Greetings,

I understand that apache2, using the authnz_ldap module, prefers to maintain persistent connections to a given LDAP server. While this is contrary to the way LDAP is intended to be used (e.g. connections without the UNBIND operation), I am ok with this.

Our LDAP servers themselves have no timeout, nor a timelimit, on operations. Doing a persistent bind against the LDAP server in question (by hand) produces a connection that persists as long as necessary.

Apache2, however, feels differently. When pointed directly at an LDAP server, after some time, we see this (and users begin complaining):

[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/

Invariably, restarting apache2 fixes the problem, but it always returns.

HOWEVER, if we take LDAP StartTLS out of the equation and use something like stunnel4 (thereby telling apache2 to "not worry about using encryption while talking to LDAP"), the problem goes away and does not return. I'll point out that the LDAP server-side SSL certificates are legitimate, are not expired, and are used by other things that require certificates to be in order.

We are stumped.

Our LDAP-related apache2 configuration (which generates no errors upon launch, nor on configtest):

## /etc/apache2/sites-available/svn
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<VirtualHost *:80>
    ServerAdmin webmaster@xxxxxxxxxxx
    ServerName svn.example.com
    RewriteEngine on
    RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@xxxxxxxxxxx
    ServerName svn.example.com
    DocumentRoot /var/www
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    SSLCACertificateFile /etc/ssl/certs/ca-example.cert
    RewriteEngine on
    RewriteCond %{SERVER_NAME} !=svn.example.com
    RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

    <Location /cache-info>
        SetHandler ldap-status
    </Location>

    <Location /repo>
        DAV svn
        SVNPath /repo/svn
        AuthType Basic
        AuthName "Our Repository"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
        AuthLDAPBindPassword password
        AuthLDAPURL ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*)) STARTTLS
        Require valid-user
    </Location>
</VirtualHost>

Modules loaded:
alias.load
auth_basic.load
authn_file.load
authnz_ldap.load
authz_default.load
authz_groupfile.load
authz_host.load
authz_user.load
autoindex.load
cgi.load
dav.load
dav_svn.conf
dav_svn.load
dir.conf
dir.load
env.load
ldap.load
mime.load
negotiation.load
rewrite.load
setenvif.load
ssl.load
status.load

We would appreciate some insight into this - thank you.

-GF
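As an added illustration (not part of the original post, and not a fix for it), here is a small Python triage script for error-log lines of the shape quoted above. It separates transport-level failures (the `ldap_start_tls_s() failed` / `Connect error` case, which is the worker's pooled LDAP connection being broken) from ordinary per-user credential failures, and flags worker PIDs whose transport failures hit several distinct users, which is the signature of "restart apache2 fixes it". The sample log lines are constructed, the set of libldap error strings treated as transport errors and the per-PID grouping heuristic are assumptions, and the line format is only the one the post quotes.

```python
"""Triage mod_authnz_ldap failures from an Apache error log.

Added example (not from the original post). Transport failures such as
"ldap_start_tls_s() failed [Connect error]" affect every user served by the
worker process holding the broken pooled connection; credential failures
affect one user at a time. Grouping by PID separates the two.
"""
import re
from collections import defaultdict

# Shape of the failure line quoted in the post (assumption: other lines use the same layout).
FAIL_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] auth_ldap authenticate: "
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[LDAP: (?P<call>[^\]]+)\]\[(?P<error>[^\]]+)\]"
)

# libldap result strings that describe a broken connection rather than a bad user (assumption).
TRANSPORT_ERRORS = {"Connect error", "Can't contact LDAP server", "Server is unavailable"}

# Constructed sample input modelled on the post's line; these are not real logs.
SAMPLE_LOG = """\
[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[client 192.168.168.41] [18485] auth_ldap authenticate: user ann authentication failed; URI /repo/trunk [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[client 192.168.168.42] [18490] auth_ldap authenticate: user bob authentication failed; URI /repo/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials], referer: https://svn.example.com/
[client 192.168.168.43] [18490] auth_ldap authenticate: user carol authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[notice] some unrelated line that the parser must ignore
"""


def parse_failures(log_text):
    """Return one dict per auth_ldap failure line; unrelated lines are skipped."""
    records = []
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if match:
            records.append(match.groupdict())
    return records


def is_transport_failure(record):
    """True when the LDAP session itself failed (StartTLS or connect), not the user's bind."""
    return record["call"].startswith("ldap_start_tls_s") or record["error"] in TRANSPORT_ERRORS


def triage(records, min_users=2):
    """Split records into stuck worker PIDs and credential failures.

    A PID is "stuck" when its transport failures hit at least `min_users`
    distinct users: the worker's cached connection is dead, the users are fine.
    Returns (sorted list of stuck PIDs, list of credential-failure records).
    """
    users_by_pid = defaultdict(set)
    credential_failures = []
    for record in records:
        if is_transport_failure(record):
            users_by_pid[record["pid"]].add(record["user"])
        else:
            credential_failures.append(record)
    stuck = sorted(pid for pid, users in users_by_pid.items() if len(users) >= min_users)
    return stuck, credential_failures


def report(log_text):
    """Human-readable summary; returns the triage tuple for callers that want it."""
    records = parse_failures(log_text)
    stuck, creds = triage(records)
    print(f"{len(records)} auth_ldap failures parsed")
    for pid in stuck:
        print(f"worker {pid}: StartTLS/connect errors across multiple users (pooled LDAP connection broken)")
    for rec in creds:
        print(f"user {rec['user']} from {rec['client']}: {rec['error']} (per-user failure)")
    return stuck, creds


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real error.log by passing the file contents to `report()`. A PID that keeps appearing in the stuck list until a restart is the pooled connection the post describes; a single user with repeated `Invalid credentials` is a different problem (or a password-guessing attempt) and should not be blamed on the LDAP transport.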