Frequently Asked Questions

Here is a list of frequently asked questions (and answers) for auth_ldap. More questions and answers can be found on the auth_ldap mailing list, at http://www.rudedog.org/auth_ldap/.

Contents

• Where is ldap_ssl.h?
• Compile Dies with Error About __builtin_va_alist
• Compile Dies With "-o: not found"
• Undefined Symbols for LoadModule
• Incompatible Module after Apache Upgrade
• Apache Doesn't Recognize Any auth_ldap Directives
• Undefined Symbol: pthread_create
• Apache Crashes with a Segfault
• Can I Pass the LDAP Password to a CGI Program?
• auth_ldap Asks for Authentication Twice
• AuthType (or AuthName) Not Set
• Cannot Parse LDAP URL
• Some DNs Don't Match with the require group Directive

The Questions

Question:

During compilation, it wants ldap_ssl.h. Where can I find this file?

Answer:

This file comes with the Netscape SDK and the OpenLDAP SDK.

Question:

I'm trying to compile auth_ldap with GCC on a Solaris system, and the compile dies with

auth_ldap.c: In function `auth_ldap_log_reason':
auth_ldap.c:130: `__builtin_va_alist' undeclared (first use in this
function)
auth_ldap.c:130: (Each undeclared identifier is reported only once
auth_ldap.c:130: for each function it appears in.)
*** Error code 1
make: Fatal error: Command failed for target `auth_ldap.o'
Exit 1
      

Answer:

auth_ldap is being compiled with the -I/usr/include option. Figure out why, and get rid of it. Compiling with -I/usr/include and GCC causes GCC's varargs to barf.

Question:

I'm trying to compile auth_ldap and I get the following output

gcc -c -o auth_ldap.o -DSOLARIS2=270 -DUSE_EXPAT -I../lib/expat-lite
-Wall -I/usr/local/apache/include -I/disk/SDK/include auth_ldap.c
gcc -c -o auth_ldap_config.o -DSOLARIS2=270 -DUSE_EXPAT
-I../lib/expat-lite -Wall -I/usr/local/apache/include
-I/disk/SDK/include auth_ldap_config.c
gcc -c -o auth_ldap_cache.o -DSOLARIS2=270 -DUSE_EXPAT
-I../lib/expat-lite -Wall -I/usr/local/apache/include
-I/disk/SDK/include auth_ldap_cache.c
-o auth_ldap.so auth_ldap.o auth_ldap_config.o auth_ldap_cache.o
-lldapssl40
/bin/sh: -o: not found
make: *** [auth_ldap.so] Error 1
      

Answer:

This is typically caused when Apache hasn't been compiled with dynamic module (mod_so) support. The output of the command apxs -q LD_SHLIB is blank, when it should print the name of the loader program to use (usually ld). If you're sure that your Apache has been built with mod_so, you should try to rebuild Apache from a clean build tree. I have seen instances where the apxs command was out of date with respect to the real Apache configuration, and a clean rebuild fixed it.

Question:

The module compiled fine, but when Apache tries to load it, I get the message

Syntax error on line 202 of /opt/apache/conf/httpd.conf:
Cannot load /opt/apache/libexec/auth_ldap.so into server:
/opt/apache/libexec/auth_ldap.so: undefined symbol: ldap_foo_bar
/opt/apache/bin/apachectl start: httpd could not be started 

Answer:

Apache is not finding the LDAP shared libraries. This is very common if the libraries are not put into /usr/lib or some other directory that the shared loader automatically searches.

On Solaris, you can supply the runtime search path at link time by adding -R/path/to/ldap/libdir to LIBS in the Makefile.

On Linux, you could add the path to /etc/ld.so.conf, or you could add -Wl,-rpath,/path/to/ldap/libdir to LIBS in the Makefile.

Other operating systems probably have similar solutions.

Note that configure will not figure this out for you. If you need to have these extra flags, then invoke configure with extra values for LDFLAGS. For example, under Linux, you would run

LDFLAGS='-Wl,-rpath,/path/to/ldap/libdir' ./configure --option ...

