auth_ldap returns "Password Mismatch" but the password is correct

on 03.12.2009 10:13:43 by Sandro Tosi

Hello,
we've migrated part of our apache auth to LDAP, but suddenly we receive
errors like "Password Mismatch" while the user's password is correct.

In the log we can read:

[Wed Dec 02 17:42:54 2009] [warn] [client ] [3659] auth_ldap
authenticate: user authentication failed; URI /
[ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Wed Dec 02 17:42:54 2009] [error] [client ]] user :
authentication failure for "/": Password Mismatch

but if we use ldapsearch command to bind to the ldap servers, with the
very same username & password the user can login successfully.

The httpd.conf ldap relevant entries are:

# grep -i ldap /usr/local/apache/conf/httpd.conf
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPVerifyServerCert Off
LDAPTrustedMode STARTTLS
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

while the .htaccess we use is:

AuthType Basic
AuthName ""
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPURL ldaps:///dc=ABC,dc=DEF?uid?sub?(objectClass=*)
require ldap-group

The password mismatch for a user usually goes away after apache is
restarted, but then other users (that were able to login before restart)
start facing the login incorrect.

Could you please suggest what to do to resolve this really annoying problem?

Thanks in advance,
Sandro

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: auth_ldap returns "Password Mismatch" but the password is correct

on 18.12.2009 09:30:17 by Sandro Tosi

Didn't anyone experience "weird things" with ldap authentication? Like:

- password mismatch that gets solved by restarting apache
- password error, wait 10 minutes, relogin (with same username/password)
and you can enter

Any help and suggestion is appreciated, this is really critical for us
and we can't find any clear information about it.

Regards,
Sandro

Sandro Tosi wrote:
> Hello,
> we've migrated part of our apache auth to LDAP, but suddenly we receive
> errors like "Password Mismatch" while the user's password is correct.
>
> In the log we can read:
>
> [Wed Dec 02 17:42:54 2009] [warn] [client ] [3659] auth_ldap
> authenticate: user authentication failed; URI /
> [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
> [Wed Dec 02 17:42:54 2009] [error] [client ]] user :
> authentication failure for "/": Password Mismatch
>
> but if we use ldapsearch command to bind to the ldap servers, with the
> very same username & password the user can login successfully.
>
> The httpd.conf ldap relevant entries are:
>
> # grep -i ldap /usr/local/apache/conf/httpd.conf
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LDAPVerifyServerCert Off
> LDAPTrustedMode STARTTLS
> LDAPSharedCacheSize 200000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> while the .htaccess we use is:
>
> AuthType Basic
> AuthName ""
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative Off
> AuthLDAPBindDN
> AuthLDAPBindPassword
> AuthLDAPURL ldaps:///dc=ABC,dc=DEF?uid?sub?(objectClass=*)
> require ldap-group
>
> The password mismatch for a user usually goes away after apache is
> restarted, but then other users (that were able to login before restart)
> start facing the login incorrect.
>
> Could you please suggest what to do to resolve this really annoying problem?
>
> Thanks in advance,
> Sandro