httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tod <listac...@gmail.com>
Subject Re: [users@httpd] LDAP hangs when trying to authenticate
Date Mon, 20 Oct 2008 17:40:15 GMT
Mike Benza wrote:
>   Hello,
> 
> I've been stuck with a problem where LDAP hangs when it's trying to 
> authenticate.
> 
> I'm running Apache on Ubuntu 8.04, Hardy Heron.  This problem occurs 
> with the Ubuntu version (both 32 and 64 bit) as well as compiled 
> directly from source.  I can produce the problem in Apache 2.2.8 (from 
> Ubuntu) and 2.2.10 (compiled from source).  I posted about the problem 
> on ubuntuforums.org <http://ubuntuforums.org> a few weeks ago but I 
> didn't get any useful responses.  I've searched the web multiple times.  
> Tonight I downloaded the source and built it, and I still have the problem.
> 
> I've a <Location> in a certain site that needs to be ldap authenticated. 
> It doesn't get authenticated. Here is the location:
> 
> <Location /blah>
>   AuthzLDAPAuthoritative Off
>   AuthName "EWB Documents"
>   AuthType Basic
>   AuthBasicProvider ldap
>   AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
>   AuthLDAPBindPassword *********
>   AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid 
> <http://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid>"
> 
>   <Limit GET POST PROPFIND OPTIONS REPORT>
>      Require valid-user
>   </Limit>
> </Location>
> 
> When I browse to http://site/blah, I get prompted for my username and 
> password. I've confirmed that this <Location> configuration is causing 
> the prompt, since when I remove the <Location>, I don't get prompted for 
> a username and password. After I type my username and password in and 
> click OK, nothing happens on the browser side. I can watch my browser 
> send my credentials back the server, and I can see the beginning of an 
> LDAP conversation using wireshark on the server. However, after the 
> conversation begins, it abruptly stops, and nothing happens. It just 
> sits there.
> 
> I tested logging into the LDAP with a variation of the following (using 
> a hostname and port, but I don't remember the format and switches now):
> Code:
> 
> ldapsearch -x -W -D "cn=ewb,ou=service accounts,dc=rice,dc=edu" -b 
> "ou=People,dc=rice,dc=edu" '(uid=XYZ)'
> 
> It prompts me for my password (the ***s in the above apache 
> configuration), then finds the user named XYZ.
> 
> So, in summary I can connect via ldaps and lookup a user at the command 
> line, but somewhere, apache fails.
> 
> I turned logging in apache to debug, and discovered that ldap doesn't 
> log much:
> Code:
> 
> [Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory: 
> mod_mime_magic: can't read magic file /etc/apache2/conf/magic
> [Wed Sep 17 20:07:10 2008] [notice] suEXEC mechanism enabled (wrapper: 
> /usr/lib/apache2/suexec)
> [Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes of 
> entropy
> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA private 
> keys (512/1024 bits)
> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH 
> parameters (512/1024 bits)
> [Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) servers 
> for SSL
> [Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against Server: 
> Apache/2.2.8, Library: OpenSSL/0.9.8g
> [Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory: 
> mod_mime_magic: can't read magic file /etc/apache2/conf/magic
> [Wed Sep 17 20:07:10 2008] [notice] Digest: generating secret for digest 
> authentication ...
> [Wed Sep 17 20:07:10 2008] [notice] Digest: done
> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging 
> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: ewb.rice.edu 
> <http://ewb.rice.edu>
> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging 
> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: 
> wiki.ewb.rice.edu <http://wiki.ewb.rice.edu>
> [Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging 
> Shared Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: ewb.rice.edu 
> <http://ewb.rice.edu>
> [Wed Sep 17 20:07:10 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
> [Wed Sep 17 20:07:10 2008] [info] LDAP: SSL support available
> [Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes of 
> entropy
> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA private 
> keys (512/1024 bits)
> [Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH 
> parameters (512/1024 bits)
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(374): shmcb_init 
> allocated 512000 bytes of shared memory
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(554): entered 
> shmcb_init_memory()
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(576): for 512000 
> bytes, recommending 4266 indexes
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(619): 
> shmcb_init_memory choices follow
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(621): 
> division_mask = 0x1F
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(623): 
> division_offset = 64
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(625): 
> division_size = 15998
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(627): queue_size = 
> 1604
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(629): index_num = 133
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(631): index_offset = 8
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(633): index_size = 12
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(635): 
> cache_data_offset = 8
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(637): 
> cache_data_size = 14386
> [Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(650): leaving 
> shmcb_init_memory()
> [Wed Sep 17 20:07:10 2008] [info] Shared memory session cache initialised
> [Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) servers 
> for SSL
> [Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against Server: 
> Apache/2.2.8, Library: OpenSSL/0.9.8g
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24788 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24788 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24789 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24789 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24790 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24790 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24791 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24791 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24792 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24792 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24793 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24793 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24794 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24794 for (*)
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed 
> scoreboard slot 0 in child 24795 for worker proxy:reverse
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker 
> proxy:reverse already initialized
> [Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: 
> initialized single connection worker 0 in child 24795 for (*)
> [Wed Sep 17 20:07:10 2008] [notice] Apache/2.2.8 (Ubuntu) DAV/2 
> SVN/1.4.6 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 
> OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 configu
> red -- resuming normal operations
> 
> Nothing is logged in the error log when I try to load the page requiring 
> my username and password.
> 
> Now here is where it gets a bit more complicated: If it's hanging 
> waiting to authenticate and I restart apache, the authentication 
> succeeds, then apache restarts just fine.
> 
> I don't know very much about the LDAP server.  I know there are a number 
> of machines with apache that successfully authenticate against this ldap.
> 
> Has anyone had problems like this? Please help me. I can't find anyone 
> who knows enough about apache and ldap. I've been working at this for 
> weeks now. Thank you.
> 
> - Mike Benza
> 

Try doing the ldapsearch from the apache box to ldap.rice.edu to rule 
out firewall a issue.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message