Re: authnz_ldap LDAP bind + Error 500

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I expect a response to this. I submitted this over a month ago.. Get with the program and answer.



On Mon, Apr 16, 2012 at 8:19 PM, Grope Fruit <gropefruit@xxxxxxxxx> wrote:
Greetings,

I understand that apache2, using the authnz_ldap module, prefers to maintain persistent connections to a given LDAP server.  While this is contrary to the way LDAP is intended to be used (e.g: connections without the UNBIND operation), I am ok with this.

Our LDAP servers themselves have no timeout, nor a timelimit, on operations.  Doing a persistent bind against the LDAP server in question, (by hand) produces a connection that persists as long as necessary.

Apache2, however, feels differently. When pointed directly at an LDAP server, after some time, we see this (and users begin complaining):

[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/

Invariably restarting apache2 fixes the problem, but it always returns.

HOWEVER, if we take LDAP StartTLS out of the equation, and we use something like stunnel4 (thereby telling apache2 to "not worry about using encryption while talking to LDAP"), the problem goes away and does not return.  I'll point out that the LDAP server-side SSL certificates are legitimate, are not expired, and are used by other things that require certificates to be in-order.

We are stumped.



Our LDAP-related apache2 configuration (which generates no errors upon launch, nor configtest):

## /etc/apache2/sites-available/svn

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<VirtualHost *:80>

   ServerAdmin webmaster@xxxxxxxxxxx
   ServerName svn.example.com

   RewriteEngine on
   RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

   ErrorLog /var/log/apache2/error.log
   CustomLog /var/log/apache2/access.log combined

</VirtualHost>


<VirtualHost *:443>

   ServerAdmin webmaster@xxxxxxxxxxx
   ServerName svn.example.com

   DocumentRoot /var/www

   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
   SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
   SSLCACertificateFile         /etc/ssl/certs/ca-example.cert
   RewriteEngine on
   RewriteCond %{SERVER_NAME} !=svn.example.com
   RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

   ErrorLog /var/log/apache2/error.log
   CustomLog /var/log/apache2/access.log combined

 <Location /cache-info>
     SetHandler ldap-status
 </Location>

 <Location /repo>
     DAV svn
     SVNPath /repo/svn
     AuthType Basic
     AuthName "Our Repository"
     AuthBasicProvider ldap
     AuthzLDAPAuthoritative off
     AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
     AuthLDAPBindPassword password
     AuthLDAPURL ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*)) STARTTLS
     Require valid-user
 </Location>

</VirtualHost>

Modules loaded:

alias.load
auth_basic.load
authn_file.load
authnz_ldap.load
authz_default.load
authz_groupfile.load
authz_host.load
authz_user.load
autoindex.load
cgi.load
dav.load
dav_svn.conf
dav_svn.load
dir.conf
dir.load
env.load
ldap.load
mime.load
negotiation.load
rewrite.load
setenvif.load
ssl.load
status.load

We would appreciate some insight into this - thank you.

-GF

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux