Mailing List Archive: Apache: Users

authnz_ldap LDAP bind + Error 500

 

 

gropefruit at gmail

Apr 16, 2012, 8:19 PM

Post #1 of 4 (344 views)
authnz_ldap LDAP bind + Error 500

Greetings,

I understand that apache2, using the authnz_ldap module, prefers to
maintain persistent connections to a given LDAP server. While this is
contrary to the way LDAP is intended to be used (e.g., connections without
the UNBIND operation), I am ok with this.

Our LDAP servers themselves have no timeout, nor a timelimit, on
operations. Doing a persistent bind against the LDAP server in question
(by hand) produces a connection that persists as long as necessary.

Apache2, however, feels differently. When pointed directly at an LDAP
server, after some time, we see this (and users begin complaining):

[client 192.168.168.40] [18485] auth_ldap authenticate: user joe
authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect
error], referer: https://svn.example.com/

Invariably restarting apache2 fixes the problem, but it always returns.

HOWEVER, if we take LDAP StartTLS out of the equation, and we use something
like stunnel4 (thereby telling apache2 to "not worry about using encryption
while talking to LDAP"), the problem goes away and does not return. I'll
point out that the LDAP server-side SSL certificates are legitimate, are
not expired, and are used by other things that require certificates to be
in order.

We are stumped.



Our LDAP-related apache2 configuration (which generates no errors upon
launch, nor configtest):

## /etc/apache2/sites-available/svn

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<VirtualHost *:80>

ServerAdmin webmaster [at] example
ServerName svn.example.com

RewriteEngine on
RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

</VirtualHost>


<VirtualHost *:443>

ServerAdmin webmaster [at] example
ServerName svn.example.com

DocumentRoot /var/www

SSLEngine on
SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
SSLCACertificateFile /etc/ssl/certs/ca-example.cert
RewriteEngine on
RewriteCond %{SERVER_NAME} !=svn.example.com
RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

<Location /cache-info>
SetHandler ldap-status
</Location>

<Location /repo>
DAV svn
SVNPath /repo/svn
AuthType Basic
AuthName "Our Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
AuthLDAPBindPassword password
AuthLDAPURL "ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*))" STARTTLS
Require valid-user
</Location>

</VirtualHost>

Modules loaded:

alias.load
auth_basic.load
authn_file.load
authnz_ldap.load
authz_default.load
authz_groupfile.load
authz_host.load
authz_user.load
autoindex.load
cgi.load
dav.load
dav_svn.conf
dav_svn.load
dir.conf
dir.load
env.load
ldap.load
mime.load
negotiation.load
rewrite.load
setenvif.load
ssl.load
status.load

We would appreciate some insight into this - thank you.

-GF
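The failure line quoted in the post is exactly what a log monitor should catch before users start complaining. What follows is an added example, not code from the post or from Apache httpd: a small Python detector that parses mod_authnz_ldap failure lines in the httpd 2.2 error-log format and separates transport/TLS-layer failures (a StartTLS or connect error) from credential failures. Several distinct users failing on the same worker process within a short window points at a dead pooled connection rather than at mistyped passwords. The `[date] [level]` prefix, the timestamps, the extra client addresses and the user names in the sample log are constructed (the archived line in the post has no timestamp prefix), and the function and threshold names are this example's own.

```python
"""Detect a dead mod_ldap connection pool from Apache error-log lines.

Added example, not code from the post or from Apache httpd. It parses
mod_authnz_ldap failure lines in the httpd 2.2 error-log format and flags a
worker process on which several different users fail at the transport/TLS
layer within a short window. A credential typo produces "Invalid credentials"
for one user; a stale pooled connection produces "Connect error" for everyone
served by that process.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the standard 2.2 prefix "[date] [level]" precedes the text quoted
# in the post (the mailing-list archive stripped it).
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[LDAP: (?P<call>[^\]]+)\]\[(?P<detail>[^\]]+)\]"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# LDAP result strings that mean the connection, not the password, is broken.
CONNECTION_DETAILS = {"Connect error", "Can't contact LDAP server", "Server is unavailable"}


def parse_line(line):
    """Return a dict for an auth_ldap failure line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["connection_failure"] = rec["detail"] in CONNECTION_DETAILS
    return rec


def find_stale_pool_alerts(lines, window=timedelta(minutes=5), min_failures=3, min_users=2):
    """Return one alert per worker pid whose pooled LDAP connection looks dead.

    mod_ldap keeps one connection pool per httpd worker process, so failures are
    grouped by pid; an alert needs min_failures connection-layer failures from
    at least min_users distinct users inside one sliding time window.
    """
    by_pid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["connection_failure"]:
            by_pid[rec["pid"]].append(rec)

    alerts = []
    for pid, recs in sorted(by_pid.items()):
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the bucket fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            bucket = recs[start:end + 1]
            users = sorted({r["user"] for r in bucket})
            if len(bucket) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "pid": pid,
                    "first": bucket[0]["ts"],
                    "last": bucket[-1]["ts"],
                    "failures": len(bucket),
                    "users": users,
                    "details": sorted({r["detail"] for r in bucket}),
                })
                break  # one alert per process is enough; the condition is per process
    return alerts


# Constructed sample log: the first line is the one quoted in the post with a
# made-up timestamp prefix; the others are invented to show the distinction
# between a dead pool (three users on pid 18485) and one bad password (eve).
SAMPLE_LOG = """\
[Mon Apr 16 20:19:01 2012] [warn] [client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[Mon Apr 16 20:19:03 2012] [warn] [client 192.168.168.41] [18485] auth_ldap authenticate: user ann authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[Mon Apr 16 20:19:09 2012] [warn] [client 192.168.168.42] [18485] auth_ldap authenticate: user bob authentication failed; URI /repo/trunk [LDAP: ldap_start_tls_s() failed][Connect error]
[Mon Apr 16 20:19:12 2012] [warn] [client 192.168.168.43] [18490] auth_ldap authenticate: user eve authentication failed; URI /repo/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials], referer: https://svn.example.com/
[Mon Apr 16 20:20:00 2012] [notice] [client 192.168.168.40] something unrelated
"""

if __name__ == "__main__":
    for alert in find_stale_pool_alerts(SAMPLE_LOG.splitlines()):
        print("pid %(pid)s: %(failures)d connection-layer failures for users %(users)s "
              "between %(first)s and %(last)s (%(details)s)" % alert)
```

Grouping by pid matters because mod_ldap's pool lives inside each worker process: a positive alert names the process whose cached connection went stale, which is why a full restart "fixes" the symptom in the post. On httpd 2.4 the same condition is better handled by bounding the lifetime of pooled connections with mod_ldap's LDAPConnectionPoolTTL directive than by restarting the server.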


gropefruit at gmail

May 21, 2012, 2:24 PM

Post #2 of 4 (300 views)
Re: authnz_ldap LDAP bind + Error 500 [In reply to]

I expect a response to this. I submitted this over a month ago. Get with
the program and answer.




covener at gmail

May 21, 2012, 2:37 PM

Post #3 of 4 (299 views)
Re: Re: authnz_ldap LDAP bind + Error 500 [In reply to]

On Mon, May 21, 2012 at 5:24 PM, Grope Fruit <gropefruit [at] gmail> wrote:
> I expect a response to this. I submitted this over a month ago.. Get with
> the program and answer.

Is your support contract up to date?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


stormy22 at stormy

May 21, 2012, 4:20 PM

Post #4 of 4 (301 views)
Re: Re: authnz_ldap LDAP bind + Error 500 [In reply to]

At 02:24 PM 5/21/2012 -0700, you wrote:
>I expect a response to this. I submitted this over a month ago.. Get with
>the program and answer.
>On Mon, Apr 16, 2012 at 8:19 PM, Grope Fruit
><gropefruit [at] gmail> wrote:
[snip]
>We are stumped.
[snip]
Not just stumped - you've alienated a whole group of very friendly and
helpful experts.

As Huck Finn said: "I reckon I got to light out for the Territory, because
Aunt Sally she's going to adopt me and civilize me and I can't stand it."
