You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Sandro Tosi <sa...@register.it> on 2009/12/03 10:13:43 UTC
[users@httpd] auth_ldap returns "Password Mismatch" but the password is correct
Hello,
we've migrated part of our apache auth to LDAP, but suddenly we receive
errors like "Password Mismatch" while the user's password is correct.
In the log we can read:
[Wed Dec 02 17:42:54 2009] [warn] [client <IP ADDRESS>] [3659] auth_ldap
authenticate: user <user> authentication failed; URI /
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Wed Dec 02 17:42:54 2009] [error] [client <IP ADDRESS>]] user <user>:
authentication failure for "/": Password Mismatch
but if we use ldapsearch command to bind to the ldap servers, with the
very same username & password the user can login successfully.
The httpd.conf ldap relevant entries are:
# grep -i ldap /usr/local/apache/conf/httpd.conf
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPVerifyServerCert Off
LDAPTrustedMode STARTTLS
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
while the .htaccess we use is:
AuthType Basic
AuthName "<name>"
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN <uid for bind>
AuthLDAPBindPassword <pwd>
AuthLDAPURL ldaps://<server>/dc=ABC,dc=DEF?uid?sub?(objectClass=*)
require ldap-group <CN for the auth group>
The password mismatch for a user usually goes away after apache is
restarted, but then other users (that were able to login before restart)
start facing the login incorrect.
Could you please suggest what to do to resolve this really annoying problem?
Thanks in advance,
Sandro
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] auth_ldap returns "Password Mismatch" but the password
is correct
Posted by Sandro Tosi <sa...@register.it>.
Didn't anyone experience "weird things" with ldap authentication? Like:
- password mismatch that get solved by restarting apache
- password error, wait 10 minutes, relogin (with same username/password)
and you can enter
Any help and suggestion is appreciate, this is really critical for us
and we can't find any clear information about it.
Regards,
Sandro
Sandro Tosi wrote:
> Hello,
> we've migrated part of our apache auth to LDAP, but suddenly we receive
> errors like "Password Mismatch" while the user's password is correct.
>
> In the log we can read:
>
> [Wed Dec 02 17:42:54 2009] [warn] [client <IP ADDRESS>] [3659] auth_ldap
> authenticate: user <user> authentication failed; URI /
> [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
> [Wed Dec 02 17:42:54 2009] [error] [client <IP ADDRESS>]] user <user>:
> authentication failure for "/": Password Mismatch
>
> but if we use ldapsearch command to bind to the ldap servers, with the
> very same username & password the user can login successfully.
>
> The httpd.conf ldap relevant entries are:
>
> # grep -i ldap /usr/local/apache/conf/httpd.conf
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LDAPVerifyServerCert Off
> LDAPTrustedMode STARTTLS
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> while the .htaccess we use is:
>
> AuthType Basic
> AuthName "<name>"
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative Off
> AuthLDAPBindDN <uid for bind>
> AuthLDAPBindPassword <pwd>
> AuthLDAPURL ldaps://<server>/dc=ABC,dc=DEF?uid?sub?(objectClass=*)
> require ldap-group <CN for the auth group>
>
> The password mismatch for a user usually goes away after apache is
> restarted, but then other users (that were able to login before restart)
> start facing the login incorrect.
>
> Could you please suggest what to do to resolve this really annoying problem?
>
> Thanks in advance,
> Sandro
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org