|
Hi chaps, I’m running a Ubuntu Apache server (apache version 2.2.8)
which serves up only SVN and TRAC sites. All the SVN and TRAC repos use LDAP to
authenticate, and the LDAP server is a Windows Active Directory server on the
same network. We are seeing a problem with the server giving end users an “internal
error” page at random when viewing trac sites or checking out SVN files.
If you hit F5 a few times, for between 1 and 10’ish seconds, the pages
start being served up again. This isn’t awful in a browser, but for
people using SVN via a piece of client software, which may not have an F5
alternative, it’s bad as they just get an error. When this occurs the apache error.log shows very little
other than “Can’t contact ldap server”. The debug listing
from the error.log is below. **************************** 139874420-[Mon Jan 19 18:16:56 2009] [info] Initial (No.1)
HTTPS request received for child 4 (server dev.company.com:443) 139874531-[Mon Jan 19 18:16:56 2009] [debug]
mod_authnz_ldap.c(373): [client 10.1.37.13] [21455] auth_ldap authenticate:
using URL ldap://10.1.37.250:389/OU=Users,OU=Company LLP,DC=company,DC=local?sAMAccountName?sub?(objectClass=*),
referer: https://dev.company.com/trac/technical/report 139874804:[Mon Jan 19 18:16:56 2009] [warn] [client
10.1.37.13] [21455] auth_ldap authenticate: user john.blogs authentication
failed; URI /trac/technical/newticket [LDAP: ldap_simple_bind_s() failed][Can't
contact LDAP server], referer: https://dev.company.com/trac/technical/report 139875080-[Mon Jan 19 18:16:56 2009] [debug]
ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished
successfully 139875196-[Mon Jan 19 18:16:56 2009] [info] [client
10.1.37.13] Connection closed to child 4 with standard shutdown (server dev.company.com:443) 139875329-[Mon Jan 19 18:16:56 2009] [info] [client
10.1.37.13] Connection to child 3 established (server dev.company.com:443) **************************** When this happens, you *can* happily do an
ldap-search from the terminal and get valid results, and other boxes which
authenticate against the AD server all work fine during this time. It’s just
this one box. The LDAP params we are using in the apache conf is; ***************************** <Location /> AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPBindDN "CN=LDAP USER,CN=Users,DC=company,DC=local" AuthLDAPBindPassword PASSWORD AuthLDAPURL "ldap://10.1.37.250:389/OU=Users,OU=Company
LLP,DC=company,DC=local?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPGroupAttributeIsDN on </Location> ***************************** I’ve changed a few of the LDAP cacheing entries in
order to rule out some kind of connection-limit issue, but that hasnt helped a
bit. The LDAP config we are using now in apache2.conf is this; ***************************** LDAPSharedCacheSize 200000 LDAPCacheEntries 2024 LDAPCacheTTL 3600 LDAPOpCacheEntries 2024 LDAPOpCacheTTL 600 LDAPConnectionTimeout 60 LDAPVerifyServerCert Off <Location /ldap/cache-info>
SetHandler ldap-status </Location> *************************** There’s a few bugs on the Ubuntu site which relate
mainly to the version of libgnutls13 (https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/306897).
According to the results of “aptitude search libgnutls13” I’m
already running that – that is to say that the results of that command
show “i libgnutls13” which I take to mean that
libgnutls13 is installed. Also, we arent using SSL or TLS for the LDAP
authentication between the ubuntu box and the LDAP server so I’m not sure
it applies. Any idea how I can find out more about what’s
happening or even better how I can resolve the issue? We’ve been at this
about a week now, every day for 8 hours or more and could do with any advice
you can give. Olly -- G2 Support Online Backups Email: oliver.marshall@xxxxxxxxxxxxx |
|