From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40878] New: - For LDAP authentication against Windows Active Directory ldap_simple_bind_s fails after a period
Date Thu, 02 Nov 2006 17:08:36 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=40878

           Summary: For LDAP authentication against Windows Active
                    Directory ldap_simple_bind_s fails after a period
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Keywords: PatchAvailable
          Severity: major
          Priority: P2
         Component: mod_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rbaily@servicebench.com

This is really more an enhancement request than a bug.  Here is the situation:

We set up Apache 2.2.3 on a Linux server and set up Subversion 1.4.0 to be
handled by it.  We set up authentication to use LDAP to authenticate users.  We
are authenticating to a Windows 2003 server through its LDAP service (using
Global Catalog).

Here is the basic configuration.  I mangled some of the entries here so as not to
expose anything.

<Location />
    AuthName "SVN"
    AuthType Basic
    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://machinename:3268/dc=Company,dc=com?sAMAccountName?sub
    AuthLDAPBindDN "user@domain.com"
    AuthLDAPBindPassword "xxxxx"
    AuthUserFile /var/subversion/conf/svn-auth-users
    Require valid-user
</Location>

So what happens is that generally it works fine.  But then if a user is inactive
for a while (appears to be between 1 and 2 hours) and then tries to perform
another operation they get a 500 internal error and a message similar to this is
logged in the log file.

[Wed Nov 01 11:50:40 2006] [warn] [client 10.1.2.47] [3994] auth_ldap
authenticate: user rbaily authentication failed; URI
/svn/projects/candyland/trunk [LDAP: ldap_simple_bind_s() failed][Can't contact
LDAP server]

If they attempt to retry the operation then usually between 2 to 5 times it comes
back with no problem.  So this was becoming a major headache and causing our
developers some pain in getting code checked in or getting updates.  Also it was
causing some problems with a continuous build server.  I am not certain about
the exact time period or the inactivity but indications pointed to this.

So I looked at the code in modules/ldap/util_ldap.c and changed it slightly.
There is a section of code that attempts to do ldap_simple_bind_s and repeats 10
times if it is getting a LDAP_SERVER_DOWN code.  What I noticed about this is
that the connection is not truly being reset every time.  It basically starts
with the current state and tries to bind again.  So I moved out the code that
was in the upper part of uldap_connection_open into a function called
uldap_connection_init.  Then in the failure loop, if we get halfway (5 tries),
I changed it to unbind and then init it before trying to bind again.

This has worked well for us as we are no longer getting this.  So I realize this
may be a Windows only issue and people may not be too keen on correcting it but
it seems like it could happen on other types of LDAP servers as well.  I also
think the design is a little better having the init stuff put out in a separate
function rather than in the open function.  Also I changed some of the other
places that had multiple statements for the unbind to call
uldap_connection_unbind which handles it.

I think ideally it would be better if we could configure the 10 and 5 numbers
through the configuration file but I wasn't really sure how to handle that.

I'll attach a patch to this shortly.

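The retry logic described in the report, as an added C example that is not the httpd source or the reporter's patch: the original loop re-binds the same stale handle ten times, while the patched loop unbinds and re-initialises it at the halfway point. conn_t, conn_init, conn_unbind and mock_bind are constructed stand-ins for the libldap handle and calls so the program runs without an LDAP server, and the two result-code constants are defined locally.

```c
/* Result codes defined locally so this compiles without libldap; the values
 * are the ones OpenLDAP's ldap.h uses for these two codes. */
#define LDAP_SUCCESS       0
#define LDAP_SERVER_DOWN (-1)
#define BIND_RETRIES 10   /* the "10 times" loop from the report */
#define RESET_AFTER   5   /* the "halfway (5 tries)" point of the patch */
/* Constructed stand-in for a util_ldap connection handle (hypothetical fields). */
typedef struct {
    int open;   /* initialised and not yet unbound */
    int stale;  /* server dropped the idle session; the local handle does not know */
} conn_t;
static void conn_init(conn_t *c)   { c->open = 1; c->stale = 0; }  /* fresh handle */
static void conn_unbind(conn_t *c) { c->open = 0; }                 /* release it */

/* Mock ldap_simple_bind_s(): a stale or unbound handle fails with
 * LDAP_SERVER_DOWN every time, however often the bind is retried. */
static int mock_bind(const conn_t *c)
{
    return (c->open && !c->stale) ? LDAP_SUCCESS : LDAP_SERVER_DOWN;
}

/* Bind up to BIND_RETRIES times on LDAP_SERVER_DOWN. reset_halfway=1 unbinds
 * and re-inits the handle after RESET_AFTER failures (the patch); 0 keeps
 * retrying the same handle (the original code). Returns the attempt number
 * that succeeded, or -1 if every attempt failed. */
int bind_with_retry(conn_t *c, int reset_halfway)
{
    for (int attempt = 1; attempt <= BIND_RETRIES; attempt++) {
        int rc = mock_bind(c);
        if (rc == LDAP_SUCCESS)
            return attempt;
        if (rc != LDAP_SERVER_DOWN)
            return -1;                /* other errors are not retried */
        if (reset_halfway && attempt == RESET_AFTER) {
            conn_unbind(c);           /* drop the stale state ...       */
            conn_init(c);             /* ... and bind on a clean handle */
        }
    }
    return -1;
}

/* The report's scenario: a connection that worked, then sat idle until the
 * server closed it. Returns the attempt that succeeded, or -1. */
int idle_then_bind(int reset_halfway)
{
    conn_t c;
    conn_init(&c);
    c.stale = 1;                      /* idle timeout on the server side */
    return bind_with_retry(&c, reset_halfway);   /* 0 -> -1, 1 -> 6 */
}
```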

