On Sunday, February 25, 2018 at 12:57:30 AM UTC, david.johnstone wrote:
>
> Good Morning,
>
> I have been working on a new installation of Trac/Subversion, in
> preparation for a migration to new hardware.
>
> Part of the migration plan is to look at integrating the authentication
> with Active Directory via LDAP. Trac offers two options for authentication
> via LDAP: either have Apache do the authentication, or have Trac do the
> authentication using the TracDirectoryAuth plugin. I have looked at both
> options and think TracDirectoryAuth is the neater/better solution.
>
> But I have hit a problem. If the system is idle for a period when Trac
> connects to the LDAP server, the connection fails with either "Broken pipe"
> or "Connection Reset" messages.
>
> The problem seems to be that Windows cleans up idle LDAP connections, see
> https://support.microsoft.com/en-au/help/2000061/ldap-and-kerberos-server-may-reset-tcp-sessions-immediately-after-crea.
> In MS documentation it suggests -- "For the KDC ports, many clients,
> including the Windows Kerberos client, will perform a retry and then get a
> full timer tick to work on the session. LDAP applications have a higher
> chance of considering the connection reset a fatal failure."
>
> From my reading of the code, TracDirectoryAuth tries to connect once,
> fails and gives up. A possible solution would be to wait a second and
> retry.
>
> My knowledge of Python is not good enough to modify the code. What I
> think is needed is to modify the routine "_ldap_search", so that if the
> connection fails, it waits a second and retries.
>
> Is there someone that can look at modifying the code?
>
> Cheers,
>
> David J.
>
> =====================================================================
>
> 2018-02-25 10:52:29,076 Trac[auth] INFO: get users
> 2018-02-25 10:52:29,077 Trac[chrome] ERROR: Error with navigation contributor PreferencesModule:
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/site-packages/trac/web/chrome.py", line 821, in prepare_request
>     contributor.get_navigation_items(req) or []:
>   File "/usr/lib64/python2.7/site-packages/trac/prefs/web_ui.py", line 48, in get_navigation_items
>     panels = self._get_panels(req)[0]
>   File "/usr/lib64/python2.7/site-packages/trac/prefs/web_ui.py", line 137, in _get_panels
>     p = list(provider.get_preference_panels(req) or [])
>   File "build/bdist.linux-x86_64/egg/acct_mgr/web_ui.py", line 130, in get_preference_panels
>     user_store = self.acctmgr.find_user_store(req.authname)
>   File "build/bdist.linux-x86_64/egg/acct_mgr/api.py", line 352, in find_user_store
>     user_list = store.get_users()
>   File "build/bdist.linux-x86_64/egg/tracext/dirauth/auth.py", line 153, in get_users
>     userinfo = self.expand_group_users(ldapCtx, self.group_validusers)
>   File "build/bdist.linux-x86_64/egg/tracext/dirauth/auth.py", line 182, in expand_group_users
>     attrlist=[to_utf8(self.member_attr)])
>   File "build/bdist.linux-x86_64/egg/tracext/dirauth/auth.py", line 746, in _ldap_search
>     msgid = context.search_ext(base, scope, filterstr, attrlist, 0, [lc], None, -1, sz);
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 820, in search_ext
>     timeout,sizelimit,
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 308, in _ldap_call
>     reraise(exc_type, exc_value, exc_traceback)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 292, in _ldap_call
>     result = func(*args,**kwargs)
> SERVER_DOWN: {u'info': 'Broken pipe', 'errno': 32, 'desc': u"Can't contact LDAP server"}
>

From inspection, it appears that it should already be configured to retry
the connection. The ldapCtx object that is used in the _ldap_search call is
created in the _bind_dir method:
https://trac-hacks.org/browser/directoryauthplugin/trunk/tracext/dirauth/auth.py?rev=16087&marks=294,295,310-312#L285

Here is the documentation for the ReconnectLDAPObject configuration options:
https://www.python-ldap.org/en/latest/reference/ldap.html?highlight=ReconnectLDAPObject#ldap.ReconnectLDAPObject

Also, have you tried modifying the [account-manager] dir_timeout option? It 
defaults to 5, and sets the value of OPT_TIMEOUT:
https://www.python-ldap.org/en/latest/reference/ldap.html?highlight=ReconnectLDAPObject#ldap.OPT_TIMEOUT

Does the timeout occur immediately when loading the page after the idle 
time? Or does it take 5 seconds until you see the traceback? It seems like 
the plugin is configured by default to retry 5 times at 1 second intervals. 
Or maybe 5 times at 5 second intervals? It's unclear to me if/how 
OPT_TIMEOUT and the retry_delay argument of ReconnectLDAPObject are related.

- Ryan
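As an added example (not code from the DirectoryAuth plugin or from python-ldap), here is the "wait a second and retry" behaviour David asks for, written so it runs offline. ServerDown stands in for ldap.SERVER_DOWN; FakeClock and IdleResetLdapContext are constructed stand-ins for a python-ldap connection to a server that tears down idle sessions, as in the Microsoft article above; and rebind is a hypothetical callable playing the role of the plugin's _bind_dir step. The scope value 2 is python-ldap's SCOPE_SUBTREE constant; the DNs and filter are made up.

```python
import time


class ServerDown(Exception):
    """Stand-in for ldap.SERVER_DOWN so the example runs without python-ldap."""


class FakeClock:
    """Constructed clock so the idle period can be simulated without sleeping."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class IdleResetLdapContext:
    """Constructed stand-in for a python-ldap connection object.

    Mimics the Active Directory behaviour from the thread: once the session has
    been idle longer than `idle_limit` seconds the server has dropped it, and
    the client's next write fails with 'Broken pipe' (errno 32).
    """

    def __init__(self, clock, idle_limit=10.0, permanently_down=False):
        self.clock = clock
        self.idle_limit = idle_limit
        self.permanently_down = permanently_down
        self.bound = False
        self.last_used = 0.0
        self.binds = 0
        self.searches = 0

    def simple_bind_s(self, who, cred):
        # (Re)open the session; named after the python-ldap call it imitates.
        self.bound = True
        self.binds += 1
        self.last_used = self.clock.now()

    def search_s(self, base, scope, filterstr, attrlist=None):
        now = self.clock.now()
        if (self.permanently_down or not self.bound
                or now - self.last_used > self.idle_limit):
            self.bound = False
            raise ServerDown({'info': 'Broken pipe', 'errno': 32,
                              'desc': "Can't contact LDAP server"})
        self.last_used = now
        self.searches += 1
        return [('cn=user1,' + base, {'member': [b'cn=a', b'cn=b']})]


def ldap_search_with_retry(ctx, rebind, base, scope, filterstr, attrlist=None,
                           retries=3, retry_delay=1.0, sleep=time.sleep):
    """Search; on SERVER_DOWN wait, rebind and retry, at most `retries` times.

    `rebind` re-authenticates `ctx` (hypothetical; the plugin's _bind_dir step
    would play that role). After the last retry the exception is re-raised so
    an unreachable directory surfaces as an error, never as an empty result a
    caller could mistake for "no authorised users".
    """
    attempt = 0
    while True:
        try:
            return ctx.search_s(base, scope, filterstr, attrlist)
        except ServerDown:
            attempt += 1
            if attempt > retries:
                raise
            sleep(retry_delay)  # give the server its "timer tick" before reconnecting
            rebind(ctx)


def demo():
    """Drive the wrapper through the idle-reset case and the dead-server case."""
    clock = FakeClock()
    sleeps = []               # records every retry delay instead of sleeping

    def rebind(c):
        c.simple_bind_s('cn=trac,dc=example,dc=com', 'constructed-secret')

    args = ('dc=example,dc=com', 2, '(sAMAccountName=user1)', ['member'])

    ctx = IdleResetLdapContext(clock, idle_limit=10.0)
    rebind(ctx)
    first = ldap_search_with_retry(ctx, rebind, *args, sleep=sleeps.append)
    clock.advance(600)        # idle long enough for the server to drop the session
    second = ldap_search_with_retry(ctx, rebind, *args, sleep=sleeps.append)

    dead = IdleResetLdapContext(clock, permanently_down=True)
    rebind(dead)
    try:
        ldap_search_with_retry(dead, rebind, *args, retries=3, sleep=sleeps.append)
        dead_raised = False
    except ServerDown:
        dead_raised = True

    return {'first_entries': len(first), 'second_entries': len(second),
            'binds_after_idle': ctx.binds,   # initial bind + one reconnect
            'dead_raised': dead_raised, 'dead_binds': dead.binds,  # 1 + 3 retries
            'total_sleeps': len(sleeps)}     # 1 (idle case) + 3 (dead case)
```

In the plugin itself the equivalent wrapper would sit around the search_ext/result calls in _ldap_search, with the bound retry count and the re-raise kept: group-membership lookups gate access, so a persistent LDAP failure has to fail closed rather than quietly yield an empty list. Whether ReconnectLDAPObject's retry_max/retry_delay settings already cover this for the call in question is worth confirming before adding a second retry layer on top.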
