comp.info.servers.unix (Web servers for UNIX platforms)
#1
LDAP authentication fails with the following message in the error log:
-----------------
[Sat Jun 17 21:11:19 2006] [debug] mod_auth_ldap.c(337): [client 192.168.x.x] [22698] auth_ldap authenticate: using URL ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)
[Sat Jun 17 21:11:19 2006] [warn] [client 192.168.x.x] [22698] auth_ldap authenticate: user flastname authentication failed; URI /test [ldap_search_ext_s() for user failed][Operations error]
[Sat Jun 17 21:11:28 2006] [debug] mod_headers.c(527): headers: ap_headers_output_filter()
-----------------
This is the relevant config:
-----------------
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<Location /test>
    AuthType Basic
    AuthName "LDAP test"
    AuthLDAPURL ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN "CN=BindLDAPUsername,OU=Generic IDs,DC=XYZ,DC=ABC,DC=com"
    AuthLDAPBindPassword password
    Require valid-user
</Location>
-----------------
When I capture the traffic between the AD and Apache, I can see the bind happen, then the query, then the response with one record and the proper sAMAccountName, but no subsequent bind to the LDAP server using the DN and the password passed by the HTTP client.

I can run the same exact query using ldapsearch and it gets back identical results (and the captured traffic looks the same):
-----------------
ldapsearch -v -W -x \
  -D "CN=BindLDAPUsername,OU=Generic IDs,DC=XYZ,DC=ABC,DC=com" \
  -H ldap://ad.host.name.com:389 \
  -b "DC=XYZ,DC=ABC,DC=com" \
  "(&(objectClass=*)(sAMAccountName=flastname))" sAMAccountName
-----------------
tcpdump capture between Apache and AD: http://rafb.net/paste/results/9Duquf89.html

Software:
---------
openldap 2.3.21 from sunfreeware.com
Solaris SPARC 8
Apache 2.0.55

Thank you.

#2

To be a bit more specific, what I am not seeing is another bind request to AD that looks like this:
-----------
Lightweight Directory Access Protocol
    LDAP Message, Bind Request
        Message Id: 1
        Message Type: Bind Request (0x00)
        Version: 3
        DN: CN=Lastname\, Firstname,OU=Users-BLAH-BLAH,OU=BLAH2,DC=XYZ,DC=ABC,DC=com
        Auth Type: Simple (0x00)
        Password: user's password that I provided in the browser
-----------
....followed by a successful response from AD.

It seems that the initial response to the search query that it got back from AD is unsatisfactory, so it does not even try to bind with the newly found name. Any ideas why this is happening? I even tried some other products (not Apache) where AD auth works, and their network capture looks just like Apache's, except they also do the second bind.

Any pointers/suggestions are appreciated. Thank you.

#3

I made some progress: after reading this post: http://tinyurl.com/rzjzf I have changed my config from
AuthLDAPURL ldap://ad.host.name.com:389/DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)
to
AuthLDAPURL ldap://ad.host.name.com:389/OU=BLAH2,DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)
and that worked, confirming the theory that Apache's LDAP gets confused when encountering an LDAP search result reference in the LDAP response from the initial search (see http://rafb.net/paste/results/9Duquf89.html). Once the OU has been provided, Apache's LDAP works fine, since the reference is not returned anymore.

However this is not an option for me, since in my case OU=BLAH* is actually referring to different campuses in multiple cities, so there is no single all-encompassing entity underneath the root of the AD that includes all the users. Fiddling with AuthLDAPDereferenceAliases (setting it to all available options) did not make any difference. This behavior has been confirmed in 2.0.55 and 2.2.2 using openldap 2.3.21.

Any suggestions on making it work while binding to the root of the tree? Thank you

#4

Trying a few more things: compiled Apache 2.2.2 with the Sun Microsystems Inc. LDAP SDK that came with Solaris:

$ pkginfo -l SUNWlldap
   PKGINST:  SUNWlldap
      NAME:  LDAP Libraries
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.8.0,REV=2000.01.08.18.12
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Ldap libraries in for software development of dynamically linked executables
    PSTAMP:  on28-patch20040428123135
  INSTDATE:  Aug 06 2004 06:00

Apache behavior is the same: if I do not bind to the root directly, but provide an OU, then it works. If I do not provide an OU, it seems to get into a loop when it searches for the sAMAccountName, gets a result with a reference, searches the reference, unbinds, and then repeats the whole thing (I have network traces to confirm this). Changing values of AuthLDAPDereferenceAliases has no effect on this behavior.

Any suggestions? I think I am about ready to file a bug/enhancement report for ldap + Active Directory. Thank you.

#5

SOLVED. See this thread for more details: http://mail-archives.apache.org/mod_...net.ptc.com%3e

In short: use the global catalog (http://tinyurl.com/pbhhr) instead of a domain-level lookup. In order to do this, use port 3268 instead of 389. Now Apache 2.0.55 and 2.2.2 work fine with the bundled SUN LDAP SDK, as well as OpenLDAP. The network trace looks exactly the way it should (no reference record returned by AD). Reading up on the global catalog does not make it obvious that I should have used it, especially since other apps that rely on AD authentication work fine against port 389, ignoring the references (and we only have one domain).

Just for the reference, this is my working 2.0.55 config:
-------------
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
<IfModule mod_auth_ldap.c>
    <Location /test>
        AuthType Basic
        AuthName "LDAP test"
        AuthLDAPURL ldap://ad.host.name.com:3268/DC=ABC,DC=DEF,DC=com?sAMAccountName
        AuthLDAPBindDN "CN=LDAPBindUsername,OU=Generic IDs,DC=ABC,DC=DEF,DC=com"
        AuthLDAPBindPassword BindUserPassword
        Require valid-user
    </Location>
</IfModule>
-------------
and 2.2.2:
-------------
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
<IfModule mod_authnz_ldap.c>
    <Location /test>
        AuthType Basic
        AuthName "LDAP test"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ad.host.name.com:3268/DC=ABC,DC=DEF,DC=com?sAMAccountName
        AuthLDAPBindDN "CN=LDAPBindUsername,OU=Generic IDs,DC=ABC,DC=DEF,DC=com"
        AuthLDAPBindPassword BindUserPassword
        AuthzLDAPAuthoritative Off
        Require valid-user
    </Location>
</IfModule>
-------------
Hopefully this will help someone.
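As an added example (not code from this thread, nor from the Apache httpd project), the Python script below does offline what the posts above work out by hand: it splits an AuthLDAPURL into the fields mod_auth_ldap uses, builds the user-lookup filter that the ldapsearch command in #1 reproduces (with the Basic-auth username escaped per RFC 4515, since that username comes straight from the client), flags a subtree search from the domain root on a domain-controller port (389/636, the shape that drew search result references from AD) as opposed to the global catalog port 3268/3269 used in the fix, and pulls the "ldap_search_ext_s() for user failed" lines out of error-log text like the one quoted in #1. The port sets, the field defaults (uid, sub, (objectClass=*), taken from the mod_auth_ldap documentation), the naive comma split of base DNs and the sample log lines are this example's own assumptions.

```python
"""Added example: AuthLDAPURL analysis and error-log triage for
mod_auth_ldap against Active Directory. Not Apache's code.
Assumes the RFC 2255 layout host:port/basedn?attribute?scope?filter
and mod_auth_ldap's documented defaults (uid, sub, (objectClass=*))."""
import re
from urllib.parse import unquote, urlsplit

DOMAIN_PORTS = {389, 636}            # AD domain controller LDAP / LDAPS (assumed)
GLOBAL_CATALOG_PORTS = {3268, 3269}  # AD global catalog, plain / TLS (assumed)

# RFC 4515 escapes for a value embedded in a search filter. The username comes
# from the HTTP Authorization header, so it is client-controlled input.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into its mod_auth_ldap fields, applying defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit keeps everything after the first '?' as the query; the
    # remaining '?'-separated fields are attribute, scope and filter.
    fields = unquote(parts.query).split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, ldap_filter = fields[:3]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def build_user_filter(url: str, username: str) -> str:
    """Filter for step one of the two-step auth: find the user's DN."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


def check_ad_endpoint(url: str) -> list:
    """Return (code, explanation) findings for an AuthLDAPURL aimed at AD."""
    cfg = parse_auth_ldap_url(url)
    findings = []
    # Simple split on commas: enough for base DNs like DC=XYZ,DC=ABC,DC=com.
    rdn_types = [rdn.split("=", 1)[0].strip().upper()
                 for rdn in cfg["base_dn"].split(",") if rdn.strip()]
    at_domain_root = bool(rdn_types) and all(t == "DC" for t in rdn_types)
    if cfg["port"] in DOMAIN_PORTS and at_domain_root and cfg["scope"] == "sub":
        findings.append(("domain_root_referrals",
                         "subtree search from the domain root on a DC port: AD can answer "
                         "with search result references; use the global catalog port or "
                         "a narrower base DN"))
    if cfg["port"] in GLOBAL_CATALOG_PORTS:
        findings.append(("global_catalog",
                         "global catalog: only attributes replicated to the GC are "
                         "searchable (sAMAccountName is; custom attributes may not be)"))
    if cfg["scheme"] == "ldap":
        findings.append(("cleartext_bind",
                         "ldap:// without TLS: the user's simple bind carries the "
                         "password unencrypted on the wire"))
    return findings


# Constructed sample: the two lines the thread quotes from Apache's error log.
SAMPLE_LOG = [
    "[Sat Jun 17 21:11:19 2006] [debug] mod_auth_ldap.c(337): [client 192.168.x.x] "
    "[22698] auth_ldap authenticate: using URL ldap://ad.host.name.com:389/"
    "DC=XYZ,DC=ABC,DC=com?sAMAccountName?sub?(objectClass=*)",
    "[Sat Jun 17 21:11:19 2006] [warn] [client 192.168.x.x] [22698] auth_ldap "
    "authenticate: user flastname authentication failed; URI /test "
    "[ldap_search_ext_s() for user failed][Operations error]",
]
_FAIL_RE = re.compile(r"auth_ldap authenticate: user (\S+) authentication failed; "
                      r"URI (\S+) \[(?P<stage>[^\]]+)\]\[(?P<err>[^\]]+)\]")


def triage_auth_ldap_log(lines) -> list:
    """Extract failed LDAP authentications from Apache error-log lines.

    A failure at the search stage means the user lookup itself broke before
    any password was checked (the referral symptom in this thread); a bind
    stage failure is the ordinary wrong-password case."""
    hits = []
    for line in lines:
        m = _FAIL_RE.search(line)
        if not m:
            continue
        client = re.search(r"\[client ([^\]]+)\]", line)
        stage = m.group("stage")
        hits.append({
            "client": client.group(1) if client else None,
            "user": m.group(1),
            "uri": m.group(2),
            "stage": "search" if "search" in stage else ("bind" if "bind" in stage else "other"),
            "error": m.group("err"),
        })
    return hits
```

Run against the URLs in this thread, `check_ad_endpoint` reports `domain_root_referrals` for the original port-389 URL, nothing of the kind for the OU-scoped URL from #3, and `global_catalog` for the port-3268 URL from the fix; a subtree search at a domain root on a DC typically yields references for child partitions (such as the DNS application partitions), which is why narrowing the base DN or moving to the global catalog removes them. Every ldap:// URL here also gets `cleartext_bind`: both the AuthLDAPBindPassword bind and the user's own bind travel unencrypted on 389 and 3268, so ldaps:// (636/3269) or StartTLS is the setting to pair with this fix.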