Ray Van Dolson's Blog

Pontifications from smoggy Southern California

RHEL’s Apache and LDAP Referrals

After upgrading to RHEL 5.7, one of my Apache servers, which protects content using mod_ldap authenticating against Active Directory, stopped working. Error logs showed the following:

auth_ldap authenticate: user xxxx authentication failed; URI /viewvc/ 
[ldap_search_ext_s() for user failed][Operations error]

 

This usually means there is a problem with referrals, but OpenLDAP was properly configured not to follow them (/etc/openldap/ldap.conf with REFERRALS off).

Turns out that, buried in the RHEL 5.7 release notes, this gem can be found: a brand new configuration directive called LDAPChaseReferrals. Apparently, when referrals are provided in a result set, mod_ldap by default does not bind to them using the provided credentials. The new version of Apache in RHEL 5.7 corrects that and provides this new directive to enable or disable the feature.

However, I couldn’t find any documentation for it upstream, and after following the Bugzilla link in the release notes I realized that the Apache project had actually gone a different route: they called their directive LDAPReferrals and added another directive to limit the number of hops that would be followed.

End result is that it appears Red Hat has added in a one-off and undocumented configuration directive. 🙂 Likely unintentionally, but this definitely led me to some confusion.

Opened a new bug to see about getting this resolved.
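
The check below is an added example, not code from this post or from Red Hat or Apache: it audits an httpd configuration and ldap.conf for the referral settings discussed above and flags the Red Hat-specific directive name. The sample configurations, hostnames, the `Off` argument and the directive's placement inside `<Location>` are constructed assumptions.

```python
# Added example: audit LDAP referral settings in httpd and OpenLDAP client config.
OFF = {"off", "false", "no"}
RHEL_ONLY = "ldapchasereferrals"   # Red Hat's directive name, per the post
UPSTREAM = "ldapreferrals"         # upstream Apache httpd's name, per the post

def parse_directives(text):
    """Map lowercased directive name -> [(line_no, name, argument)]."""
    found = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":      # skip blanks, comments, <Container> tags
            continue
        parts = line.split(None, 1) + [""]
        name, arg = parts[0], parts[1].strip()
        found.setdefault(name.lower(), []).append((no, name, arg))
    return found

def audit(httpd_conf, ldap_conf):
    """Return (httpd referral setting, or None if unset, and a list of findings)."""
    httpd, ldap = parse_directives(httpd_conf), parse_directives(ldap_conf)
    hits = sorted(httpd.get(RHEL_ONLY, []) + httpd.get(UPSTREAM, []))
    setting = hits[-1][2].lower() if hits else None   # last occurrence in the file
    findings = []
    for no, name, _ in httpd.get(RHEL_ONLY, []):
        findings.append(f"httpd:{no}: {name} is Red Hat-specific; upstream calls it LDAPReferrals")
    client_off = any(a.lower() in OFF for _, _, a in ldap.get("referrals", []))
    if setting is None and client_off:
        findings.append("REFERRALS off is set only in ldap.conf; httpd has no referral "
                        "directive of its own (the setup described in the post)")
    elif setting is not None and setting not in OFF:
        findings.append("httpd is configured to chase referrals")
    return setting, findings

# Constructed sample inputs (assumed layout, placeholder hostnames).
LDAP_CONF = "URI ldap://dc.example.com\nREFERRALS off\n"
HTTPD_NO_DIRECTIVE = """<Location /viewvc/>
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc.example.com/DC=example,DC=com?sAMAccountName?sub"
</Location>
"""
HTTPD_RHEL_DIRECTIVE = HTTPD_NO_DIRECTIVE.replace(
    "</Location>", "    LDAPChaseReferrals Off\n</Location>")

if __name__ == "__main__":
    for label, conf in (("no directive", HTTPD_NO_DIRECTIVE),
                        ("RHEL directive", HTTPD_RHEL_DIRECTIVE)):
        setting, findings = audit(conf, LDAP_CONF)
        print(label, "->", setting, findings)
```
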

Written by Variant

August 1, 2011 at 2:21 pm

Posted in Systems Administration, Technology

4 Responses

  1. I think I am one of the confused. I am trying to authenticate against AD with users spread over many OU’s. Authentication is only successful if I add a specific OU to the base, and only for those users. I want to search all OU’s but am getting the error you have above. I’ve read setting REFERRALS off will fix this but it does not appear to in my case. I am running RHEL5, do I need to set one of the Red Hat specific directives?

    Michael Moore

    December 3, 2011 at 1:01 pm

    • Can you give a bit more info? Are you referring to subdomains (where referrals would likely come into play) or multiple, non-overlapping top level base DN’s?

      For the former, following referrals or querying the global catalog should be sufficient.

      For the latter, I’m not sure how you’d accomplish it without having an absolute top-level base DN you could start a search from that would encompass all child OU’s. That of course can be done without referrals at all.

      rayvd

      December 3, 2011 at 1:35 pm

      • I believe I have the second case, it’s just a single domain. My base is like: DC=DOMAIN,DC=MSFT and I am trying to search all of the OU’s below it. Apache LDAP searches fail unless I specify an OU. I found http://acksyn.org/diary/?p=227 which sounded identical to my issue but the fix had no effect. I have tried everything I can think of (including switching to mod_authnz_ldap) and finally decided there must be something different about my distro. Looking into that brought me here. I understood your post to mean that Red Hat may indeed have different steps to set Referrals off.

        Michael Moore

        December 3, 2011 at 7:53 pm

  2. So what exactly did you do to get it working again?

    Ryan Belcher

    March 9, 2012 at 11:26 am

