We recently upgraded a NetWare 6.0 server running Apache 1.3.x to NetWare
6.5 SP4a with Apache 2.0.54. We had been using Mod_NDS to provide
authentication for internal webpages. This worked fine under Apache 1.3.
After the upgrade and much reconfiguration, we are not able to consistently
authenticate using Mod_AUTH_LDAP. Using DSTrace we can see the
authentication work and the appropriate UID being returned, but the Apache
error log shows "failed to create path context" err: -632.

This almost always fails for users in specific containers and almost
always works for users in other containers. Making a user admin equivalent
does not enable them to login. I even temporarily set the LDAP anonymous
user to admin equivalent with no change.

Apache does load sapi_apache2.c, mod_jk.c, util_ldap.c, mod_auth_ldap.c,
and mod_edir.c.

Here is the section of the httpd.conf file for the virtual host we are
having issues with.


ServerName eagleweb.ashland.edu
DocumentRoot VOL1:\eagleweb

# SOURCE OBJECT: cn=eagleweb-Directory,cn=eagleweb.ashland.edu,cn=JASPER,cn=Net Ware Group,cn=Apache Group,o=ashlandu


Options Indexes Multiviews
AllowOverride None
Order deny,allow
Allow from all


# SOURCE OBJECT: cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu

Alias /facstaff "VOL1:/eagleweb/facstaff"

# SOURCE OBJECT: cn=facstaff-Directory,cn=eagleweb.ashland.edu,cn=JASPER,cn=Net Ware Group,cn=Apache Group,o=ashlandu


Options FollowSymLinks Indexes MultiViews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "Protected"
require edir-user
AuthLDAPAuthoritative On
AuthLDAPURL ldap://jasper.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub


# SOURCE OBJECT: cn=eagleweb.ashland.edu,cn=JASPER,cn=NetWare Group,cn=Apache Group,o=ashlandu



Here are excerpts from the Apache error log showing both failed and
successful logins. We have replaced IP addresses and usernames, but they are
correct.


Log entry for user that fails

[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(337): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: using URL
ldap://servername.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(411): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: accepting faileduser,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] rdirutils.c(534): Checking mod_eDir
cache for purgible entries
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(182): [client
xxx.xxx.xxx.xxx] MOD_eDIR user DN:
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] rdirutils.c(455): [client
xxx.xxx.xxx.xxx] Checking cache for entry
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(187): [client
xxx.xxx.xxx.xxx] server path root is VOL1:, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_edir.c(198): [client
xxx.xxx.xxx.xxx] Created identity 65537 for
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on server
servername, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [error] [client xxx.xxx.xxx.xxx] failed to
create path context for
cn=faileduser.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err:
-632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:01 2005] [debug] mod_auth_ldap.c(702): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authorise: authorisation denied, referer:
http://eagleweb.ashland.edu/home-header.htm

Log entry for user that gains access

[Tue Nov 29 14:02:08 2005] [debug] mod_auth_ldap.c(337): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: using URL
ldap://servername.ashland.edu/OU=Users,OU=AU-Main,O=ASHLANDU?uid?sub,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_auth_ldap.c(411): [client
xxx.xxx.xxx.xxx] [10] auth_ldap authenticate: accepting successfuluser,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(534): Checking mod_eDir
cache for purgible entries
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(182): [client
xxx.xxx.xxx.xxx] MOD_eDIR user DN:
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(455): [client
xxx.xxx.xxx.xxx] Checking cache for entry
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(187): [client
xxx.xxx.xxx.xxx] server path root is VOL1:, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(198): [client
xxx.xxx.xxx.xxx] Created identity 65538 for
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU on server
servername, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(209): [client
xxx.xxx.xxx.xxx] Created path context 3 for
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer:
http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(379): [client
xxx.xxx.xxx.xxx] Adding
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU to the cache,
referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] rdirutils.c(424): [client
xxx.xxx.xxx.xxx]
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU added to the
cache, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(240): [client
xxx.xxx.xxx.xxx] edir user
cn=successfuluser.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU authorization
established, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(81): [client
xxx.xxx.xxx.xxx]
Clean up hit, setting setcwd2 to NULL, referer:
http://eagleweb.ashland.edu/home-header.htm

Here is the DSTrace log for the failed user:

(server xxx.xxx.xxx.xxx)(0x0019:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Treating simple bind with empty DN
and no password as anonymous
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Bind name:NULL, version:3,
authentication:simple
(server xxx.xxx.xxx.xxx)(0x0019:0x60) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) DoSearch on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Search request:
base: "OU=Users,OU=AU-Main,O=ASHLANDU"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(uid=faileduser))"
attribute: "uid"
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Sending search result entry
"cn=faileduser,ou=FacStaff,ou=Users,ou=AU-Main,o=ASHLANDU" to connection
0x82144b60
(server xxx.xxx.xxx.xxx)(0x001a:0x63) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001b:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001b:0x60) Bind
name:cn=faileduser,ou=FacStaff,ou=Users,ou=AU-Main,o=ASHLANDU, version:3,
authentication:simple
(server xxx.xxx.xxx.xxx)(0x001b:0x60) Sending operation result 0:"":"" to
connection 0x82144b60
Checking for configuration changes

DSTrace log for successful user

(server xxx.xxx.xxx.xxx)(0x001c:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Treating simple bind with empty DN
and no password as anonymous
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Bind name:NULL, version:3,
authentication:simple
(server xxx.xxx.xxx.xxx)(0x001c:0x60) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) DoSearch on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Search request:
base: "OU=Users,OU=AU-Main,O=ASHLANDU"
scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectclass=*)(uid=successfuluser))"
attribute: "uid"
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Sending search result entry
"cn=successfuluser,ou=AcadTech,ou=Users,ou=AU-Main,o=ASHLANDU" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001d:0x63) Sending operation result 0:"":"" to
connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001e:0x60) DoBind on connection 0x82144b60
(server xxx.xxx.xxx.xxx)(0x001e:0x60) Bind
name:cn=successfuluser,ou=AcadTech,ou=Users,ou=AU-Main,o=ASHLANDU,
version:3, authentication:simple
(server xxx.xxx.xxx.xxx)(0x001e:0x60) Sending operation result 0:"":"" to
connection 0x82144b60

Has anyone got this working? Do you see anything wrong with the conf
file?
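
To check the per-container pattern described in the post across a whole error log, the mod_edir outcomes can be tallied by the user's parent container. This is an added example, not part of the original post or of Apache/mod_edir; it assumes the log is read unwrapped (one entry per line) and the sample lines, user names and client address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the error log excerpts above, one entry per
# line; user names and the client address are placeholders.
SAMPLE_LOG = """\
[Tue Nov 29 14:02:01 2005] [error] [client 192.0.2.10] failed to create path context for cn=user1.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err: -632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:02:08 2005] [debug] mod_edir.c(209): [client 192.0.2.10] Created path context 3 for cn=user2.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:03:11 2005] [error] [client 192.0.2.10] failed to create path context for cn=user3.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU on VOL1:. err: -632 errno: 0, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:04:30 2005] [debug] mod_edir.c(209): [client 192.0.2.10] Created path context 4 for cn=user4.ou=FacStaff.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
[Tue Nov 29 14:05:02 2005] [debug] mod_edir.c(209): [client 192.0.2.10] Created path context 5 for cn=user5.ou=AcadTech.ou=Users.ou=AU-Main.o=ASHLANDU, referer: http://eagleweb.ashland.edu/home-header.htm
"""

FAIL = re.compile(r"failed to create path context for (cn=.+?) on \S+\. err: (-?\d+)")
OK = re.compile(r"Created path context \d+ for (cn=.+?), referer:")

def container_of(dn):
    # mod_edir logs dot-delimited DNs; everything after the first component
    # (the user's cn) is treated as the parent container.
    return dn.split(".", 1)[1] if "." in dn else ""

def tally_by_container(log_text):
    """Count path-context successes and failures per parent container."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "errs": set()})
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            entry = stats[container_of(m.group(1))]
            entry["fail"] += 1
            entry["errs"].add(int(m.group(2)))  # error code reported by mod_edir
            continue
        m = OK.search(line)
        if m:
            stats[container_of(m.group(1))]["ok"] += 1
    return dict(stats)

def failure_rates(stats):
    """Rows of (container, failures, successes, failure rate), worst first."""
    rows = [(c, s["fail"], s["ok"], s["fail"] / (s["fail"] + s["ok"]))
            for c, s in stats.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for container, fail, ok, rate in failure_rates(tally_by_container(SAMPLE_LOG)):
        print(f"{container}: {fail} failed, {ok} ok ({rate:.0%} failing)")
```

A container that sits at or near 100% failing while its siblings succeed points at something specific to that container rather than at the LDAP bind, which the DSTrace output shows succeeding for both users.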