Using mod_authnz_ldap with the Okta LDAP interface

We have Apache hosting a subversion server, and we’d like to use the Okta LDAP interface to authenticate our employees. However, with the server configured in this way we find operations on this repo will intermittently fail with a 500 error in the browser, or (when using the svn command line client) “svn: E175002: Unexpected server error 500 ‘Internal Server Error’ on ‘/path/to/file’”.

[edit] The 500 errors are caused by intermittent LDAP “server down” result codes from the Okta LDAP Interface, which doesn’t seem right (shouldn’t really be down?). Details follow.

We’re using mod_authnz_ldap. One of our subversion repos named “/foo” is configured like this:

<Location /foo>
    # Serve the repository over WebDAV (mod_dav_svn)
    DAV svn
    AuthType Basic
    AuthBasicProvider ldap
    AuthName foo_repo

    # Service account used for the initial search bind
    AuthLDAPBindDN "${BindDN}"
    AuthLDAPBindPassword "${BindPassword}"

    SVNPath /repo/svn/foo

    # AuthLDAPURL format: scheme://host:port/basedn?attribute?scope?filter
    AuthLDAPURL "ldaps://mycompany.ldap.okta.com:636/ou=users,dc=mycompany,dc=okta,dc=com?shortName?one?(objectClass=inetOrgPerson)"

    # Ideally we require by ldap-group, but that leads to another issue we'll mention separately
    Require valid-user
</Location>

The effect here should be that any user who authenticates with their Okta credentials is authorized to access this repo. The 500 errors I mentioned earlier seem to correspond to these errors in the Apache logs:

[Wed Jan 06 05:52:33.518169 2021] [authnz_ldap:info] [pid 18813:tid 139913282397952] [client ###.###.###.###:#####] AH01695: auth_ldap authenticate: user neilo authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Unknown error]

and with more verbose logging enabled in Apache we see this:

res_errno: 81, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_err2string
[Wed Jan 06 20:13:20.298287 2021] [authnz_ldap:info] [pid 6082:tid 140716382566144] [client ###.###.###.###:#####] AH01695: auth_ldap authenticate: user neilo authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Unknown error]

I believe that “res_errno: 81” is the LDAP response code LDAP_SERVER_DOWN. Repeating the same operation (e.g. reloading the page in the browser) often succeeds.

So the problem we have is that these errors cause the svn client to abort, but we can’t see a reason for them. This seems like a simple use case, any suggestions how to debug further and resolve?
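As an added example, not part of the original post and not Okta's or Apache's own guidance for this case: mod_authnz_ldap delegates its connections to mod_ldap, which pools bound connections and by default never expires them. When the server side has already closed a pooled connection, the next reuse of it is what the OpenLDAP client reports as LDAP_SERVER_DOWN (81), and mod_ldap only retries such transient failures a limited number of times with no delay. Whether the Okta LDAP Interface drops idle connections is not established in this thread, so this is a hypothesis to test rather than a known fix. The directive names below are real mod_ldap directives; the numeric values are assumptions to be tuned against the observed failure rate.

```apache
# Added example: mod_ldap pool and retry tuning. These belong in the main
# server config or a <VirtualHost>, not inside the <Location /foo> block.

# Default behaviour (shown commented out for comparison): pooled
# connections never expire, and a transient LDAP_SERVER_DOWN is retried
# 3 times with no pause between attempts.
#LDAPConnectionPoolTTL -1
#LDAPRetries 3
#LDAPRetryDelay 0

# Adjusted values (assumptions): drop pooled connections that have been
# idle longer than 60 s so a server-side idle timeout is not tripped on
# reuse, and space the retries out so a brief hiccup does not surface
# as a 500 to the svn client.
LDAPConnectionPoolTTL 60
LDAPRetries 3
LDAPRetryDelay 1

# Bound the connect and operation times so a hung connection fails fast
# instead of holding a worker thread.
LDAPConnectionTimeout 10
LDAPTimeout 30

# Keep certificate verification on for the ldaps:// URL in AuthLDAPURL
# (this is the default; stated here so it is not silently turned off).
LDAPVerifyServerCert On

# Optional while reproducing the failure: log the OpenLDAP client
# library's own debug output. Level 7 is very verbose; remove it after.
#LDAPLibraryDebug 7
```

After changing these, run `apachectl configtest` and reload, then watch for AH01695 lines with `res_errno: 81` in the error log; if the failures stop or drop sharply with a short LDAPConnectionPoolTTL, the stale-pooled-connection explanation is supported, and if they continue at the same rate the cause lies elsewhere (for example on the Okta side, which is where the support ticket belongs).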

Hello,
This doesn’t seem to be an issue with Okta’s LDAP agent used to integrate Okta with LDAP as an identity provider, but rather a question on integrating Apache with LDAP. Is that correct?

That’s correct, we’re trying to integrate a legacy Apache site with the Okta LDAP Interface, which seems to be what’s generating these “server down” response codes. We’re not running an Okta LDAP Agent, nor are we (not in this case) running our own LDAP server.

Hello Neilo,
The dev forum mostly deals with developer SDK/API integration question/issues.

I recommend either opening a case with Okta support or posting on the community discussion forum where they would have better expertise with the Okta LDAP Interface.

Thanks Erik, and already done, we opened a support ticket earlier this morning.