Getting LDAP initialization failed when using mod_ldap/mod_authnz_ldap with Apache httpd

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL)
  • Red Hat Software Collections (RHSCL)
  • Red Hat JBoss Web Server (JWS)
  • Red Hat JBoss Core Services (JBCS)
  • Apache httpd (rpm install)

Issue

  • When starting Apache, this appears in the error_log:

        [info] [client 127.0.0.1] [2519] auth_ldap authenticate: user test authentication failed; URI /ldap [LDAP: ldap initialization failed][Unknown (private extension) error]
    

Resolution

  • Install the LDAP drivers for linux via the following yum command and restart Apache httpd:

    $ yum install apr-util-ldap
    
  • Note that if an alternative distribution (RHSCL or JBCS) is being used, the package will have a different name. For example for JBCS:

    $ yum install jbcs-httpd24-apr-util-ldap
    

Root Cause

  • The LDAP drivers libraries are not installed on the OS.
  • Apache httpd zip installation packages do not use the OS libraries, the libraries are included in the packages so these installations are not affected by this issue. Refer to LDAP authentication failing using httpd zip installation if seeing similar symptoms on a zip installation.

Diagnostic Steps

  • The httpd error log contains the following messages:

    [Fri Jul 21 13:16:14.530975 2017] [authz_core:debug] [pid 29569] mod_authz_core.c(809): [client 127.0.0.1:51234] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Fri Jul 21 13:16:14.530999 2017] [authz_core:debug] [pid 29569] mod_authz_core.c(809): [client 127.0.0.1:51234] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Fri Jul 21 13:16:14.531026 2017] [authnz_ldap:debug] [pid 29569] mod_authnz_ldap.c(516): [client 127.0.0.1:51234] AH01691: auth_ldap authenticate: using URL ldap://test.example.com/dc=example,dc=com?uid
    [Fri Jul 21 13:16:14.531143 2017] [authnz_ldap:debug] [pid 29569] mod_authnz_ldap.c(554): [client 127.0.0.1:51234] AH01694: auth_ldap authenticate: user USER authentication failed; URI /status [LDAP: ldap initialization failed][Unknown (private extension) error] (not authoritative)
    
  • Running the following command yields no results:

    $ yum list installed | grep apr-util-ldap
    
  • Check if apr_ldap file is loaded

    $ lsof -p <HTTPD_PID> | grep apr_ldap
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.