
authnz_ldap LDAP bind + Error 500
Greetings,

I understand that apache2, using the authnz_ldap module, prefers to
maintain persistent connections to a given LDAP server. While this is
contrary to the way LDAP is intended to be used (e.g., connections without
the UNBIND operation), I am ok with this.

Our LDAP servers themselves have no timeout, nor a timelimit, on
operations. Doing a persistent bind against the LDAP server in question
(by hand) produces a connection that persists as long as necessary.

Apache2, however, feels differently. When pointed directly at an LDAP
server, after some time, we see this (and users begin complaining):

[client 192.168.168.40] [18485] auth_ldap authenticate: user joe
authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect
error], referer: https://svn.example.com/

Invariably restarting apache2 fixes the problem, but it always returns.

HOWEVER, if we take LDAP StartTLS out of the equation, and we use something
like stunnel4 (thereby telling apache2 to "not worry about using encryption
while talking to LDAP"), the problem goes away and does not return. I'll
point out that the LDAP server-side SSL certificates are legitimate, are
not expired, and are used by other things that require certificates to be
in-order.

We are stumped.



Our LDAP-related apache2 configuration (which generates no errors upon
launch, nor configtest):

## /etc/apache2/sites-available/svn

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<VirtualHost *:80>

ServerAdmin webmaster@example.com
ServerName svn.example.com

RewriteEngine on
RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

</VirtualHost>


<VirtualHost *:443>

ServerAdmin webmaster@example.com
ServerName svn.example.com

DocumentRoot /var/www

SSLEngine on
SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
SSLCACertificateFile /etc/ssl/certs/ca-example.cert
RewriteEngine on
RewriteCond %{SERVER_NAME} !=svn.example.com
RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

<Location /cache-info>
SetHandler ldap-status
</Location>

<Location /repo>
DAV svn
SVNPath /repo/svn
AuthType Basic
AuthName "Our Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
AuthLDAPBindPassword password
AuthLDAPURL ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*)) STARTTLS
Require valid-user
</Location>

</VirtualHost>

Modules loaded:

alias.load
auth_basic.load
authn_file.load
authnz_ldap.load
authz_default.load
authz_groupfile.load
authz_host.load
authz_user.load
autoindex.load
cgi.load
dav.load
dav_svn.conf
dav_svn.load
dir.conf
dir.load
env.load
ldap.load
mime.load
negotiation.load
rewrite.load
setenvif.load
ssl.load
status.load

We would appreciate some insight into this - thank you.

-GF
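The failure quoted above is a transport-level error (the pooled LDAP connection can no longer complete StartTLS), which looks different in the error log from a user simply mistyping a password. The following added example, not part of the original post, parses auth_ldap failure lines in the format shown above and flags the pattern that points at a stale pooled connection rather than bad credentials; the sample log lines, the "Invalid credentials" text and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Apache 2.2 authnz_ldap failure message, in the shape quoted in the original post
# (any timestamp/level prefix before "[client" is ignored by search()).
LDAP_FAIL_RE = re.compile(
    r"\[client (?P<client>[\d.]+)\] \[(?P<pid>\d+)\] auth_ldap authenticate: "
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[LDAP: (?P<ldap_msg>[^\]]*)\]\[(?P<detail>[^\]]*)\]"
)

# Substrings that indicate the LDAP *connection* failed, not the user's password.
TRANSPORT_MARKERS = ("ldap_start_tls_s() failed", "Connect error", "Can't contact LDAP server")

def parse_failure(line):
    """Return the fields of an auth_ldap failure line, or None if it is not one."""
    m = LDAP_FAIL_RE.search(line)
    return m.groupdict() if m else None

def is_transport_failure(event):
    text = event["ldap_msg"] + " " + event["detail"]
    return any(marker in text for marker in TRANSPORT_MARKERS)

def analyze(lines, threshold=3):
    """Classify failures; flag a probable stale pooled connection when
    transport errors hit several different users (one user failing with
    'Invalid credentials' is a password problem, not an outage)."""
    transport, credential = [], []
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        (transport if is_transport_failure(ev) else credential).append(ev)
    users = {ev["user"] for ev in transport}
    return {
        "transport_failures": len(transport),
        "credential_failures": len(credential),
        "affected_users": sorted(users),
        "failures_by_pid": dict(Counter(ev["pid"] for ev in transport)),
        "stale_connection_suspected": len(transport) >= threshold and len(users) >= 2,
    }

# Constructed sample lines in the format quoted in the post (not real log data).
SAMPLE_LOG = [
    "[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/",
    "[client 192.168.168.41] [18485] auth_ldap authenticate: user ann authentication failed; URI /repo/trunk [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/",
    "[client 192.168.168.42] [18490] auth_ldap authenticate: user bob authentication failed; URI /repo/ [LDAP: Invalid credentials][Invalid credentials], referer: https://svn.example.com/",
    "[client 192.168.168.43] [18485] auth_ldap authenticate: user eve authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/",
    "[client 192.168.168.44] [18485] File does not exist: /var/www/favicon.ico",
]
```

Running `analyze(SAMPLE_LOG)` reports three transport failures across three users from one httpd child and one credential failure, so the stale-connection flag is raised; the same failures from a single user would not trip it.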
Re: authnz_ldap LDAP bind + Error 500
I expect a response to this. I submitted this over a month ago. Get with
the program and answer.



On Mon, Apr 16, 2012 at 8:19 PM, Grope Fruit <gropefruit@gmail.com> wrote:

> Greetings,
>
> I understand that apache2, using the authnz_ldap module, prefers to
> maintain persistent connections to a given LDAP server. While this is
> contrary to the way LDAP is intended to be used (e.g., connections without
> the UNBIND operation), I am ok with this.
>
> Our LDAP servers themselves have no timeout, nor a timelimit, on
> operations. Doing a persistent bind against the LDAP server in question
> (by hand) produces a connection that persists as long as necessary.
>
> Apache2, however, feels differently. When pointed directly at an LDAP
> server, after some time, we see this (and users begin complaining):
>
> [client 192.168.168.40] [18485] auth_ldap authenticate: user joe
> authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect
> error], referer: https://svn.example.com/
>
> Invariably restarting apache2 fixes the problem, but it always returns.
>
> HOWEVER, if we take LDAP StartTLS out of the equation, and we use
> something like stunnel4 (thereby telling apache2 to "not worry about using
> encryption while talking to LDAP"), the problem goes away and does not
> return. I'll point out that the LDAP server-side SSL certificates are
> legitimate, are not expired, and are used by other things that require
> certificates to be in-order.
>
> We are stumped.
>
>
>
> Our LDAP-related apache2 configuration (which generates no errors upon
> launch, nor configtest):
>
> ## /etc/apache2/sites-available/svn
>
> LDAPSharedCacheSize 500000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> <VirtualHost *:80>
>
> ServerAdmin webmaster@example.com
> ServerName svn.example.com
>
> RewriteEngine on
> RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
>
> ErrorLog /var/log/apache2/error.log
> CustomLog /var/log/apache2/access.log combined
>
> </VirtualHost>
>
>
> <VirtualHost *:443>
>
> ServerAdmin webmaster@example.com
> ServerName svn.example.com
>
> DocumentRoot /var/www
>
> SSLEngine on
> SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
> SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
> SSLCACertificateFile /etc/ssl/certs/ca-example.cert
> RewriteEngine on
> RewriteCond %{SERVER_NAME} !=svn.example.com
> RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
>
> ErrorLog /var/log/apache2/error.log
> CustomLog /var/log/apache2/access.log combined
>
> <Location /cache-info>
> SetHandler ldap-status
> </Location>
>
> <Location /repo>
> DAV svn
> SVNPath /repo/svn
> AuthType Basic
> AuthName "Our Repository"
> AuthBasicProvider ldap
> AuthzLDAPAuthoritative off
> AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
> AuthLDAPBindPassword password
> AuthLDAPURL ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*)) STARTTLS
> Require valid-user
> </Location>
>
> </VirtualHost>
>
> Modules loaded:
>
> alias.load
> auth_basic.load
> authn_file.load
> authnz_ldap.load
> authz_default.load
> authz_groupfile.load
> authz_host.load
> authz_user.load
> autoindex.load
> cgi.load
> dav.load
> dav_svn.conf
> dav_svn.load
> dir.conf
> dir.load
> env.load
> ldap.load
> mime.load
> negotiation.load
> rewrite.load
> setenvif.load
> ssl.load
> status.load
>
> We would appreciate some insight into this - thank you.
>
> -GF
>
Re: Re: authnz_ldap LDAP bind + Error 500
On Mon, May 21, 2012 at 5:24 PM, Grope Fruit <gropefruit@gmail.com> wrote:
> I expect a response to this. I submitted this over a month ago. Get with
> the program and answer.

Is your support contract up to date?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Re: authnz_ldap LDAP bind + Error 500
At 02:24 PM 5/21/2012 -0700, you wrote:
>I expect a response to this. I submitted this over a month ago. Get with
>the program and answer.
>On Mon, Apr 16, 2012 at 8:19 PM, Grope Fruit
><gropefruit@gmail.com> wrote:
[snip]
>We are stumped.
[snip]
Not just stumped - you've alienated a whole group of very friendly and
helpful experts.

As Huck Finn said: "I reckon I got to light out for the Territory, because
Aunt Sally she's going to adopt me and civilize me and I can't stand it."