Hello all,

I'm doing SSO using auth_kerb_module with Active Directory and authnz_ldap_module as fallback (Apache 2.4, FreeBSD 11.1, Windows Server 2012R2):
    PassEnv MACHINE_DNSNAME
    PassEnv MACHINE_DOMAINNAME_UPPER

    # Kerberos (SPNEGO) against Active Directory
    <IfModule auth_kerb_module>
        LoadFile /usr/lib/libgssapi_krb5.so.10
        LoadFile /usr/lib/libgssapi_spnego.so.10
        AuthType Kerberos
        AuthBasicAuthoritative off
        KrbAuthRealm ${MACHINE_DOMAINNAME_UPPER}
        KrbServiceName HTTP/${MACHINE_DNSNAME}@${MACHINE_DOMAINNAME_UPPER}
        Krb5Keytab /var/www/passwords/auth_kerb.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbSaveCredentials On
        KrbAuthoritative On
        KrbLocalUserMapping On
    </IfModule>

    # LDAP fallback
    <IfModule authnz_ldap_module>
        <IfModule !auth_kerb_module>
            AuthType Basic
            AuthBasicAuthoritative off
            <IfVersion < 2.3>
                AuthzLDAPAuthoritative on
            </IfVersion>
            AuthBasicProvider ldap
        </IfModule>
        <IfModule auth_kerb_module>
            KrbAuthoritative Off
            KrbMethodK5Passwd On
        </IfModule>
        AuthLDAPURL ldaps://charlieroot.de/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
        AuthLDAPBindDN "someuser"
        AuthLDAPBindPassword "somepass"
        <IfVersion < 2.3>
            AuthzLDAPAuthoritative on
        </IfVersion>
        AuthLDAPRemoteUserIsDN off
    </IfModule>

On a non-domain member this works fine initially, but after a certain time I get an error that the LDAP server cannot be contacted anymore (it is definitely available):
    [helmut@BSDHelmut ~]$ sudo tail -100f /var/www/logs/error_log | grep ldap
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685344768] mod_authz_core.c(806): [client 192.168.124.200:58889] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no authenticated user yet), referer: https://nagios.mydomain.local/side.php
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(518): [client 192.168.124.200:58889] AH01691: auth_ldap authenticate: using URL ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*), referer: https://nagios.mydomain.local/side.php
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(615): [client 192.168.124.200:58889] AH01697: auth_ldap authenticate: accepting helmut, referer: https://nagios.mydomain.local/side.php
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(915): [client 192.168.124.200:58889] AH01713: auth_ldap authorize: require group: testing for group membership in "CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de", referer: https://nagios.mydomain.local/side.php
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(922): [client 192.168.124.200:58889] AH01714: auth_ldap authorize: require group: testing for member: CN=Helmut Ritter,OU=User,OU=mydomain,OU=Organisations,DC=mydomain,DC=de (CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de), referer: https://nagios.mydomain.local/side.php
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(931): [client 192.168.124.200:58889] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (adding to cache)][6 - Compare True], referer: https://nagios.mydomain.local/side.php
    Jan 23 15:06:06 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685344768] mod_authz_core.c(806): [client 192.168.124.200:58889] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: granted, referer: https://nagios.mydomain.local/side.php
    [...]
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685034752] mod_authz_core.c(806): [client 192.168.124.200:59135] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no authenticated user yet)
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(518): [client 192.168.124.200:59135] AH01691: auth_ldap authenticate: using URL ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(615): [client 192.168.124.200:59135] AH01697: auth_ldap authenticate: accepting helmut
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(915): [client 192.168.124.200:59135] AH01713: auth_ldap authorize: require group: testing for group membership in "CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de"
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(922): [client 192.168.124.200:59135] AH01714: auth_ldap authorize: require group: testing for member: CN=Helmut Ritter,OU=User,OU=mydomain,OU=Organisations,DC=mydomain,DC=de (CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de)
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(931): [client 192.168.124.200:59135] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]
    Jan 23 15:36:49 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685034752] mod_authz_core.c(806): [client 192.168.124.200:59135] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: granted
    Jan 23 15:38:21 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685027072] mod_authz_core.c(806): [client 192.168.124.200:59146] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no authenticated user yet)
    Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685027072] mod_authnz_ldap.c(518): [client 192.168.124.200:59146] AH01691: auth_ldap authenticate: using URL ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)
    Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:info] [pid 9091:tid 34685027072] [client 192.168.124.200:59146] AH01695: auth_ldap authenticate: user helmut authentication failed; URI /nagios/cgi-bin/status.cgi [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
    ^C
    [helmut@BSDHelmut ~]$

Restarting Apache or waiting an hour or so fixes this. Any ideas?

Thank you!
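The "ldap_simple_bind() failed / Can't contact LDAP server" symptom that clears on restart is the classic signature of mod_ldap reusing a pooled backend connection that the other side (domain controller, firewall or NAT device) has already torn down. mod_ldap has server-level directives for this; the fragment below is an added example, not part of the original post or the poster's configuration, showing how they are set. All directives are mod_ldap server-config directives (they go in the main server or virtual host config, not inside a Directory, Location or .htaccess block), and the numeric values and the CA path are assumptions to be adapted to the environment:

```apache
# Added example: mod_ldap pool and TLS settings (server config context).
# Not from the original post; values and paths are assumptions.

# Drop pooled backend connections that have been idle longer than this many
# seconds instead of reusing them. The default (-1) keeps them forever, so a
# connection silently closed by the DC or a firewall stays in the pool until
# a bind fails on it. Pick a value below the idle timeout enforced on the path
# between Apache and the domain controllers.
LDAPConnectionPoolTTL 300

# Socket connect timeout and per-operation (bind/search) timeout, in seconds,
# so a dead peer fails fast instead of hanging a worker thread.
LDAPConnectionTimeout 10
LDAPTimeout 15

# Retry retriable LDAP failures (for example "server down") on a fresh
# connection rather than failing the HTTP request on the first error.
LDAPRetries 3
LDAPRetryDelay 1

# AuthLDAPURL uses ldaps://, so pin the TLS session to the CA that issued the
# domain controllers' certificates and keep server certificate verification on.
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/ssl/ad-root-ca.pem
LDAPVerifyServerCert On
```

After changing these, restart httpd (a graceful restart is enough) and watch the error_log with LogLevel ldap:debug authnz_ldap:debug; with a pool TTL in place a bind after a long idle period should be preceded by a new backend connection rather than the AH01695 failure. The bind credentials in AuthLDAPBindDN/AuthLDAPBindPassword are stored in clear text in the config, so that file should be readable only by root and the httpd user, and the bind account should have no rights beyond reading the users and groups it needs.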