We have a server running Apache 2.4.9 64bit, on Win server 2008 R2. Mostly, this works fine, but there is a recurring problem with LDAP authentication to our active directory domain. LDAP authentication is done using an access control file with this sort of content:

    AuthName "LDAP Test"
    AuthType basic
    AuthBasicProvider ldap
    LDAPReferrals Off
    AuthLDAPBindDN "[DN of our service account]"
    AuthLDAPBindPassword [password of service account]
    AuthLDAPURL ldap://[ourdomain]:389/OU=[some ou]?sAMAccountName?sub?(objectclass=User)
    Require valid-user

Every so often (once a month, roughly), this will stop working, with the effect that users are prompted to enter their credentials again (and again, and again) even if valid credentials were provided. Eventually they give up and get a 401 error.

My understanding of how this works (when it works) is that the binddn and bind password allow apache to look up the context of the username provided by the user, and to then bind as that user using the password that the user provided. i.e. a working authentication is a two-stage process involving an initial bind as the service account followed by a bind as the user in question.

I've done packet traces of the server in both a working and non-working state, and it appears that what is failing is the bind as the service account. i.e. every so often, binding as the service account stops working, and continues to not work until the server is restarted. It never gets as far as attempting to bind with the password the user provided, but doesn't count this as an internal server error, and returns a 401.

Restarting the server fixes the problem, which makes it difficult to say that there's anything amiss with the access control files or the server configuration generally, or the service account.
One possibility that occurred to me was a stray access control file somewhere with an incorrect password for the service account, that was causing the account to be locked out for bad password attempts, but the service account isn't locked while the problem occurs; restarting the server fixes it immediately; and the account has a bad password count of zero. I'm also unable to find any access control files with invalid details.

I've not spotted any pattern in the times when this has recurred - it's roughly once a month, but not that regular.

Does anyone have any ideas or suggestions as to what might be causing the problem, or how to get more useful diagnostics the next time this happens?

As a temporary measure, I've added a hosts file entry to the server such that [ourdomain] always resolves to a particular domain controller that I have reason to think works. But I have no reason to suspect any of our domain controllers as being at fault, and have done test LDAP lookups against all of them to test access.

Mike

-- 
Mike Sandells
The University of Liverpool - Computing Services Department
Email: mikejs@xxxxxxxxx (Preferred) - Phone: 0151 794 4437
http://www.liv.ac.uk/csd
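The two-stage authentication described in the post (bind as the service account, search the OU for the user's DN by sAMAccountName, then bind as that user) can be reproduced outside Apache against each domain controller individually, which separates "the service-account bind fails on DC X" from "Apache has a stale connection". The script below is an added diagnostic written for this reply, not code from the original post or from the Apache project; the domain controller names, service account DN, search base and test user name are placeholders to be replaced with real values.

```powershell
# Added diagnostic (not part of the original post): replays Apache's
# mod_authnz_ldap flow with System.DirectoryServices.Protocols so that a
# failing service-account bind shows up as an LDAP error with the server's
# message, rather than as a 401 to the browser.
# Every hostname, DN and account name below is an assumed placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainControllers = @("dc1.example.internal", "dc2.example.internal")   # assumed DC hostnames
$Port       = 389
$BindDn     = "CN=svc-apache,OU=Service Accounts,DC=example,DC=internal"  # assumed AuthLDAPBindDN
$SearchBase = "OU=Staff,DC=example,DC=internal"                           # assumed OU from AuthLDAPURL
$TestUser   = "jbloggs"                                                    # assumed sAMAccountName to test

$BindPw = Read-Host -Prompt "Password for $BindDn"
$UserPw = Read-Host -Prompt "Password for $TestUser"

# Open a connection and perform a simple bind (AuthType Basic) with the given DN,
# mirroring what mod_ldap does for AuthLDAPBindDN and for the per-user bind.
function New-LdapBind($Server, $Port, $Dn, $Password) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($Dn, $Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    # LDAPReferrals Off in the Apache config; do not chase referrals here either.
    $conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.Timeout = New-TimeSpan -Seconds 10
    $conn.Bind()   # throws on failure; the caller reports the exception
    return $conn
}

# PowerShell wraps .NET exceptions in a MethodInvocationException; unwrap it so the
# LdapException (and its ServerErrorMessage, when present) is what gets printed.
function Format-LdapError($ErrorRecord) {
    $ex = $ErrorRecord.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    $msg = "{0}: {1}" -f $ex.GetType().Name, $ex.Message
    if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ServerErrorMessage) {
        $msg += " (server: " + $ex.ServerErrorMessage + ")"
    }
    return $msg
}

foreach ($dc in $DomainControllers) {
    Write-Host "=== $dc ==="

    # Stage 1: bind as the service account. In the post, this is the step seen failing.
    try {
        $svc = New-LdapBind $dc $Port $BindDn $BindPw
    } catch {
        Write-Host ("  service-account bind FAILED: " + (Format-LdapError $_))
        continue
    }
    Write-Host "  service-account bind OK"

    # Stage 2: search for the user under the OU, using the same filter shape Apache
    # builds from the AuthLDAPURL ("(&(objectclass=User)(sAMAccountName=<user>))").
    $filter = "(&(objectclass=User)(sAMAccountName=$TestUser))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $SearchBase, $filter,
                [System.DirectoryServices.Protocols.SearchScope]::Subtree,
                [string[]]@("distinguishedName"))
    try {
        $resp = $svc.SendRequest($req)
    } catch {
        Write-Host ("  search FAILED: " + (Format-LdapError $_))
        $svc.Dispose()
        continue
    }
    $svc.Dispose()
    if ($resp.Entries.Count -ne 1) {
        Write-Host ("  search returned {0} entries for {1}; cannot continue" -f $resp.Entries.Count, $TestUser)
        continue
    }
    $userDn = $resp.Entries[0].DistinguishedName
    Write-Host "  user DN: $userDn"

    # Stage 3: bind as the user with the password they supplied.
    try {
        $u = New-LdapBind $dc $Port $userDn $UserPw
        $u.Dispose()
        Write-Host "  user bind OK"
    } catch {
        Write-Host ("  user bind FAILED: " + (Format-LdapError $_))
    }
}
```

Run it on the web server itself while the fault is present, so it uses the same source address and name resolution as Apache; if every DC answers the service-account bind correctly at that moment while Apache is still returning 401s, the problem is on the Apache side (its pooled LDAP connections) rather than at the directory. On the Apache side, 2.4 accepts per-module log levels, so `LogLevel ldap:debug authnz_ldap:debug` will record what mod_ldap and mod_authnz_ldap do on each request without raising the log level for everything else.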