The persistent LDAP connection between Apache/mod_authnz_ldap and OpenLDAP is not an LDAP nor OpenLDAP error. Debug logging has confirmed this.

It appears that Apache(v2.2)/mod_authnz_ldap establishes and maintains a persistent network connection to the designated LDAP server. Documentation for mod_ldap mentions "connection pooling" and "results caching".

The situation has been verified by the following:

1) start Apache with AuthLDAP directives;
   start web application;
   do LDAP authentication;
   network connection to LDAP server is established;
   terminate web browser;
   LDAP connection is still ESTABLISHED and appears to "never" timeout or close;
   during this time the web browser maintains a "read/transmitting" state;
   stop Apache (httpd) or the LDAP server and the LDAP connection is dropped

2) start Apache withOUT AuthLDAP;
   start web application;
   NO initial LDAP authentication;
   no network connection to the LDAP server;
   perform a function within the web application that at that point invokes LDAP authentication via PHP;
   network connection ESTABLISHED to the LDAP server;
   LDAP authentication completes;
   network connection to the LDAP server is closed;
   browser status is "normal".

On 05/03/2016 06:56, Luca Toscano wrote:
>
> 2016-05-03 1:22 GMT+02:00 J.D. <randomnoise058@xxxxxxxxx>:
>
> > Centos-6.6+seLinux, Apache-2.2, OpenLDAP-2.4.40, OpenSSL-1.0.1e-fips
> >
> > Using the following sample Directory block, the Apache LDAP authentication works just fine, but when the web page is displayed - the activity spinner is spinning and the status bar shows "Read <hostname>". Without the Apache LDAP authentication, neither of the above symptoms appear/occur. It is almost like something doesn't complete/finish, but I cannot determine what causes this. There are no messages in the HTTPD error logs relative to this situation.
> >
> > <Directory "/var/www/html/directory/">
> >     SSLRequireSSL
> >     AllowOverride None
> >     Allow from 127.0.0.1
> >     Allow from localhost
> >     Allow from 192.168.56.0/24
> >     # uncomment following line to force all frontend access
> >     # to require userid/password authentication via LDAP
> >     include conf/WebFrontendApacheAuthentication.conf
> > </Directory>
> >
> > WebFrontendApacheAuthentication.conf
> > ===============================
> > AuthType basic
> > AuthName "realm"
> > AuthBasicProvider ldap
> > AuthLDAPURL ldaps://vbox-realm.vboxnet/dc=realm?uid?sub?(ObjectClass=*)
> > Require ldap-group cn=WebAccess,dc=realm
> > ===============================
>
> Not an expert about LDAP auth with httpd but I would try to increase the LogLevel (https://httpd.apache.org/docs/2.2/mod/core.html#loglevel) to get more info from the logs about what mod_auth_ldap is doing.
>
> Hope that helps!
>
> Luca
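One way to repeat the check described at the top of this thread (the LDAP connection stays ESTABLISHED after the browser exits), as an added example that is not part of the original messages: it compares `ss -tnp` snapshots and reports LDAP connections that survive across all of them, together with the owning process. The snapshots, addresses, PIDs and the `php-cgi` client below are constructed sample data.

```python
import re

LDAP_PORTS = {389, 636}
# Matches both the older ("httpd",2314,12) and newer ("httpd",pid=2314,fd=12) ss formats.
PROC_RE = re.compile(r'users:\(\("([^"]+)",(?:pid=)?(\d+)')

def ldap_connections(ss_output):
    """Return {(local, peer): (process, pid)} for ESTABLISHED connections to an LDAP port."""
    conns = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a non-established socket
        local, peer = fields[3], fields[4]
        port = peer.rsplit(":", 1)[-1]
        if not port.isdigit() or int(port) not in LDAP_PORTS:
            continue
        m = PROC_RE.search(line)
        conns[(local, peer)] = (m.group(1), int(m.group(2))) if m else ("?", 0)
    return conns

def persistent(snapshots):
    """Connections (same endpoints, same owner) that appear in every snapshot."""
    parsed = [ldap_connections(s) for s in snapshots]
    if not parsed:
        return {}
    keep = dict(parsed[0])
    for snap in parsed[1:]:
        keep = {k: v for k, v in keep.items() if snap.get(k) == v}
    return keep

# Constructed sample: snapshot taken during authentication ...
SNAP_DURING = '''State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.56.10:443 192.168.56.1:50112 users:(("httpd",2314,9))
ESTAB 0 0 192.168.56.10:41522 192.168.56.20:636 users:(("httpd",2314,12))
ESTAB 0 0 192.168.56.10:41530 192.168.56.20:636 users:(("php-cgi",2390,5))
'''
# ... and one taken minutes after the browser was closed.
SNAP_AFTER = '''State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.56.10:41522 192.168.56.20:636 users:(("httpd",2314,12))
'''

if __name__ == "__main__":
    for (local, peer), (proc, pid) in persistent([SNAP_DURING, SNAP_AFTER]).items():
        print(f"{proc}[{pid}] still holds {local} -> {peer}")
```

On a live host, feed it the output of `ss -tnp` captured as root at intervals; a connection owned by httpd that appears in every capture is the pooled one described above.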