httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Grope Fruit <gropefr...@gmail.com>
Subject [users@httpd] Re: authnz_ldap LDAP bind + Error 500
Date Mon, 21 May 2012 21:24:51 GMT
I expect a response to this. I submitted this over a month ago.. Get with
the program and answer.



On Mon, Apr 16, 2012 at 8:19 PM, Grope Fruit <gropefruit@gmail.com> wrote:

> Greetings,
>
> I understand that apache2, using the authnz_ldap module, prefers to
> maintain persistent connections to a given LDAP server.  While this is
> contrary to the way LDAP is intended to be used (e.g: connections without
> the UNBIND operation), I am ok with this.
>
> Our LDAP servers themselves have no timeout, nor a timelimit, on
> operations.  Doing a persistent bind against the LDAP server in question,
> (by hand) produces a connection that persists as long as necessary.
>
> Apache2, however, feels differently. When pointed directly at an LDAP
> server, after some time, we see this (and users begin complaining):
>
> [client 192.168.168.40] [18485] auth_ldap authenticate: user joe
> authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect
> error], referer: https://svn.example.com/
>
> Invariably restarting apache2 fixes the problem, but it always returns.
>
> HOWEVER, if we take LDAP StartTLS out of the equation, and we use
> something like stunnel4 (thereby telling apache2 to "not worry about using
> encryption while talking to LDAP"), the problem goes away and does not
> return.  I'll point out that the LDAP server-side SSL certificates are
> legitimate, are not expired, and are used by other things that require
> certificates to be in-order.
>
> We are stumped.
>
>
>
> Our LDAP-related apache2 configuration (which generates no errors upon
> launch, nor configtest):
>
> ## /etc/apache2/sites-available/svn
>
> LDAPSharedCacheSize 500000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> <VirtualHost *:80>
>
>    ServerAdmin webmaster@example.com
>    ServerName svn.example.com
>
>    RewriteEngine on
>    RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
>
>    ErrorLog /var/log/apache2/error.log
>    CustomLog /var/log/apache2/access.log combined
>
> </VirtualHost>
>
>
> <VirtualHost *:443>
>
>    ServerAdmin webmaster@example.com
>    ServerName svn.example.com
>
>    DocumentRoot /var/www
>
>    SSLEngine on
>    SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
>    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
>    SSLCACertificateFile         /etc/ssl/certs/ca-example.cert
>    RewriteEngine on
>    RewriteCond %{SERVER_NAME} !=svn.example.com
>    RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
>
>    ErrorLog /var/log/apache2/error.log
>    CustomLog /var/log/apache2/access.log combined
>
>  <Location /cache-info>
>      SetHandler ldap-status
>  </Location>
>
>  <Location /repo>
>      DAV svn
>      SVNPath /repo/svn
>      AuthType Basic
>      AuthName "Our Repository"
>      AuthBasicProvider ldap
>      AuthzLDAPAuthoritative off
>      AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
>      AuthLDAPBindPassword password
>      AuthLDAPURL
> ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*))
> STARTTLS
>      Require valid-user
>  </Location>
>
> </VirtualHost>
>
> Modules loaded:
>
> alias.load
> auth_basic.load
> authn_file.load
> authnz_ldap.load
> authz_default.load
> authz_groupfile.load
> authz_host.load
> authz_user.load
> autoindex.load
> cgi.load
> dav.load
> dav_svn.conf
> dav_svn.load
> dir.conf
> dir.load
> env.load
> ldap.load
> mime.load
> negotiation.load
> rewrite.load
> setenvif.load
> ssl.load
> status.load
>
> We would appreciate some insight into this - thank you.
>
> -GF
>

Mime
View raw message