12 April,16 at 11:10 AM
Applies to: Centrify DirectControl 5.0.x and Apache HTTP SSO module 4.4.3.
Problem:
After installing the Centrify DirectControl 5.0.x agent and the Centrify Apache module on a Linux box, the default Apache page cannot be accessed with AD credentials.
Here is an example:
1. In /etc/pam.d, the "login" file is copied to "cdcapache"
2. In DirectManage (console), there is a Right: PAM Access > cdcapache
3. In DirectManage, there is a Role: WEB-ONLY > contains an AD group called "Non-Domain Users"
4. In ADUC, there is an AD group containing a few users called "Non-Domain Users".
5. In the Apache config file, the group and users are set to only be able to log in from one particular server ("rover" in this instance).
6. In httpd.conf, the following lines are configured:
Include /usr/share/centrifydc/apache/samples/conf/centrify22.conf
<Directory /var/www/html/CentrifySafe>
AllowOverride All
AuthType CENTRIFYDC
AuthName WebNative
EnableBasicAuth true
EnablePamAuth true
PamService /etc/pam.d/cdcapache
EnableNtlmAuth false
EnableKerberosAuth false
EnableNtlmReprompt false
IdentityType custom:_unixName
Require valid-user
Options ExecCGI
</Directory>
Here is the error message:
/usr/share/centrifydc/apache/bin/checkpwd: symbol lookup error:
/usr/share/centrifydc/apache/bin/checkpwd: undefined symbol:_ZN4cims5PropsEb
[Mon Dec 05 15:19:32 2011] [error] [client 127.0.1.1] Failed to validate
password of user x-testone via PAM service /etc/pam.d/cdcapache for URI
/CentrifySafe. Error: Unspecified error, referer: http://127.0.1.1
Cause:
Centrify's checkpwd (/usr/share/centrifydc/apache/bin/checkpwd) failed to run because it could not load all of its libraries, due to a library mismatch.
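A triage sketch for this failure, added here as an example (not Centrify code): it reads an Apache error log and marks each failed PAM validation as a loader failure when a "symbol lookup error" was logged just before it, so a broken helper is not mistaken for a bad password. The function names, the one-record-per-line log layout and the second sample record (user x-testtwo) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Centrify tooling). Assumes one log record per line.

# Constructed sample log modeled on the error above; the x-testtwo record
# is invented to show a failure with no loader error before it.
sample_log() {
cat <<'EOF'
/usr/share/centrifydc/apache/bin/checkpwd: symbol lookup error: /usr/share/centrifydc/apache/bin/checkpwd: undefined symbol: _ZN4cims5PropsEb
[Mon Dec 05 15:19:32 2011] [error] [client 127.0.1.1] Failed to validate password of user x-testone via PAM service /etc/pam.d/cdcapache for URI /CentrifySafe. Error: Unspecified error, referer: http://127.0.1.1
[Mon Dec 05 15:21:07 2011] [error] [client 127.0.1.1] Failed to validate password of user x-testtwo via PAM service /etc/pam.d/cdcapache for URI /CentrifySafe. Error: Unspecified error, referer: http://127.0.1.1
EOF
}

# For each failed PAM validation on stdin, print
#   "<user> loader-failure <binary> <symbol>" if a dynamic-loader error was
#   logged since the previous validation record, else "<user> auth-failure".
classify_failures() {
    awk '
        /: symbol lookup error:/ {
            bin = $0
            sub(/: symbol lookup error:.*/, "", bin)
            sub(/^[ \t]+/, "", bin)
        }
        /undefined symbol:/ {
            sym = $0
            sub(/.*undefined symbol:[ \t]*/, "", sym)
            sub(/[ \t\r]+$/, "", sym)
        }
        /Failed to validate password of user / {
            user = $0
            sub(/.*Failed to validate password of user /, "", user)
            sub(/ .*/, "", user)
            kind = (bin != "" && sym != "") ? ("loader-failure " bin " " sym) : "auth-failure"
            print user, kind
            bin = ""; sym = ""
        }
    '
}

# On the affected host: symbols the loader cannot resolve for a binary.
unresolved_symbols() {
    ldd -r "$1" 2>&1 | grep 'undefined symbol'
}

sample_log | classify_failures
```

On the affected host, `unresolved_symbols /usr/share/centrifydc/apache/bin/checkpwd` confirms the mismatch directly, and it should print nothing once a matching agent and module are installed.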
Workaround:
Downgrade the Centrify DirectControl Agent to version 4.4.4 or 4.4.3.
Resolution:
There is a code fix in Centrify Apache HTTP SSO module 4.4.4-568 and above.