40878 – For LDAP authentication against Windows Active Directory ldap_simple_bind_s fails after a period

Bug 40878 - For LDAP authentication against Windows Active Directory ldap_simple_bind_s fails after a period

Summary: For LDAP authentication against Windows Active Directory ldap_simple_bind_s f...

Status:	RESOLVED FIXED

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ldap (show other bugs)
Version:	2.2.3
Hardware:	Other Linux

Importance:	P2 enhancement with 1 vote (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	PatchAvailable

Depends on:
Blocks:

Reported:	2006-11-02 09:08 UTC by Rob Baily
Modified:	2011-09-17 15:53 UTC (History)
CC List:	0 users

Attachments
Proposed patch for the enhancement. (4.19 KB, patch) 2006-11-02 09:10 UTC, Rob Baily	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rob Baily 2006-11-02 09:08:35 UTC

This is really more an enhance,ent request then a bug.  Here is the situation:

We set up Apache 2.2.3 on a Linux server and set up Subversion 1.4.0 to be
handled by it.  We set up authentication to use LDAP to authenticate users.  We
are authenticating to a Windows 2003 server through its LDAP service (using
Global Catalog).

Here is the basic configuration.  I mangled some of the entries here as to not
expose anything.

<Location />
    AuthName "SVN"
    AuthType Basic
    AuthBasicProvider file ldap
    AuthzLDAPAuthoritative Off
    AuthLDAPURL ldap://machinename:3268/dc=Company,dc=com?sAMAccountName?sub
    AuthLDAPBindDN "user@domain.com"
    AuthLDAPBindPassword "xxxxx"
    AuthUserFile /var/subversion/conf/svn-auth-users
    Require valid-user
</Location>

So what happens is that generally it works fine.  But then if a user is inactive
for a while (appears to be between 1 and 2 hours) and then tries to perform
another operation they get a 500 internal error and a message similar to this is
logged in the log file.

[Wed Nov 01 11:50:40 2006] [warn] [client 10.1.2.47] [3994] auth_ldap
authenticate: user rbaily authentication failed; URI
/svn/projects/candyland/trunk [LDAP: ldap_simple_bind_s() failed][Can't contact
LDAP server]

If they attempt to rety the operation then usually between 2 to 5 times it comes
back with no problem.  So this was becoming a major headache and causing our
developers some pain in getting code checked in or getting updates.  Also it was
causing some problems with a continuous build server.  I am not certain about
the exact time period or the inactivity but indications pointed to this.

So I looked at the code in modules/ldap/util_ldap.c and changed it slightly. 
There is a section of code that attempts to do ldap_simple_bind_s and repeats 10
times if it is getting a LDAP_SERVER_DOWN code.  What I noticed about this is
that the connection is not truly being reset everytime.  It basically starts
with the current state and tries to bind again.  So I moved out the code that
was in the upper part of the uldap_connection_open into a function called
uldap_connection_init.  Then in the failures loop if we get halfway (5 tries)
then I changed it to unbind and then init it before trying to bind again.

This has worked well for us as we are no longer getting this.  So I realize this
may be a Windows only issue and people may not be too keen on corecting it but
it seems like it could happen on other types of LDAP servers as well.  I also
think the design is a little better having the init stuff put out in a separate
function rather than in the open function.  Also I changed some of the other
places that had multiple statements for the unbind to call
uldap_connection_unbind which handles it.

I think ideally it would be better if we could configure the 10 and 5 numbers
through the configuration file but I wasn't really sure how to handle that.

I'll attach a patch to this shortly.

Comment 1 Rob Baily 2006-11-02 09:10:19 UTC

Created attachment 19076 [details]
Proposed patch for the enhancement.

Ideally I think the 10 and 5 in the failures loop would be configrable with
some defaults like the numbers that are currently used.  However I wasn't
really sure about the best way to put that in so I did not do that.

Comment 2 Rob Baily 2006-11-02 09:26:22 UTC

Changing severity to enhancement.  Although some people may think it is a bug
since it eventually fails the LDAP authentication.

Comment 3 Brad Nicholes 2006-11-08 12:48:37 UTC

Checked into trunk and proposed for backport to 2.2

Comment 4 John Tracy 2007-04-23 09:35:47 UTC

In our environment we're running Apache 2.2.3 on a Solaris 10 box authenticating
against a Windows 2003 LDAP server. This issue also appeared when our developers
started porting applications over to Apache from IIS. In our situation, it would
sometimes appear even upon an initial connection from a user after attempting to
authenticate against LDAP. This was after the web server daemon was online for a
few hours (four). The end user, if they entered their username/password
correctly (or perhaps incorrectly too) would immediately get a 500 Internal
Server error message, and an entry like this would be logged:

[Mon Apr 23 12:05:36 2007] [warn] [client 101.10.115.53] [21514] auth_ldap
authenticate: user tracy authentication failed; URI /em/gs [LDAP:
ldap_simple_bind_s() failed][Can't contact LDAP server]

Comment 5 Stefan Fritsch 2011-09-17 15:53:29 UTC

in 2.2.4