Question:

auth_ldap was working fine under my old version of Apache, but now that we've upgraded Apache, auth_ldap doesn't work any more. Apache says that the module is incompatible with this version of Apache.

Answer:

Whenever you upgrade Apache, you usually have to re-compile all of your extra Apache modules. Apache makes no guarantees that a module will be binary-compatible between releases. Modules are usually source-compatible between releases, and auth_ldap is known to work with all of the 3.x versions of Apache.

Question:

The module builds fine, and the LoadModule works OK, but if I try to use some auth_ldap directives, I get the following error:

Syntax error on line 937 of /etc/httpd/conf/httpd.conf:
Invalid command 'AuthLDAPURL', perhaps mis-spelled or defined by a
  module not included in the server configuration
      

Answer:

It's possible that you have a ClearModuleList directive in your Apache configuration. If so, you will also need a AddModule auth_ldap.c directive. The default httpd.conf file that is distributed with Apache usually does have the ClearModuleList directive, so this is very likely to occur if your Apache configuration is based on the distributed one.

Question:

auth_ldap compiles fine, but when I try to load it with the LoadModule directive, Apache complains with the error undefined symbol: pthread_create. I'm using the Netscape SDK on Linux.

Answer:

You have to add -lpthread to LIBS in the Makefile.

Question:

Apache crashes with a segfault.

Answer:

One situation where I've seen this is if you are using PHP with LDAP support and PHP is linked against one LDAP SDK, while auth_ldap is linked against a different LDAP SDK.

Question:

How can I pass the LDAP password to a CGI program?

Answer:

The short answer is that you can't.

The long answer is that there are a couple of ways to do this, but enabling this can cause an extremely big security hole on your server unless you completely understand the implications of what you're about to do.

First, Apache has an un-documented compile-time option that will cause it to pass the Authorization header to CGI programs, so if you absolutely feel that you need this, you should read the Apache source and re-compile Apache.

Some embedded scripting languages, such as mod_perl and PHP, provide you with access to all of Apache's internal variables, so you could also use these to access the password. If you are already using Perl CGI programs, then it would be fairly easy to migrate them to mod_perl using Apache::Registry.

I have had a lot of requests for this feature (and even a couple of patches), but I am loathe to add this to auth_ldap because it adds one more potential vulnerability to the Apache server, and it would further complicate any security audit. Since there are already multiple mechanisms available to to access the password, I don't believe that adding another one to auth_ldap would be appropriate.

Question:

auth_ldap is working, but the first time I load a page, it asks for authentication twice.

Answer:

This is not really an auth_ldap problem. It usually happens when Apache authenticates a client, then sends the client a redirect. The client thinks that the redirected page is not in the same realm as the page it already provided credentials for, so it doesn't send the credentials when it does its new request, causing Apache to ask for credentials again. This is most common when the first URL was for a directory, but didn't include the trailing slash. For more information, see the Apache FAQ.

Question:

auth_ldap loads fine, but when I try to protect a directory, it doesn't work. The Apache logs say Couldn't perform authentication. AuthType not set!

Answer:

You need to provide both the AuthType and AuthName directives. These are standard Apache directives, and are required for any authentication module.

Question:

I'm using auth_ldap with OpenLDAP, and when it starts, I get the error message Cannot parse LDAP URL. The URL looks fine to me.

Answer:

The exact cause of this problem is not yet known, but it appears to be some kind of strange interaction with Apache and OpenLDAP. Make sure that you have the latest versions of each.

Question:

The require group directive only works if the spaces in the user's DN exactly match the spaces for the uniquemember attribute in the group entry. I thought spaces didn't matter in distinguished names? I'm using OpenLDAP.

Answer:

OpenLDAP doesn't define the uniquemember attribute. If an attribute is not defined in OpenLDAP, it defaults to having CIS syntax. With DN syntax, differing whitespace is considered equal in an LDAP compare, but with CIS syntax, differing whitespace is considered different. You will have to add uniquemember to your slapd.at.conf file.