplified test setup to help debug this issue.

E.g. test-ldap-auth-through-httpd.exe  [user-name] [password]

The wrinkle here is having 2 httpd.exe's going at the same time.  This
machine is hosting our subversion repositories.  So, as I may have
mentioned before, I had to downgrade that back to a version that works
(it's using httpd 2.4.6).  To me (non-IT person), this would introduce an
element that would cloud the debugging.  So, I'd probably want to do this
debugging after hours in order to shut down the subversion server while
testing with httpd.exe 2.4.9.

I'm guessing the best of both worlds would be to have some type of
test-ldap-auth-through-httpd.exe that is self-contained, where I don't have
to start a webserver in order to test the ldap authentication.

OK, so, after all that rambling:  do you have a recommendation for a test
application/setup?

--
Marshall


Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Eric Covener <co...@gmail.com>.
Still striking out. Any chance you can force it to use non-ssl ldap
and capture the traffic with wireshark to see how the queries differ?

I mistook the one long log line as the lookup, but it's just the configured URL.




-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Marshall Httpd <ht...@gmail.com>.
Ahh, sure thing.

===== httpd.exe 2.4.6 =====

[Wed Apr 16 07:54:05.108585 2014] [ssl:info] [pid 1216:tid 972] [client
100.200.300.401:60878] AH01964: Connection to child 63 established (server
xxxdev.xxx.example.edu:443)
[Wed Apr 16 07:54:05.109585 2014] [ssl:debug] [pid 1216:tid 972]
ssl_engine_kernel.c(1956): [client 100.200.300.401:60878] AH02043: SSL
virtual host for servername xxxdev.xxx.example.edu found
[Wed Apr 16 07:54:05.252599 2014] [ssl:debug] [pid 1216:tid 972]
ssl_engine_kernel.c(1886): [client 100.200.300.401:60878] AH02041:
Protocol: TLSv1.2, Cipher: RC4-SHA (128/128 bits)
[Wed Apr 16 07:54:05.254599 2014] [ssl:debug] [pid 1216:tid 972]
ssl_engine_kernel.c(215): [client 100.200.300.401:60878] AH02034: Initial
(No.1) HTTPS request received for child 63 (server
xxxdev.xxx.example.edu:443)
[Wed Apr 16 07:54:05.254599 2014] [authz_core:debug] [pid 1216:tid 972]
mod_authz_core.c(799): [client 100.200.300.401:60878] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Wed Apr 16 07:54:05.254599 2014] [authz_core:debug] [pid 1216:tid 972]
mod_authz_core.c(799): [client 100.200.300.401:60878] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 16 07:54:05.256599 2014] [ssl:debug] [pid 1216:tid 972]
ssl_engine_kernel.c(215): [client 100.200.300.401:60878] AH02034:
Subsequent (No.2) HTTPS request received for child 63 (server
xxxdev.xxx.example.edu:443)
[Wed Apr 16 07:54:05.256599 2014] [authz_core:debug] [pid 1216:tid 972]
mod_authz_core.c(799): [client 100.200.300.401:60878] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Wed Apr 16 07:54:05.257599 2014] [authz_core:debug] [pid 1216:tid 972]
mod_authz_core.c(799): [client 100.200.300.401:60878] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 16 07:54:05.257599 2014] [authnz_ldap:debug] [pid 1216:tid 972]
mod_authnz_ldap.c(500): [client 100.200.300.401:60878] AH01691: auth_ldap
authenticate: using URL ldaps://
ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_Operators,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)))
[Wed Apr 16 07:54:05.301604 2014] [authnz_ldap:debug] [pid 1216:tid 972]
mod_authnz_ldap.c(592): [client 100.200.300.401:60878] AH01697: auth_ldap
authenticate: accepting dev.frank
[Wed Apr 16 07:54:05.301604 2014] [authz_svn:debug] [pid 1216:tid 972]
mod_authz_svn.c(387): [client 100.200.300.401:60878] Path to authz file is
C:/Program Files/subversionEdge/data/conf/svn_access_file
[Wed Apr 16 07:54:05.302604 2014] [authz_svn:info] [pid 1216:tid 972]
[client 100.200.300.401:60878] Access granted: 'dev.frank' OPTIONS
databaseProject:/



===== httpd.exe 2.4.9 =====

[Tue Apr 15 09:11:43.430420 2014] [ssl:info] [pid 4844:tid 1040] [client
100.200.300.401:55888] AH01964: Connection to child 52 established (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:43.431420 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(1920): [client 100.200.300.401:55888] AH02043: SSL
virtual host for servername xxxdev.xxx.example.edu found
[Tue Apr 15 09:11:43.575435 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(1850): [client 100.200.300.401:55888] AH02041:
Protocol: TLSv1.2, Cipher: RC4-SHA (128/128 bits)
[Tue Apr 15 09:11:43.577435 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(226): [client 100.200.300.401:55888] AH02034: Initial
(No.1) HTTPS request received for child 52 (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:43.577435 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55888] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Tue Apr 15 09:11:43.577435 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55888] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:43.579435 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(226): [client 100.200.300.401:55888] AH02034:
Subsequent (No.2) HTTPS request received for child 52 (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:43.579435 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55888] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Tue Apr 15 09:11:43.579435 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55888] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:43.579435 2014] [authnz_ldap:debug] [pid 4844:tid 1040]
mod_authnz_ldap.c(500): [client 100.200.300.401:55888] AH01691: auth_ldap
authenticate: using URL ldaps://
ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_Operators,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)))
[Tue Apr 15 09:11:43.585436 2014] [authnz_ldap:info] [pid 4844:tid 1040]
[client 100.200.300.401:55888] AH01695: auth_ldap authenticate: user
dev.frank authentication failed; URI /svn/databaseProject [User not
found][No Such Object]


Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Eric Covener <co...@gmail.com>.
On Tue, Apr 15, 2014 at 5:36 PM, Marshall Httpd
<ht...@gmail.com> wrote:
> Logging differences, sure thing...


I meant between 2.4.6 and 2.4.9 for the user that fails under 2.4.9.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Marshall Httpd <ht...@gmail.com>.
Hey Eric,

Yeah, I _just_ ran across the "mod_ldap: When looking up sub-groups, use an
implicit objectClass=* instead of an explicit cn=* filter." for 2.4.7.
I just haven't wrapped my head around it just yet.  Nor have I found the
bug fix entry for this in https://issues.apache.org

> Can you summarize how the logging differs in the two releases?

Logging differences, sure thing...

Using the steve (success) and dev.frank (failure) examples before; they
both start off with...

[Tue Apr 15 09:11:10.320110 2014] [ssl:info] [pid 4844:tid 1040] [client
100.200.300.401:55884] AH01964: Connection to child 52 established (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.321110 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(1920): [client 100.200.300.401:55884] AH02043: SSL
virtual host for servername xxxdev.xxx.example.edu found
[Tue Apr 15 09:11:10.541132 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(1850): [client 100.200.300.401:55884] AH02041:
Protocol: TLSv1.2, Cipher: RC4-SHA (128/128 bits)
[Tue Apr 15 09:11:10.543132 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(226): [client 100.200.300.401:55884] AH02034: Initial
(No.1) HTTPS request received for child 52 (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.543132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Tue Apr 15 09:11:10.543132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [ssl:debug] [pid 4844:tid 1040]
ssl_engine_kernel.c(226): [client 100.200.300.401:55884] AH02034:
Subsequent (No.2) HTTPS request received for child 52 (server
xxxdev.xxx.example.edu:443)
[Tue Apr 15 09:11:10.545132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of Require valid-user : denied (no authenticated user
yet)
[Tue Apr 15 09:11:10.545132 2014] [authz_core:debug] [pid 4844:tid 1040]
mod_authz_core.c(799): [client 100.200.300.401:55884] AH01626:
authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Apr 15 09:11:10.545132 2014] [authnz_ldap:debug] [pid 4844:tid 1040]
mod_authnz_ldap.c(500): [client 100.200.300.401:55884] AH01691: auth_ldap
authenticate: using URL ldaps://
ad.example.edu:636/DC=ad,DC=example,DC=edu?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)(memberOf=CN=dev_Admins,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=ad,DC=example,DC=edu)(memberOf=CN=dev_Operators,OU=AdminGroups,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,DC=domain,DC=ad,DC=example,DC=edu)))

But then, for steve the next line is:
[Tue Apr 15 09:11:10.551133 2014] [authnz_ldap:debug] [pid 4844:tid 1040]
mod_authnz_ldap.c(592): [client 100.200.300.401:55884] AH01697: auth_ldap
authenticate: accepting steve

Whereas for dev.frank, it's:
[Tue Apr 15 09:11:43.585436 2014] [authnz_ldap:info] [pid 4844:tid 1040]
[client 100.200.300.401:55888] AH01695: auth_ldap authenticate: user
dev.frank authentication failed; URI /svn/databaseProject [User not
found][No Such Object]

Did that help?

> Would you be able to rebuild a patch, or ask your vendor to try
> selectively removing some of the recent LDAP changes?

I don't think they are willing to do this.  You can see for yourself from
the original forum post; but they have done testing on their side and it
works for them.  Thus, they have pointed me in the direction of httpd.

Am I willing?  Er, yes.  Just have to find the time and figure out
_exactly_ how/what needs to be compiled for me to do testing.  The ideal
situation would be for me to isolate httpd and just authenticate through it
somehow using my CollabNet Subversion Edge settings for LDAP.


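Marshall's wish for a self-contained way to exercise the LDAP lookup without running httpd can be met by replaying the search httpd logs at AH01691. The Python below is an added example, not httpd's or CollabNet's code: it parses that URL into base DN, attribute, scope and filter, builds the filter mod_authnz_ldap sends for a given login name (its documented (&(<url filter>)(<attribute>=<user>)) construction, with the AuthLDAPURL defaults from the httpd docs), and prints an equivalent ldapsearch command. The sample log line is constructed from the thread with the group list shortened, and the bind DN is a placeholder.

```python
"""Rebuild the LDAP search that mod_authnz_ldap runs from an AH01691
'auth_ldap authenticate: using URL ...' log line, so the same query can be
replayed with a standalone client such as ldapsearch, without httpd.

Added example for this thread, not httpd code. The filter construction
follows mod_authnz_ldap's documented behaviour: the AuthLDAPURL filter is
combined with the login name as (&(<url filter>)(<attribute>=<user>)), with
LDAP filter metacharacters in the user name escaped."""

import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the AH01691 line from the thread, unwrapped and with
# the group list shortened to one memberOf clause.
SAMPLE_LOG_LINE = (
    "[Tue Apr 15 09:11:43.579435 2014] [authnz_ldap:debug] [pid 4844:tid 1040] "
    "mod_authnz_ldap.c(500): [client 100.200.300.401:55888] AH01691: auth_ldap "
    "authenticate: using URL ldaps://ad.example.edu:636/DC=ad,DC=example,DC=edu"
    "?samAccountName?sub?(&(objectCategory=person)(|(CN=xxxtech)"
    "(memberOf=CN=dev_admins,OU=Groups,OU=dev,OU=EDUCATION,OU=DOMAINS,"
    "DC=ad,DC=example,DC=edu)))"
)

# RFC 4515 metacharacters and the escapes mod_authnz_ldap substitutes for
# them when it appends the login name to the filter.
_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c"}


def extract_ldap_url(log_line):
    """Return the ldap:// or ldaps:// URL after 'using URL', or None."""
    m = re.search(r"using URL (ldaps?://\S+)", log_line)
    return m.group(1) if m else None


def parse_ldap_url(url):
    """Split an RFC 4516 URL (ldap[s]://host[:port]/<base>?<attr>?<scope>?<filter>)
    into search parameters, applying AuthLDAPURL's documented defaults:
    attribute uid, scope sub (base is treated as sub), filter (objectClass=*)."""
    parts = urlsplit(url)
    fields = (parts.query.split("?", 3) + ["", "", ""])[:3]
    scope = fields[1].lower()
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": unquote(fields[0]) or "uid",
        "scope": "one" if scope == "one" else "sub",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def escape_user(user):
    """Escape the login name as mod_authnz_ldap does before inserting it."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in user)


def effective_filter(url_filter, attribute, user):
    """The filter httpd actually sends: the URL filter (outer parens removed,
    as httpd strips them when parsing AuthLDAPURL) AND-ed with attr=user."""
    inner = url_filter
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return "(&(%s)(%s=%s))" % (inner, attribute, escape_user(user))


def ldapsearch_command(search, user):
    """Equivalent OpenLDAP ldapsearch invocation. The bind DN is a placeholder
    the operator fills in (the AuthLDAPBindDN httpd uses); -W prompts for
    its password so nothing secret lands on the command line."""
    filt = effective_filter(search["filter"], search["attribute"], user)
    return ("ldapsearch -x -H %s://%s:%d -D '<bind DN>' -W -b '%s' -s %s '%s' %s"
            % (search["scheme"], search["host"], search["port"],
               search["base_dn"], search["scope"], filt, search["attribute"]))


if __name__ == "__main__":
    search = parse_ldap_url(extract_ldap_url(SAMPLE_LOG_LINE))
    for key, value in search.items():
        print("%-10s %s" % (key, value))
    print(ldapsearch_command(search, "dev.frank"))
```

Running the printed ldapsearch once per httpd version's AuthLDAPURL, for a user from each domain, shows whether the directory itself returns the entry or a referral for the failing domain before httpd's bind step is even reached.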

Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Eric Covener <co...@gmail.com>.
On Tue, Apr 15, 2014 at 4:38 PM, Eric Covener <co...@gmail.com> wrote:
> Can you summarize how the logging differs in the two releases?
>
>
> Here are two candidates:
>
>   *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
>      instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]

This one is n/a because it's authorization.



Re: [users@httpd] auth_ldap fails after upgrading to 2.4.9

Posted by Eric Covener <co...@gmail.com>.
Can you summarize how the logging differs in the two releases?


Here are two candidates:

  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]

  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
     default, sans rebind authentication callback.
     [Jan Kaluza <kaluze AT redhat.com>]

Would you be able to rebuild a patch, or ask your vendor to try
selectively removing some of the recent LDAP changes?




-- 
Eric Covener
covener@gmail.com
