When configuring Apache2 with authnz_ldap_module against Active Directory, getting authentication working can be tricky. The error messages often don't tell the full story. Let's dissect a common scenario:
# Sample error from Apache logs
[debug] mod_authnz_ldap.c(379): [client 192.168.1.100] [12391] auth_ldap authenticate: using URL ldap://server1.company.tld:3268
[info] [client 192.168.1.100] [12391] auth_ldap authenticate: user testuser authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
The core issue typically lies in the LDAP bind operation. Active Directory requires proper binding before any search operations. The initial configuration might look like:
AuthBasicProvider ldap
AuthType Basic
AuthName "AD Auth"
AuthLDAPURL "ldap://dc1.company.tld:3268/dc=company,dc=tld?sAMAccountName?sub"
AuthLDAPBindDN "CN=binduser,OU=Service Accounts,DC=company,DC=tld"
AuthLDAPBindPassword "password123"
Require valid-user
But this often fails with "Invalid credentials" even when credentials are correct.
First verify connectivity with ldapsearch. The working syntax for AD is:
ldapsearch -x -H ldap://dc1.company.tld:389 \
-D "CN=binduser,OU=Service Accounts,DC=company,DC=tld" \
-W -b "DC=company,DC=tld" \
-s sub "(sAMAccountName=testuser)"
Key parameters:
-x: Simple authentication
-H: LDAP server URI
-D: Bind DN (service account)
-W: Prompt for password
Here are frequent issues in Apache LDAP config:
# Wrong (using uid instead of CN)
AuthLDAPBindDN "uid=binduser,dc=company,dc=tld"
# Correct (AD typically uses CN)
AuthLDAPBindDN "CN=binduser,OU=Service Accounts,DC=company,DC=tld"
# Port choice (3268 vs 389): 3268 is the Global Catalog, 389 the domain LDAP port
AuthLDAPURL "ldap://dc1.company.tld:3268/..."
# Start with 389; the Global Catalog port (3268) may be needed for forest-wide searches
A verified working configuration:
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
<Location /secure>
AuthType Basic
AuthName "AD Authentication"
AuthBasicProvider ldap
AuthLDAPURL "ldap://dc1.company.tld:389/DC=company,DC=tld?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=company,DC=tld"
AuthLDAPBindPassword "securePassword123"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require valid-user
# Optional group restriction
# Require ldap-group CN=WebUsers,OU=Groups,DC=company,DC=tld
</Location>
When debugging:
- Enable verbose LDAP logging in Apache:
LogLevel debug
- Check AD account lockout policies
- Verify service account permissions
- Try connecting to port 389 first, then 3268
- Test with simple usernames before implementing group restrictions
Remember that AD is particular about DN formatting. The Microsoft ADSI Edit tool can help you discover the exact DN format for your environment.
When configuring Apache2 (version 2.2.16-6+squeeze10) with authnz_ldap_module for Active Directory authentication, many developers encounter cryptic "Invalid credentials" errors despite entering correct passwords. Your configuration attempts likely resemble:
AuthzLDAPAuthoritative off
AuthBasicProvider ldap
AuthType Basic
AuthName "Active Directory"
AuthLDAPURL "ldap://server1.my.company.tld:3268 server2.my.company.tld:3268/dc=my,dc=company,dc=tld?sAMAccountName?sub"
AuthLDAPBindDN "uid=my_user,dc=my,dc=company,dc=tld"
AuthLDAPBindPassword "mypassword"
Require valid-user
The error logs typically show:
[debug] mod_authnz_ldap.c(379): auth_ldap authenticate: using URL ldap://...
[info] auth_ldap authenticate: user my_user authentication failed [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[error] user my_user: authentication failure for "/": Password Mismatch
The root issue often lies in incorrect binding parameters. For AD authentication, consider these key aspects:
- Global Catalog port (3268) vs standard LDAP port (389)
- Proper DN formatting for service accounts
- Secure connection requirements
Here's a verified working configuration for AD authentication:
# Apache 2.2 LDAP AD Configuration
AuthLDAPURL "ldap://dc1.company.tld:3268/DC=company,DC=tld?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ServiceAccount,OU=ServiceAccounts,DC=company,DC=tld"
AuthLDAPBindPassword "ServiceAccountPassword"
# AuthLDAPSubGroupClass (nested-group support) exists only in Apache 2.4; leave it out on 2.2 or httpd refuses to start
# AuthLDAPSubGroupClass group
AuthLDAPGroupAttribute "member"
AuthLDAPGroupAttributeIsDN on
AuthType Basic
AuthName "AD Authentication"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
Require valid-user
Before debugging Apache, verify LDAP connectivity using ldapsearch:
ldapsearch -x -H ldap://server1.company.tld:3268 \
-D "CN=ServiceAccount,OU=ServiceAccounts,DC=company,DC=tld" \
-W -b "DC=company,DC=tld" \
"(sAMAccountName=testuser)"
Common causes of the "Invalid credentials" failure:
- Incorrect service account DN format (use CN instead of uid)
- Missing Global Catalog port specification
- SSL/TLS requirements not met
- Group membership verification issues
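As an added illustration of the pitfalls listed here and in the earlier "frequent issues" block (example code, not part of the original page or of mod_authnz_ldap), this Python linter splits an AuthLDAPURL according to the module's documented grammar (scheme://host[:port] [host ...]/basedn?attribute?scope?filter, with the module's defaults) and flags a uid= bind DN, a lookup attribute other than sAMAccountName, the 389/3268 port choice and cleartext ldap:// before the config is ever loaded into httpd. The function and finding names are my own.

```python
import re
from urllib.parse import unquote

# AuthLDAPURL grammar from the mod_authnz_ldap docs:
#   scheme://host[:port] [host[:port] ...]/basedn?attribute?scope?filter
_URL_RE = re.compile(
    r"^(ldaps?)://([^/]*)/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$")


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, applying the module's defaults."""
    m = _URL_RE.match(url.strip().strip('"'))
    if not m:
        raise ValueError("not an AuthLDAPURL: %r" % url)
    scheme, hosts, basedn, attr, scope, filt = m.groups()
    return {
        "scheme": scheme,
        "hosts": hosts.split(),            # space-separated failover list
        "basedn": unquote(basedn),
        "attribute": attr or "uid",        # module default; AD users have no uid
        "scope": (scope or "sub").lower(),
        "filter": filt or "(objectClass=*)",
    }


def lint_ad_config(url, bind_dn):
    """Return (severity, message) findings for the AD pitfalls discussed above."""
    u = parse_auth_ldap_url(url)
    out = []
    if u["attribute"].lower() != "samaccountname":
        out.append(("error", "lookup attribute %r: AD logins match sAMAccountName"
                    % u["attribute"]))
    if not re.search(r"(^|,)\s*dc=", u["basedn"], re.I):
        out.append(("error", "base DN %r has no DC= components" % u["basedn"]))
    if bind_dn.strip('"').lower().startswith("uid="):
        out.append(("error", "bind DN uses uid=; AD accounts bind as CN=...,OU=...,DC=..."))
    if u["scheme"] == "ldap":
        out.append(("warn", "plain ldap://: bind passwords cross the wire in clear; "
                            "use ldaps:// or LDAPTrustedMode TLS"))
    for host in u["hosts"]:
        default = 636 if u["scheme"] == "ldaps" else 389
        port = int(host.rsplit(":", 1)[1]) if ":" in host else default
        if port == 3268:
            out.append(("info", "%s: Global Catalog port, forest-wide but only "
                                "GC-replicated attributes; try 389 if lookups fail" % host))
        elif port not in (389, 636, 3269):
            out.append(("warn", "%s: port %d is not a standard AD LDAP port" % (host, port)))
    return out
```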
For production environments, consider adding:
# Nested-group search depth (mod_authnz_ldap, Apache 2.4+ only)
AuthLDAPMaxSubGroupDepth 5
# Connection pooling and timeouts (mod_ldap directives, server-wide; LDAPConnectionPoolTTL is 2.4+)
LDAPConnectionPoolTTL 600
LDAPConnectionTimeout 10
# TLS: trust the AD CA (server config, outside any VirtualHost), then upgrade ldap:// connections with STARTTLS
LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.crt
LDAPTrustedMode TLS