Posted to users@httpd.apache.org by Mike Sandells <M....@liverpool.ac.uk> on 2015/07/15 17:51:59 UTC

[users@httpd] Odd behaviour with LDAP authentication

We have a server running Apache 2.4.9 64bit, on Win server 2008 R2.

Mostly, this works fine, but there is a recurring problem with LDAP
authentication to our active directory domain.

LDAP authentication is done using an access control file with this sort
of content:

Authname "LDAP Test"
Authtype basic
AuthBasicProvider ldap
LDAPReferrals Off

AuthLDAPBindDN "[DN of our service account]"
AuthLDAPBindPassword [password of service account]

AuthLDAPURL ldap://[ourdomain]:389/OU=[some ou]?sAMAccountName?sub?(objectclass=User)
Require valid-user

Every so often (once a month, roughly), this will stop working, with the
effect that users are prompted to enter their credentials again, (and
again, and again) even if valid credentials were provided. Eventually
they give up and get a 401 error.

My understanding of how this works (when it works) is that the binddn
and bind password allow apache to look up the context of the username
provided by the user, and to then bind as that user using the password
that the user provided. i.e. a working authentication is a two-stage
process involving an initial bind as the service account followed by a
bind as the user in question.

I've done packet traces of the server in both a working and non-working
state, and it appears that what is failing is the bind as the service
account.

i.e. every so often, binding as the service account stops working, and
continues to not work until the server is restarted. It never gets as
far as attempting to bind with the password the user provided, but
doesn't count this as an internal server error, and returns a 401.

Restarting the server fixes the problem, which makes it difficult to say
that there's anything amiss with the access control files or the server
configuration generally, or the service account.

One possibility that occurred to me was a stray access control file
somewhere with an incorrect password for the service account, that was
causing the account to be locked out for bad password attempts, but the
service account isn't locked while the problem occurs; restarting the
server fixes it immediately; and the account has a bad password count of
zero. I'm also unable to find any access control files with invalid
details.

I've not spotted any pattern in the times when this has recurred - it's
roughly once a month, but not that regular.

Anyone any ideas or suggestions as to what might be causing the problem,
or how to get more useful diagnostics the next time this happens?


As a temporary measure, I've added a hosts file entry to the server such
that [ourdomain] always resolves to a particular domain controller that
I have reason to think works. But I have no reason to suspect any of our
domain controllers as being at fault, and have done test LDAP lookups
against all of them to test access.


Mike
-- 
Mike Sandells
The University of Liverpool - Computing Services Department
Email: mikejs@liv.ac.uk (Preferred) -  Phone: 0151 794 4437
http://www.liv.ac.uk/csd

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Odd behaviour with LDAP authentication

Posted by Mike Sandells <M....@liverpool.ac.uk>.
On 15/07/2015 16:51, Mike Sandells wrote:

> [Intermittent LDAP authentication failures]

As is often the case, we got to the bottom of this fairly quickly after
posting the above.

It was a problem with a specific domain controller, and having fixed
that, all is now normal...

Mike
-- 
Mike Sandells
The University of Liverpool - Computing Services Department
Email: mikejs@liv.ac.uk (Preferred) -  Phone: 0151 794 4437
http://www.liv.ac.uk/csd
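
An added example, not part of the original posts: a standard-library Python check that performs the first stage described above (the service-account simple bind) separately against every address the domain name resolves to, so a single misbehaving domain controller shows up by address. It sends the same cleartext simple bind on port 389 as the configuration in the first message; the function names and the per-address approach are assumptions of this example.

```python
import socket

def ber(tag, payload):
    """Encode one BER tag-length-value element (definite length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next k bytes hold the length
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def bind_request(dn, password, msg_id=1):
    """LDAPv3 simple BindRequest: version 3, bind DN, password in context tag [0]."""
    op = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage); 0 is success, 49 invalidCredentials."""
    _, msg, _ = read_tlv(data)
    _, _, p = read_tlv(msg)               # skip messageID
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x61:                       # [APPLICATION 1] = BindResponse
        raise ValueError("not a BindResponse")
    _, code, p = read_tlv(op)
    _, _, p = read_tlv(op, p)             # skip matchedDN
    _, diag, _ = read_tlv(op, p)
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def check_all(domain, dn, password, port=389, timeout=5):
    """Attempt the service-account bind on each address the domain name resolves to."""
    # A hosts-file pin for the domain hides the other controllers from this lookup.
    addrs = {ai[4][0] for ai in socket.getaddrinfo(domain, port, type=socket.SOCK_STREAM)}
    results = {}
    for addr in sorted(addrs):
        try:
            with socket.create_connection((addr, port), timeout=timeout) as s:
                s.sendall(bind_request(dn, password))
                results[addr] = parse_bind_response(s.recv(4096))
        except (OSError, ValueError, IndexError) as exc:
            results[addr] = (None, repr(exc))
    return results
```

Calling `check_all` with the domain name, the service account DN and its password returns a dictionary keyed by address; any entry whose result code is not 0 identifies the controller to investigate.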
