Bug 57203

Summary: LDAPConnectionPoolTTL - AH01618 error
Product: Apache httpd-2 Reporter: Jorgen <jorgen.sandstrom>
Component: mod_ldapAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED    
Severity: major    
Priority: P2    
Version: 2.4.10   
Target Milestone: ---   
Hardware: HP   
OS: Linux   

Description Jorgen 2014-11-12 13:07:35 UTC 
Hi.

I use the tool Collabnet Subversion Edge 4.0.11 which is bundled with httpd 2.4.10

When using ldap to authenticate users, it works for some time (1-2 hours) then these errors are logged.
[auth_basic:error] [pid 30962] [client xxx.xxx.xxx.xxx:51772] AH01618: user auser not found:

If I restart the httpd deamon, it works for a new time period but then back to the errors.

Workaround:
LDAPConnectionPoolTTL 60
(previous used the default -1 value)

Question:
The problems are gone now, but is this setting really good (60 value) ?
Will we have any other problems in future (performance)

I thought the apache ldap module could detect closed connections and then create a new ones when needed.

Our ldap configuration works without problem in Jenkins, JIRA for example.

BR Jorgen
Comment 1 Eric Covener 2014-11-12 13:15:36 UTC 
There is a fix in 2.4.11 that may be related, but tough to tell w/o context:

  *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
     the wrong credentials when a backend connection is reused.

Can you get it to fail under loglevel debug or trace8?

Otherwise you are right that you should just see a retry and maybe a short delay if a connection in the pool goes south.
Comment 2 Jorgen 2014-11-12 13:42:03 UTC 
(In reply to Eric Covener from comment #1)
> There is a fix in 2.4.11 that may be related, but tough to tell w/o context:
> 
>   *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done
> with
>      the wrong credentials when a backend connection is reused.
> 
> Can you get it to fail under loglevel debug or trace8?
> 
> Otherwise you are right that you should just see a retry and maybe a short
> delay if a connection in the pool goes south.



I have logs from Subversion edge in debug mode (I think thats trace8)

[Thu Nov 06 09:44:54.159442 2014] [ssl:debug] [pid 23265] ssl_engine_kernel.c(236): [client 10.249.66.28:49770] AH02034: Subsequent (No.2) HTTPS request received for child 1 (server svn-it.got.company.net:443)
[Thu Nov 06 09:44:54.159483 2014] [authz_core:debug] [pid 23265] mod_authz_core.c(799): [client 10.249.66.28:49770] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Thu Nov 06 09:44:54.159488 2014] [authz_core:debug] [pid 23265] mod_authz_core.c(799): [client 10.249.66.28:49770] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Thu Nov 06 09:44:54.159560 2014] [authnz_ldap:debug] [pid 23265] mod_authnz_ldap.c(515): [client 10.249.66.28:49770] AH01691: auth_ldap authenticate: using URL ldaps://vds.company.biz:636/ou=Internal,ou=Users,o=XXX?uid?sub
[Thu Nov 06 09:44:54.161569 2014] [authnz_ldap:info] [pid 23265] [client 10.249.66.28:49770] AH01695: auth_ldap authenticate: user userX authentication failed; URI /svn/some-path/pom.xml [User not found][No such object]
[Thu Nov 06 09:44:54.161580 2014] [auth_basic:error] [pid 23265] [client 10.249.66.28:49770] AH01618: user userX not found: /svn/EIE/!svn/rvr/452/some-path/pom.xml
Comment 3 Eric Covener 2014-11-12 13:47:03 UTC 
That could actually be a match.  You could probably test this using e.g. ldapsearch.  The issue would be that your actual users (userX) can't perform the DN search themselves (and get that same "object not found") but the webserver LDAPBindDN can.
Comment 4 Jorgen 2014-11-12 16:05:48 UTC 
Hi again Eric.

I always validate with ldapsearch before configuring the tool (the server must accept ldap cert and connect thru firewall)

Do the search with 'ldapmanger-user' in ldap for looking up 'myuser'
-- This always works, no surprise --
ldapsearch -xLLLH ldaps://vds.company.biz:636 -D "cn=ldapmanger-user,ou=Internal,ou=Users,o=company" -w '*****' -b "ou=Internal,ou=Users,o=Company" "(&(objectClass=inetOrgPerson)(cn=myuser))"

Do the search with 'myuser' in ldap for looking up 'myuser'
-- This return nothing --
ldapsearch -xLLLH ldaps://vds.company.biz:636 -D "cn=myuser,ou=Internal,ou=Users,o=company" -w '*****' -b "ou=Internal,ou=Users,o=Company" "(&(objectClass=inetOrgPerson)(cn=myuser))"

Do the search with 'unkownuser' in ldap for looking up 'myuser'
-- This return 'ldap_bind: Invalid credentials (49)' , no surprise --
ldapsearch -xLLLH ldaps://vds.company.biz:636 -D "cn=unkownuser,ou=Internal,ou=Users,o=company" -w '*****' -b "ou=Internal,ou=Users,o=Company" "(&(objectClass=inetOrgPerson)(cn=myuser))"

BR Jorgen
Comment 5 Eric Covener 2014-11-12 16:38:40 UTC 
okay, based on that then I think you are affected by that bug in 2.4.10 fixed in 2.4.11. Unfortunately you'll need a new mod_ldap (util_ldap.c) to verify.
Comment 6 Jorgen 2014-11-12 16:43:51 UTC 
Thank you so much for your time Eric.

Next upgrade from CollabNet Subversion Edge will problaby be shipped with 2.4.11.

Until then, what do you recommend
LDAPConnectionPoolTTL 60
or
LDAPConnectionPoolTTL 0 (never try to reuse a ldap connection)

BR Jorgen
Comment 7 Eric Covener 2014-11-12 16:59:28 UTC 
I think 60 is reasonable