http://issues.apache.org/bugzilla/show_bug.cgi?id=40878

Summary: For LDAP authentication against Windows Active Directory ldap_simple_bind_s fails after a period
Product: Apache httpd-2
Version: 2.2.3
Platform: Other
OS/Version: Linux
Status: NEW
Keywords: PatchAvailable
Severity: major
Priority: P2
Component: mod_ldap
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

This is really more an enhancement request than a bug. Here is the situation: We set up Apache 2.2.3 on a Linux server and set up Subversion 1.4.0 to be handled by it. We set up authentication to use LDAP to authenticate users. We are authenticating to a Windows 2003 server through its LDAP service (using Global Catalog). Here is the basic configuration. I mangled some of the entries here so as not to expose anything.

    <Location />
        AuthName "SVN"
        AuthType Basic
        AuthBasicProvider file ldap
        AuthzLDAPAuthoritative Off
        AuthLDAPURL ldap://machinename:3268/dc=Company,dc=com?sAMAccountName?sub
        AuthLDAPBindDN "[EMAIL PROTECTED]"
        AuthLDAPBindPassword "xxxxx"
        AuthUserFile /var/subversion/conf/svn-auth-users
        Require valid-user
    </Location>

So what happens is that generally it works fine. But then if a user is inactive for a while (appears to be between 1 and 2 hours) and then tries to perform another operation they get a 500 internal error and a message similar to this is logged in the log file.

    [Wed Nov 01 11:50:40 2006] [warn] [client 10.1.2.47] [3994] auth_ldap authenticate: user rbaily authentication failed; URI /svn/projects/candyland/trunk [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

If they attempt to retry the operation then usually between 2 to 5 times it comes back with no problem. So this was becoming a major headache and causing our developers some pain in getting code checked in or getting updates. Also it was causing some problems with a continuous build server. I am not certain about the exact time period or the inactivity but indications pointed to this.
So I looked at the code in modules/ldap/util_ldap.c and changed it slightly. There is a section of code that attempts to do ldap_simple_bind_s and repeats 10 times if it is getting a LDAP_SERVER_DOWN code. What I noticed about this is that the connection is not truly being reset every time. It basically starts with the current state and tries to bind again. So I moved out the code that was in the upper part of the uldap_connection_open into a function called uldap_connection_init. Then in the failures loop if we get halfway (5 tries) then I changed it to unbind and then init it before trying to bind again. This has worked well for us as we are no longer getting this.

So I realize this may be a Windows only issue and people may not be too keen on correcting it but it seems like it could happen on other types of LDAP servers as well. I also think the design is a little better having the init stuff put out in a separate function rather than in the open function. Also I changed some of the other places that had multiple statements for the unbind to call uldap_connection_unbind which handles it. I think ideally it would be better if we could configure the 10 and 5 numbers through the configuration file but I wasn't really sure how to handle that.

I'll attach a patch to this shortly.
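The retry-and-reset logic the report describes, modelled as an added example (not the reporter's patch and not util_ldap.c's own code): the connection record, the bind call and the result-code values are stand-ins, and the stale idle session is constructed so the two loop variants can be compared.

```c
/* Mirror OpenLDAP's values for the two result codes the loop checks. */
#define LDAP_SUCCESS      0
#define LDAP_SERVER_DOWN (-1)
/* Hypothetical stand-in for mod_ldap's connection record. */
typedef struct {
    void *ldap;   /* non-NULL once initialised, like ldc->ldap */
    int   stale;  /* constructed: the server silently dropped the idle session */
    int   binds;  /* bind attempts made so far */
} uldap_conn_t;

/* Stand-in for ldap_simple_bind_s(): a stale handle never recovers by itself. */
static int mock_bind(uldap_conn_t *ldc) {
    ldc->binds++;
    return ldc->stale ? LDAP_SERVER_DOWN : LDAP_SUCCESS;
}
static void uldap_connection_unbind(uldap_conn_t *ldc) { ldc->ldap = 0; }
/* A fresh handle is the only thing that clears the stale state. */
static void uldap_connection_init(uldap_conn_t *ldc) {
    static int handle;
    ldc->ldap = &handle;
    ldc->stale = 0;
}

/* Bind loop as the report describes: up to max_tries attempts on LDAP_SERVER_DOWN.
 * reset_at == 0 keeps binding on the same handle (original behaviour);
 * reset_at == max_tries / 2 unbinds and re-inits halfway (proposed change). */
int uldap_connection_open(uldap_conn_t *ldc, int max_tries, int reset_at) {
    int failures, result = LDAP_SERVER_DOWN;
    if (ldc->ldap == 0) uldap_connection_init(ldc);
    for (failures = 0; failures < max_tries; failures++) {
        if (reset_at > 0 && failures == reset_at) {
            uldap_connection_unbind(ldc);
            uldap_connection_init(ldc);
        }
        result = mock_bind(ldc);
        if (result != LDAP_SERVER_DOWN) break;
    }
    return result;
}

/* Open a handle whose session went stale; returns the bind result and attempt count. */
int stale_session_open(int max_tries, int reset_at, int *binds_out) {
    uldap_conn_t ldc = { 0, 0, 0 };
    uldap_connection_init(&ldc);
    ldc.stale = 1;
    int result = uldap_connection_open(&ldc, max_tries, reset_at);
    if (binds_out) *binds_out = ldc.binds;
    return result;
}
```

With the original loop all 10 binds are made against the dead session and the open still fails; with the reset halfway, the sixth bind succeeds.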
