[Auth_ldap] Problems during authentication phase with auth_ldap 1.6.1 and apache 1.3.9
Gary Walker
gwalker at blackboard.com
Tue Aug 15 07:01:15 PDT 2006
Hi. I'm new to the list and hoping someone can help me explain some of
the following behaviors.
I'm troubleshooting a problem with auth_ldap's behavior on an older
system. I'm using the latest auth_ldap source built against apache
1.3.9 and openldap 1.2.9. Here's a sample of my .htaccess file:
AuthLDAPAuthoritative off
AuthName "Login"
AuthType Basic
AuthLDAPVersion "3"
AuthLDAPBindDN "uid=searchuser, ou=specials, dc=blackboard, dc=com"
AuthLDAPBindPassword searchuserpassword
AuthLDAPURL ldap://localhost:8001/dc=blackboard, dc=com
AuthUserFile /dev/null
<Limit PUT POST GET>
require valid-user
</Limit>
Localhost:8001 is linked to the SSL LDAP port on the LDAP server by
stunnel. The LDAP server is running SunOne directory server 5.2P2.
What's happening is this--auth_ldap is authenticating regardless of
whether or not a valid password has been entered so long as a username
which exists in the LDAP directory is used. Here's the error log from
apache:
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(165): [client 10.10.107.100] {25005} Opening connection to ldap server(s) `localhost'
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(168): [client 10.10.107.100] {25005} LDAP OP: init
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(288): [client 10.10.107.100] {25005} Binding to server `localhost' as uid=searchuser, ou=specials, dc=blackboard, dc=com/searchuserpassword
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(298): [client 10.10.107.100] {25005} LDAP OP: simple bind
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(605): [client 10.10.107.100] {25005} Peforming a search (scope=2) with filter (&(objectclass=*)(uid=gwalker))
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(112): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(116): [client 10.10.107.100] {25005} Freeing connection to ldap server(s) `localhost'
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(165): [client 10.10.107.100] {25005} Opening connection to ldap server(s) `localhost'
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(168): [client 10.10.107.100] {25005} LDAP OP: init
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(288): [client 10.10.107.100] {25005} Binding to server `localhost' as uid=searchuser, ou=specials, dc=blackboard, dc=com/searchuserpassword
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(298): [client 10.10.107.100] {25005} LDAP OP: simple bind
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(605): [client 10.10.107.100] {25005} Peforming a search (scope=2) with filter (&(objectclass=*)(uid=gwalker))
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(112): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(116): [client 10.10.107.100] {25005} Freeing connection to ldap server(s) `localhost'
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
Now, the strange thing is this: auth_ldap is reporting that the server
is down/reconnecting/starting over. When I tcpdump the port, I see
clearly that the LDAP server responds to the search request with the
record for the user, including the user's DN.
Has anyone seen this behavior previously? Is there anything I can do to
resolve it?
Thanks for your assistance,
Gary
gewalker at gmail.com
gwalker at blackboard.com
This e-mail is intended only for the personal and confidential use of the recipient(s) named above.
It may include Blackboard confidential and proprietary information, and is not for redistribution.
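As an added example (not part of Gary's post or of auth_ldap itself), a small Python script that scans auth_ldap 1.x debug output in the format quoted above and flags two things a defender would want to see: a request that re-enters auth_ldap_connect_to_server repeatedly after issuing a search (the loop shown in the post), and the bind DN and password being written to the error log in clear text. The sample log is constructed from the post's lines; the threshold max_connects and the finding texts are the example's own.

```python
import re
from collections import defaultdict
# auth_ldap 1.x debug line as quoted in the post: [date] [debug] auth_ldap.c(LINE): [client IP] {REQID} message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] auth_ldap\.c\((?P<src>\d+)\): "
    r"\[client (?P<ip>[^\]]+)\] \{(?P<req>\d+)\} (?P<msg>.*)$"
)
# "Binding to server `host' as DN/password": the bind secret is in the log line itself
BIND_RE = re.compile(r"Binding to server `[^']+' as (?P<dn>.+)/(?P<pw>\S+)$")

# Constructed sample modelled on the post's log: request 25005 loops, 25006 does not.
SAMPLE_LOG = """\
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
[Tue Aug 15 09:31:30 2006] [debug] auth_ldap.c(288): [client 10.10.107.100] {25005} Binding to server `localhost' as uid=searchuser, ou=specials, dc=blackboard, dc=com/searchuserpassword
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(609): [client 10.10.107.100] {25005} LDAP OP: search
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:31 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(616): [client 10.10.107.100] {25005} Server is down; reconnecting and starting over
[Tue Aug 15 09:31:32 2006] [debug] auth_ldap.c(145): [client 10.10.107.100] {25005} Entering auth_ldap_connect_to_server
[Tue Aug 15 09:40:00 2006] [debug] auth_ldap.c(145): [client 10.10.107.101] {25006} Entering auth_ldap_connect_to_server
[Tue Aug 15 09:40:00 2006] [debug] auth_ldap.c(609): [client 10.10.107.101] {25006} LDAP OP: search
"""

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()

def analyse(lines, max_connects=1):
    """Map request id -> findings; requests with nothing to flag are omitted."""
    stats = defaultdict(lambda: {"connects": 0, "searches": 0, "pw_logged": False})
    for ev in parse(lines):
        s, msg = stats[ev["req"]], ev["msg"]
        if msg.startswith("Entering auth_ldap_connect_to_server"):
            s["connects"] += 1          # every re-entry after the first is a reconnect
        elif msg == "LDAP OP: search":
            s["searches"] += 1
        elif BIND_RE.search(msg):
            s["pw_logged"] = True       # credential material written to error_log
    findings = {}
    for req, s in stats.items():
        flags = []
        if s["connects"] > max_connects and s["searches"]:
            flags.append("reconnect loop: %d connects for one request" % s["connects"])
        if s["pw_logged"]:
            flags.append("bind DN and password present in debug log")
        if flags:
            findings[req] = flags
    return findings
```

Run it over a real error_log with `analyse(open("error_log"))`; a request that keeps reconnecting after a search that tcpdump shows succeeding is the pattern to chase, and the second finding is a reason to turn debug logging off again once the trace is captured.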