Apache 2 failed to create path context with LDAP authentication

    Apache 2 failed to create path context with LDAP authentication  
Ashland_removethispart_@ashland.edu




 
12-06-05 10:45 PM

We recently upgraded a Netware 6.0 server running Apache 1.3.x to Netware
6.5 sp4a with Apache 2.0.54.  We had been using Mod_NDS to provide
authentication for internal webpages.  This worked fine under Apache 1.3.
After the upgrade and much reconfiguration we are not able to consistently
authenticate using Mod_AUTH_LDAP.  Using DStrace we can see the
authentication work and the appropriate UID being returned, but the Apache
error log shows "failed to create path context" err: -632.

This almost always fails for users in specific containers and almost
always works for users in other containers.  Making a user admin equivalent
does not enable them to login. I even temporarily set the LDAP anonymous
user to admin equivalent with no change.

Apache does load sapi_apache2.c, mod_jk.c, util_ldap.c, mod_auth_ldap.c,
and mod_edir.c.

Here is the section of the httpd.conf file for the virtual host we are
having issues with.

<VirtualHost xxx.xxx.xxx.xxx:80>
ServerName eagleweb.ashland.edu
DocumentRoot VOL1:\eagleweb

# SOURCE OBJECT: cn=eagleweb-Directory,cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

<Directory VOL1:\eagleweb>
Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all
</Directory>

# SOURCE OBJECT: cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

Alias /facstaff "VOL1:/eagleweb/facstaff"

# SOURCE OBJECT: cn=facstaff-Directory,cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

<Directory VOL1:/eagleweb/facstaff>
Options FollowSymLinks Indexes MultiViews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
require edir-user
AuthLDAPAuthoritative On
AuthLDAPURL ldap://jasper.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub
</Directory>

# SOURCE OBJECT: cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

</VirtualHost>

Here are excerpts from the Apache error log showing both failed and
successful logins.  We have replaced ipaddress and usernames, but they are
correct.


Log entry for user that fails

[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(337): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: using URL
ldap://servername.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(411): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: accepting faileduser,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] rdirutils.c(534): Checking mod_eDir
cache for purgible entries
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(182): [client
xxx.xxx.xxx.xxx] MOD_eDIR user DN:
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] rdirutils.c(455): [client
xxx.xxx.xxx.xxx] Checking cache for entry
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(187): [client
xxx.xxx.xxx.xxx] server path root is VOL1:, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(198): [client
xxx.xxx.xxx.xxx] Created identity 65537 for
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on server
servername, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [error] [client xxx.xxx.xxx.xxx] failed to
create path context for
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err:
-632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(702): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authorise: authorisation denied, referer:
http://eagleweb.ashland.edu/home-header.htm

Log entry for user that gains access

[Tue Nov 29 14:02:08 2005] [debug] mod_auth_ldap.c(337): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: using URL
ldap://servername.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_auth_ldap.c(411): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: accepting successfuluser,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(534): Checking mod_eDir
cache for purgible entries
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(182): [client
xxx.xxx.xxx.xxx] MOD_eDIR user DN:
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(455): [client
xxx.xxx.xxx.xxx] Checking cache for entry
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(187): [client
xxx.xxx.xxx.xxx] server path root is VOL1:, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(198): [client
xxx.xxx.xxx.xxx] Created identity 65538 for
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU on server
servername, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(209): [client
xxx.xxx.xxx.xxx] Created path context 3 for
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(379): [client
xxx.xxx.xxx.xxx] Adding
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU to the cache,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(424): [client
xxx.xxx.xxx.xxx]
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU added to the
cache, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(240): [client
xxx.xxx.xxx.xxx] edir user
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU authorization
established, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(81): [client xxx.xxx.xxx.xxx]
Clean up hit, setting setcwd2 to NULL, referer:
http://eagleweb.ashland.edu/home-header.htm

Here is the DSTrace log for the failed user:

(server xxx.xxx.xxx.xxx)(0x0019:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Treating simple bind with empty DN
and no password as anonymous
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Bind name:NULL, version:3,
authentication:simple
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) DoSearch on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Search request:
base: "OU=Users,OU=AU-Main,O=ASHLANDU"
scope:2  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
filter: "(&(objectclass=*)(uid=faileduser))"
attribute: "uid"
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Sending search result entry
"cn=faileduser,ou=FacStaff,ou=Users,ou=AU-Main,o=ASHLANDU" to connection
0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001b:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001b:0x60) Bind
name:cn=faileduser,ou=FacStaff,ou=Users,ou=AU-Main,o=ASHLANDU, version:3,
authentication:simple
(server xxx.xxx.xxx.xxx)(0x001b:0x60) Sending operation result 0:"":"" to
connection 0x82144b60
Checking for configuration changes

DSTrace log for successful user

(server xxx.xxx.xxx.xxx)(0x001c:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Treating simple bind with empty DN
and no password as anonymous
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Bind name:NULL, version:3,
authentication:simple
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) DoSearch on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Search request:
base: "OU=Users,OU=AU-Main,O=ASHLANDU"
scope:2  dereference:3  sizelimit:0  timelimit:0  attrsonly:0
filter: "(&(objectclass=*)(uid=successfuluser))"
attribute: "uid"
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Sending search result entry
"cn=successfuluser,ou=AcadTech,ou=Users,ou=AU-Main,o=ASHLANDU" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001e:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001e:0x60) Bind
name:cn=successfuluser,ou=AcadTech,ou=Users,ou=AU-Main,o=ASHLANDU,
version:3, authentication:simple
(server xxx.xxx.xxx.xxx)(0x001e:0x60) Sending operation result 0:"":"" to
connection 0x82144b60

Has anyone got this working?  Do you see anything wrong with the conf file?






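Added example (not part of the original post, and not code from Apache or mod_edir): a small Python triage script that groups mod_edir path-context outcomes by eDirectory container, to confirm from the error log which containers never get a path context. It assumes the raw error log with one entry per line and dot-delimited DNs as mod_edir logs them; the sample lines, client addresses and the user name otheruser are constructed from the excerpts above.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the excerpts in the post; one entry per line.
SAMPLE_LOG = """\
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(411): [client 192.0.2.10] [10] auth_ldap authenticate: accepting faileduser, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [error] [client 192.0.2.10] failed to create path context for cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err: -632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(209): [client 192.0.2.10] Created path context 3 for cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:03:30 2005] [error] [client 192.0.2.11] failed to create path context for cn=otheruser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err: -632 errno: 0
"""

# The two mod_edir outcomes that appear in the posted log excerpts.
FAIL = re.compile(r"failed to create path context for (?P<dn>[^,\s]+) on \S+\. err: (?P<err>-?\d+)")
OK = re.compile(r"Created path context \d+ for (?P<dn>[^,\s]+)")


def container_of(dn):
    """Drop the leaf RDN of a dot-delimited DN (assumes no escaped dots)."""
    return dn.split(".", 1)[1] if "." in dn else ""


def summarize(log_text):
    """Map container -> users that got / did not get a path context, plus error codes."""
    stats = defaultdict(lambda: {"ok": set(), "failed": set(), "errs": set()})
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            entry = stats[container_of(m["dn"])]
            entry["failed"].add(m["dn"])
            entry["errs"].add(int(m["err"]))
            continue
        m = OK.search(line)
        if m:
            stats[container_of(m["dn"])]["ok"].add(m["dn"])
    return dict(stats)


def failing_only(stats):
    """Containers where every observed user failed: the ones to inspect first."""
    return sorted(c for c, s in stats.items() if s["failed"] and not s["ok"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name in failing_only(result):
        print(name, sorted(result[name]["errs"]), len(result[name]["failed"]), "user(s)")
```

The forum paste wraps each log entry across several lines, so run this against the log file itself rather than against text copied from the thread.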


    Re: Apache 2 failed to create path context with LDAP authentication  
Automatic reply




 
12-13-05 12:45 PM

Ashland,

It appears that in the past few days you have not received a response to your
posting.  That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://support.novell.com/forums/






