RHEL’s Apache and LDAP Referrals
After upgrading to RHEL 5.7, one of my Apache servers which protects content using mod_ldap authenticating against Active Directory stopped working. Error logs showed the following:
auth_ldap authenticate: user xxxx authentication failed; URI /viewvc/
[ldap_search_ext_s() for user failed][Operations error]
This usually means there is a problem with referrals, but OpenLDAP was properly configured to not follow them (/etc/openldap.ldap.conf w/ REFERRALS off).
Turns out that buriedin the RHEL 5.7 release notes, this gem can be found. A brand new configuration directive called LDAPChaseReferrals. Apparently, when referrals are provided in a result-set, mod_ldap by default does not bind to them using the provided credentials. The new version of Apache in RHEL 5.7 corrects that and provides this new directive to enable or disable the feature.
However, I couldn’t find any documentation for it upstream, and after following the bugzilla link in the release notes realized that the Apache project had actually gone a different route and called their directive LDAPReferrals in addition to adding another directive to limit the number of hops that would be followed.
End result is that it appears Red Hat has added in a one-off and undocumented configuration directive. 🙂 Likely unintentionally, but this definitely led me to some confusion.
Opened a new bug to see about getting this resolved.