I've run into another quirk during my 2.5 upgrade process. We use the Apache ldap authnz module with a configuration such as:

AuthLDAPURL ldaps://ldap.cpp.edu:636/DC=cpp,DC=edu?uid Require ldap-group uid=unxadmin,ou=group,dc=cpp,dc=edu

This stopped working when accessing a server updated to 2.5. On the 2.4 server, the Apache logs look like:

[Wed Nov 10 15:07:52.056237 2021] [authnz_ldap:debug] [pid 29887] mod_authnz_ldap.c(926): [client 10.104.223.117:51050] AH01714: auth_ldap authorize: require group: testing for member: uid=henson,ou=user,dc=cpp,dc=edu (uid=unxadmin,ou=group,dc=cpp,dc=edu) [Wed Nov 10 15:07:52.056264 2021] [authnz_ldap:debug] [pid 29887] mod_authnz_ldap.c(935): [client 10.104.223.117:51050] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]

and the slapd logs look like:

Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member" Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 RESULT tag=111 err=6 text= Nov 10 15:08:42 ldap-01 slapd[1233]: conn=224154 fd=138 closed (connection lost)

whereas on the 2.5 server, the Apache logs look like:

[Wed Nov 10 15:03:52.375004 2021] [authnz_ldap:debug] [pid 29088] mod_authnz_ldap.c(926): [client 10.104.223.117:51022] AH01714: auth_ldap authorize: require group: testing for member: uid=henson,ou=user,dc=cpp,dc=edu (uid=unxadmin,ou=group,dc=cpp,dc=edu) [Wed Nov 10 15:03:52.375887 2021] [authnz_ldap:debug] [pid 29088] mod_authnz_ldap.c(945): [client 10.104.223.117:51022] AH01719: auth_ldap authorize: require group "uid=unxadmin,ou=group,dc=cpp,dc=edu": didn't match with attr member [Comparison false (adding to cache)][5 - Compare False]

and the slapd logs look like:

Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member" Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 RESULT tag=111 err=5 qtime=0.000011 etime=0.000139 text=

If I understand correctly, Apache is making a compare call to check to see if my DN (uid=henson,ou=user,dc=cpp,dc=edu) exists as a value of the member attribute in the group uid=unxadmin,ou=group,dc=cpp,dc=edu. It certainly does, on both the server running 2.4 and 2.5:

dn: uid=unxadmin,ou=group,dc=cpp,dc=edu objectClass: groupOfNames objectClass: cppGroup objectClass: posixGroup uid: unxadmin cn: Unix Administrators gidNumber: 17730 member: member: uid=gkuri,ou=user,dc=cpp,dc=edu member: uid=henson,ou=user,dc=cpp,dc=edu memberUid: gkuri memberUid: henson

Any thoughts on why this is behaving differently? The configuration should be pretty much identical, modulo required path changes and updating the memberOf handling.

I was able to work around it by sitting a couple of additional parameters:

AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off

This now compares just my uid (henson) to the group memberUid attribute:

Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="memberUid" Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 RESULT tag=111 err=6 qtime=0.000016 etime=0.000108 text=

Apparently "err=6" is good and "err=5" is not :)? I was able to replicate this difference in behavior using the CLI tools:

# ldapcompare -x -H ldaps://ldap-01.ldap.cpp.edu/ uid=unxadmin,ou=group,dc=cpp,dc=edu member:uid=henson,ou=user,dc=cpp,dc=edu TRUE

# ldapcompare -x -H ldaps://ldap-03.ldap.cpp.edu/ uid=unxadmin,ou=group,dc=cpp,dc=edu member:uid=henson,ou=user,dc=cpp,dc=edu FALSE

ldapsearch confirms that attribute exists for that group in both locations:

ldapsearch -x -H ldaps://ldap-01.ldap.cpp.edu/ member=uid=henson,ou=user,dc=cpp,dc=edu dn | grep unxadmin # unxadmin, group, cpp.edu dn: uid=unxadmin,ou=group,dc=cpp,dc=edu

# ldapsearch -x -H ldaps://ldap-03.ldap.cpp.edu/ member=uid=henson,ou=user,dc=cpp,dc=edu dn | grep unxadmin # unxadmin, group, cpp.edu dn: uid=unxadmin,ou=group,dc=cpp,dc=edu

Help :)? Thanks much…