http://issues.apache.org/bugzilla/show_bug.cgi?id=40878
Summary: For LDAP authentication against Windows Active Directory ldap_simple_bind_s fails after a period
Product: Apache httpd-2
Version: 2.2.3
Platform: Other
OS/Version: Linux
Status: NEW
Keywords: PatchAvailable
Severity: major
Priority: P2
Component: mod_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: rbaily@servicebench.com
This is really more an enhancement request than a bug. Here is the situation:
We set up Apache 2.2.3 on a Linux server and set up Subversion 1.4.0 to be
handled by it. We set up authentication to use LDAP to authenticate users. We
are authenticating to a Windows 2003 server through its LDAP service (using
Global Catalog).
Here is the basic configuration. I mangled some of the entries here so as not to
expose anything.
<Location />
AuthName "SVN"
AuthType Basic
AuthBasicProvider file ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://machinename:3268/dc=Company,dc=com?sAMAccountName?sub
AuthLDAPBindDN "user@domain.com"
AuthLDAPBindPassword "xxxxx"
AuthUserFile /var/subversion/conf/svn-auth-users
Require valid-user
</Location>
So what happens is that generally it works fine. But then if a user is inactive
for a while (appears to be between 1 and 2 hours) and then tries to perform
another operation they get a 500 internal error and a message similar to this is
logged in the log file.
[Wed Nov 01 11:50:40 2006] [warn] [client 10.1.2.47] [3994] auth_ldap
authenticate: user rbaily authentication failed; URI
/svn/projects/candyland/trunk [LDAP: ldap_simple_bind_s() failed][Can't contact
LDAP server]
If they attempt to retry the operation then usually between 2 to 5 times it comes
back with no problem. So this was becoming a major headache and causing our
developers some pain in getting code checked in or getting updates. Also it was
causing some problems with a continuous build server. I am not certain about
the exact time period or the inactivity but indications pointed to this.
So I looked at the code in modules/ldap/util_ldap.c and changed it slightly.
There is a section of code that attempts to do ldap_simple_bind_s and repeats 10
times if it is getting a LDAP_SERVER_DOWN code. What I noticed about this is
that the connection is not truly being reset every time. It basically starts
with the current state and tries to bind again. So I moved out the code that
was in the upper part of the uldap_connection_open into a function called
uldap_connection_init. Then in the failures loop if we get halfway (5 tries)
then I changed it to unbind and then init it before trying to bind again.
This has worked well for us as we are no longer getting this. So I realize this
may be a Windows only issue and people may not be too keen on correcting it but
it seems like it could happen on other types of LDAP servers as well. I also
think the design is a little better having the init stuff put out in a separate
function rather than in the open function. Also I changed some of the other
places that had multiple statements for the unbind to call
uldap_connection_unbind which handles it.
I think ideally it would be better if we could configure the 10 and 5 numbers
through the configuration file but I wasn't really sure how to handle that.
I'll attach a patch to this shortly.
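The retry strategy the report describes (retry the bind on LDAP_SERVER_DOWN, and halfway through the retry budget tear the connection down and re-initialise it instead of re-binding on a stale handle) is illustrated below in a stand-alone C model. This is an added example, not the reporter's patch and not httpd's util_ldap.c: the connection type, the mock server, and the function names (conn_init, conn_unbind, mock_simple_bind, bind_with_retries, simulate_idle_then_bind) are all hypothetical, and the "stale handle" is a constructed stand-in for a server that silently dropped an idle connection.

```c
/* Model of the bind-retry loop from the report. Not httpd code. */
#include <stdio.h>
#include <stdbool.h>

#define BIND_MAX_TRIES 10   /* the "10" in the report: total bind attempts */
#define BIND_REINIT_AT  5   /* the "5": unbind + re-init at the halfway point */

/* Result codes named in the report; numeric values are illustrative. */
enum { LDAP_SUCCESS = 0, LDAP_SERVER_DOWN = 81 };

/* Hypothetical connection handle. A handle becomes "stale" when the
 * (mock) server drops it after an idle period; re-binding on a stale
 * handle never succeeds, only a fresh handle can bind. */
typedef struct {
    bool initialised;
    bool stale;     /* constructed: set when the idle timeout has hit */
    int  binds;     /* bind attempts made on this handle */
} ldap_conn_t;

/* Counterpart of the init code the reporter moved into its own function. */
static void conn_init(ldap_conn_t *c)
{
    c->initialised = true;
    c->stale = false;
    c->binds = 0;
}

/* Counterpart of uldap_connection_unbind: release the handle entirely. */
static void conn_unbind(ldap_conn_t *c)
{
    c->initialised = false;
    c->stale = false;
}

/* Mock ldap_simple_bind_s: fails with LDAP_SERVER_DOWN on a handle that
 * was never initialised or that the server has dropped. */
static int mock_simple_bind(ldap_conn_t *c)
{
    c->binds++;
    if (!c->initialised || c->stale)
        return LDAP_SERVER_DOWN;
    return LDAP_SUCCESS;
}

/* Bind with up to BIND_MAX_TRIES attempts. With reinit_halfway set, the
 * handle is unbound and re-initialised before attempt BIND_REINIT_AT + 1
 * (the reporter's change); otherwise every retry reuses the same handle
 * (the behaviour the reporter observed). Returns the final result code
 * and stores the number of attempts made in *tries. */
static int bind_with_retries(ldap_conn_t *c, bool reinit_halfway, int *tries)
{
    int rc = LDAP_SERVER_DOWN;
    int i;
    for (i = 0; i < BIND_MAX_TRIES; i++) {
        if (reinit_halfway && i == BIND_REINIT_AT) {
            conn_unbind(c);   /* drop the stale state completely ... */
            conn_init(c);     /* ... and start from a fresh handle */
        }
        rc = mock_simple_bind(c);
        if (rc != LDAP_SERVER_DOWN)
            break;            /* success or a non-retryable error */
    }
    if (tries)
        *tries = (i < BIND_MAX_TRIES) ? i + 1 : BIND_MAX_TRIES;
    return rc;
}

/* Scenario from the report: the handle worked earlier, sat idle for an
 * hour or two, and the server dropped it before the next request. */
static int simulate_idle_then_bind(bool reinit_halfway, int *tries)
{
    ldap_conn_t c;
    conn_init(&c);
    c.stale = true;           /* constructed: idle timeout has expired */
    return bind_with_retries(&c, reinit_halfway, tries);
}

int main(void)
{
    int tries, rc;
    rc = simulate_idle_then_bind(false, &tries);
    printf("no re-init:    rc=%d after %d tries\n", rc, tries);
    rc = simulate_idle_then_bind(true, &tries);
    printf("re-init at %d:  rc=%d after %d tries\n", BIND_REINIT_AT, rc, tries);
    return 0;
}
```

Without the re-init, all ten attempts repeat the same failing bind on the dropped handle and the request ends with LDAP_SERVER_DOWN, which is what surfaces as the "Can't contact LDAP server" 500 in the report; with the re-init, the sixth attempt runs on a fresh handle and succeeds. The same structure also makes it easy to see why the two numbers would be worth exposing as configuration: the retry budget and the re-init point are the only knobs in the loop.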