Netware Webserver - Apache 2 failed to create path context with LDAP authentication


Author Apache 2 failed to create path context with LDAP authentication
Ashland_removethispart_@ashland.edu

2005-12-06, 5:45 pm

We recently upgraded a Netware 6.0 server running Apache 1.3.x to Netware
6.5 sp4a with Apache 2.0.54. We had been using Mod_NDS to provide
authentication for internal webpages. This worked fine under Apache 1.3.
After the upgrade and much reconfiguration we are not able to consistently
authenticate using Mod_AUTH_LDAP. Using DStrace we can see the
authentication work and the appropriate UID being returned, but the Apache
error log shows "failed to create path context" err: -632.

This almost always fails for users in specific containers and almost
always works for users in other containers. Making a user admin equivalent
does not enable them to login. I even temporarily set the LDAP anonymous
user to admin equivalent with no change.

Apache does load sapi_apache2.c, mod_jk.c, util_ldap.c, mod_auth_ldap.c,
and mod_edir.c.

Here is the section of the httpd.conf file for the virtual host we are
having issues with.

<VirtualHost xxx.xxx.xxx.xxx:80>
ServerName eagleweb.ashland.edu
DocumentRoot VOL1:\eagleweb

# SOURCE OBJECT: cn=eagleweb-Directory,cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

<Directory VOL1:\eagleweb>
Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all
</Directory>

# SOURCE OBJECT: cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

Alias /facstaff "VOL1:/eagleweb/facstaff"

# SOURCE OBJECT: cn=facstaff-Directory,cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

<Directory VOL1:/eagleweb/facstaff>
Options FollowSymLinks Indexes MultiViews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
require edir-user
AuthLDAPAuthoritative On
AuthLDAPURL ldap://jasper.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub
</Directory>

# SOURCE OBJECT: cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

</VirtualHost>

Here are excerpts from the Apache error log showing both failed and
successful logins. We have replaced ipaddress and usernames, but they are
correct.


Log entry for user that fails

[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(337): [client xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: using URL ldap://servername.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(411): [client xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: accepting faileduser, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] rdirutils.c(534): Checking mod_eDir cache for purgible entries
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(182): [client xxx.xxx.xxx.xxx] MOD_eDIR user DN: cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] rdirutils.c(455): [client xxx.xxx.xxx.xxx] Checking cache for entry cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(187): [client xxx.xxx.xxx.xxx] server path root is VOL1:, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(198): [client xxx.xxx.xxx.xxx] Created identity 65537 for cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on server servername, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [error] [client xxx.xxx.xxx.xxx] failed to create path context for cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err: -632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(702): [client xxx.xxx.xxx.xxx] [10] auth_ldap authorise: authorisation denied, referer: http://eagleweb.ashland.edu/home-header.htm

Log entry for user that gains access

[Tue Nov 29 14:02:08 2005] [debug] mod_auth_ldap.c(337): [client xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: using URL ldap://servername.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_auth_ldap.c(411): [client xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: accepting successfuluser, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(534): Checking mod_eDir cache for purgible entries
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(182): [client xxx.xxx.xxx.xxx] MOD_eDIR user DN: cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(455): [client xxx.xxx.xxx.xxx] Checking cache for entry cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(187): [client xxx.xxx.xxx.xxx] server path root is VOL1:, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(198): [client xxx.xxx.xxx.xxx] Created identity 65538 for cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU on server servername, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(209): [client xxx.xxx.xxx.xxx] Created path context 3 for cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(379): [client xxx.xxx.xxx.xxx] Adding cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU to the cache, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(424): [client xxx.xxx.xxx.xxx] cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU added to the cache, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(240): [client xxx.xxx.xxx.xxx] edir user cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU authorization established, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(81): [client xxx.xxx.xxx.xxx] Clean up hit, setting setcwd2 to NULL, referer: http://eagleweb.ashland.edu/home-header.htm

Here is the DSTrace log for the failed user:

(server xxx.xxx.xxx.xxx)(0x0019:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Treating simple bind with empty DN and no password as anonymous
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Bind name:NULL, version:3, authentication:simple
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Sending operation result 0:"":"" to connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) DoSearch on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Search request:
base: "OU=Users,OU=AU-Main,O=ASHLANDU"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(uid=faileduser))"
attribute: "uid"
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Sending search result entry "cn=faileduser,ou=FacStaff,ou=Users,ou=AU-Main,o=ASHLANDU" to connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Sending operation result 0:"":"" to connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001b:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001b:0x60) Bind name:cn=faileduser,ou=FacStaff,ou=Users,ou=AU-Main,o=ASHLANDU, version:3, authentication:simple
(server xxx.xxx.xxx.xxx)(0x001b:0x60) Sending operation result 0:"":"" to connection 0x82144b60
Checking for configuration changes

DSTrace log for successful user

(server xxx.xxx.xxx.xxx)(0x001c:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Treating simple bind with empty DN and no password as anonymous
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Bind name:NULL, version:3, authentication:simple
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Sending operation result 0:"":"" to connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) DoSearch on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Search request:
base: "OU=Users,OU=AU-Main,O=ASHLANDU"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(uid=successfuluser))"
attribute: "uid"
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Sending search result entry "cn=successfuluser,ou=AcadTech,ou=Users,ou=AU-Main,o=ASHLANDU" to connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Sending operation result 0:"":"" to connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001e:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001e:0x60) Bind name:cn=successfuluser,ou=AcadTech,ou=Users,ou=AU-Main,o=ASHLANDU, version:3, authentication:simple
(server xxx.xxx.xxx.xxx)(0x001e:0x60) Sending operation result 0:"":"" to connection 0x82144b60

Has anyone got this working? Do you see anything wrong with the conf file?
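
Added example, not part of the original post and not Novell or Apache code: a Python script that rejoins hard-wrapped Apache error-log excerpts like those above and tallies mod_edir path-context successes and failures per eDirectory container, to confirm the per-container pattern the poster describes. The sample log is constructed from the excerpts in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the hard-wrapped excerpts in the post.
SAMPLE_LOG = """\
[Tue Nov 29 14:02:01 2005] [error] [client xxx.xxx.xxx.xxx] failed to
create path context for
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err:
-632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(209): [client
xxx.xxx.xxx.xxx] Created path context 3 for
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
"""

# A record starts with an Apache timestamp; any other line is a wrapped continuation.
RECORD_START = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] ")
FAILED = re.compile(r"failed to create path context for (.+?) on (\S+)\. err: (-?\d+)")
CREATED = re.compile(r"Created path context \d+ for (.+?)(?:, referer:|$)")

# Rejoin wrapped lines so that each list element is one complete log record.
def unwrap(text):
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def container(dn):
    # Parent container of a dotted eDirectory DN: drop the leading cn=... part.
    parts = re.split(r"(?<!\\)\.", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def tally_by_container(text):
    stats = defaultdict(lambda: {"ok": 0, "failed": 0, "errs": set()})
    for rec in unwrap(text):
        failed, created = FAILED.search(rec), CREATED.search(rec)
        if failed:
            entry = stats[container(failed.group(1))]
            entry["failed"] += 1
            entry["errs"].add(int(failed.group(3)))
        elif created:
            stats[container(created.group(1))]["ok"] += 1
    return dict(stats)

if __name__ == "__main__":
    print(tally_by_container(SAMPLE_LOG))
```

Run against the full error log, a container that shows only failures with the same error code points at that container's objects rather than at the LDAP bind, which DSTrace shows succeeding for both users.
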
Automatic reply

2005-12-13, 7:45 am

Ashland,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://support.novell.com/forums/