Debugging Apache LDAP Authentication Failures: Can’t Contact LDAP Server Error


2 views

When Apache suddenly stops communicating with your LDAP server while other services continue working normally, it's one of those head-scratching moments that can ruin your day. The specific error we're seeing:

auth_ldap authenticate: user foo authentication failed; URI /FrontPage 
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

This is particularly frustrating because:

  • Command-line ldapsearch works fine
  • System logins via LDAP function normally
  • The configuration hasn't changed recently
  • SSL certificate renewals didn't resolve the issue

Before diving deep, let's verify some fundamentals:

# Test basic LDAP connectivity
ldapsearch -x -H ldaps://domain.server.ip -b "dc=full,dc=context,dc=server,dc=name" \
-D "cn=ldapbinduser,cn=Users,dc=full,dc=context,dc=server,dc=name" -w password

# Check certificate validity
openssl s_client -connect domain.server.ip:636 -showcerts

The configuration snippet shows a common setup, but let's enhance it with troubleshooting parameters:

<Directory "/web/wiki/">
    # Existing configuration
    AuthLDAPUrl "ldaps://domain.server.ip/dc=full,dc=context,dc=server,dc=name?sAMAccountName?sub"
    
    # Add these debugging parameters
    AuthLDAPMaxSubGroupDepth 10
    AuthLDAPSubGroupAttribute member
    AuthLDAPSubGroupClass group
    AuthLDAPBindAuthoritative off
    LDAPVerifyServerCert off
    
    # Logging directives
    LogLevel debug
    ErrorLog /var/log/apache2/ldap_debug.log
</Directory>

Certificate Chain Issues

Even if your certificate isn't expired, intermediate certificate problems can cause silent failures. Try:

# Update CA certificates
apt-get install ca-certificates  # Debian/Ubuntu
yum install ca-certificates      # CentOS/RHEL

# Configure Apache to use system certs
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-certificates.crt

Timeout Parameters

Network blips might require adjusting timeouts:

LDAPConnectionTimeout 30
LDAPOpTimeout 45
LDAPRetryDelay 1
LDAPRetryLimit 3

Protocol Version Mismatch

Some AD servers require explicit protocol specification:

LDAPProtocolVersion 3
AuthLDAPInitialBindAsUser on

When standard approaches fail, try these methods:

# Strace Apache processes
strace -f -p $(pgrep apache2) -e trace=network -s 10000 -o /tmp/apache_ldap.strace

# Network packet capture
tcpdump -i any -w ldap_capture.pcap port 636

# LDAP library debugging
export LDAPDEBUG=65535
systemctl restart apache2

If problems persist, consider these architectural alternatives:

# Option 1: Fallback to non-SSL (temporary test only)
AuthLDAPUrl "ldap://domain.server.ip/dc=full,dc=context,dc=server,dc=name?sAMAccountName?sub"

# Option 2: Use explicit port specification
AuthLDAPUrl "ldaps://domain.server.ip:636/dc=full,dc=context,dc=server,dc=name?sAMAccountName?sub"

# Option 3: Implement LDAP caching
<IfModule mod_authnz_ldap_cache>
    AuthnzLDAPCache on
    AuthnzLDAPCacheEntries 1024
    AuthnzLDAPCacheTTL 300
</IfModule>

Remember to test configuration changes incrementally and monitor your error logs closely after each modification.

Yesterday, my Apache server suddenly stopped authenticating against our Active Directory server via LDAPS. The error logs showed:

auth_ldap authenticate: user foo authentication failed; URI /FrontPage 
[LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

What's particularly puzzling is that:

  • ldapsearch from command line works perfectly
  • SSH login using LDAP credentials works
  • The SSL handshake completes successfully
  • Only Apache's mod_authnz_ldap is affected

First suspect was certificate expiration. Even though creating new certs didn't help, let's verify the certificate chain:

openssl s_client -connect domain.server.ip:636 -showcerts

Looking at the Apache LDAP configuration:

AuthLDAPUrl ldaps://domain.server.ip/dc=full,dc=context,dc=server,dc=name?sAMAccountName?sub
AuthLDAPBindDN cn=ldapbinduser,cn=Users,dc=full,dc=context,dc=server,dc=name
AuthLDAPBindPassword password

Option 1: LDAP Connection Timeout
Add these directives to your Apache config:

LDAPConnectionTimeout 10
LDAPRetries 3
LDAPRetryDelay 5

Option 2: TLS Protocol Configuration
Force specific TLS versions in httpd.conf:

LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.crt
LDAPVerifyServerCert off

Option 3: Alternative Bind Method
Try SASL authentication instead:

AuthLDAPBindMethod sasl
AuthLDAPRemoteSASLMechanism GSSAPI

Enable verbose logging in your Apache config:

LogLevel debug
LDAPLibraryDebug 7

This will show you the complete LDAP transaction sequence in error logs.

Verify network connectivity from Apache to LDAP:

tcpdump -i any port 636 -n -v
telnet domain.server.ip 636

Check if SELinux might be blocking the connection:

audit2allow -a
setsebool -P httpd_can_network_connect 1

As a temporary workaround, you might consider using mod_auth_sspi for Windows authentication:

LoadModule auth_sspi_module modules/mod_auth_sspi.so
<Location /secure>
    AuthType SSPI
    AuthName "SSPI Authentication"
    SSPIAuth On
    SSPIAuthoritative On
    require valid-user
</Location>