Applies to: Centrify DirectControl 5.0.x and Apache HTTP SSO module 4.4.3.

Problem:

After installing the Centrify DirectControl 5.0.x agent and Centrify Apache module on a Linux box, the default Apache page can not be accessed via AD credentials. 

Here is an example:

1. In /etc/pam.d, the "login" file is copied to "cdcapache"
2. In DirectManage (console), there is a Right: PAM Access > cdcapache
3. In DirectManage, there is a Role: WEB-ONLY > contains an AD group called "Non-Domain Users"
4. In ADUC, there is an AD group containing a few users called "Non-Domain Users".
5. In Apache config file, the group and users are set to only be able to login from one particular server ("rover" in this instance).
6.  In httpd.conf, the following lines are configured:
Include /usr/share/centrifydc/apache/samples/conf/centrify22.conf

<Directory /var/www/html/CentrifySafe>

AllowOverride All

AuthType CENTRIFYDC

AuthName WebNative

EnableBasicAuth true

EnablePamAuth true

PamService /etc/pam.d/cdcapache

EnableNtlmAuth false

EnableKerberosAuth false

EnableNtlmReprompt false

IdentityType custom:_unixName

Require valid-user

Options ExecCGI

</Directory>

Here is error message:

/usr/share/centrifydc/apache/bin/checkpwd: symbol lookup error:

/usr/share/centrifydc/apache/bin/checkpwd: undefined symbol:_ZN4cims5PropsEb

[Mon Dec 05 15:19:32 2011] [error] [client 127.0.1.1] Failed to validate

password of user x-testone via PAM service /etc/pam.d/cdcapache for URI

/CentrifySafe. Error: Unspecified error, referer: http://127.0.1.1

 

Cause:

Centrify's checkpwd ( /usr/share/centrifydc/apache/bin/checkpwd ) failed to run because it could not load all the libraries due to a library mismatch issue. 


Workaround:

Downgrade the Centrify DirectControl Agent to version 4.4.4 or 4.4.3. 

 

Resolution:

There is a code fix in Centrify Apache HTTP SSO module 4.4.4-568 and above.