This is really more an enhance,ent request then a bug. Here is the situation: We set up Apache 2.2.3 on a Linux server and set up Subversion 1.4.0 to be handled by it. We set up authentication to use LDAP to authenticate users. We are authenticating to a Windows 2003 server through its LDAP service (using Global Catalog). Here is the basic configuration. I mangled some of the entries here as to not expose anything. <Location /> AuthName "SVN" AuthType Basic AuthBasicProvider file ldap AuthzLDAPAuthoritative Off AuthLDAPURL ldap://machinename:3268/dc=Company,dc=com?sAMAccountName?sub AuthLDAPBindDN "user@domain.com" AuthLDAPBindPassword "xxxxx" AuthUserFile /var/subversion/conf/svn-auth-users Require valid-user </Location> So what happens is that generally it works fine. But then if a user is inactive for a while (appears to be between 1 and 2 hours) and then tries to perform another operation they get a 500 internal error and a message similar to this is logged in the log file. [Wed Nov 01 11:50:40 2006] [warn] [client 10.1.2.47] [3994] auth_ldap authenticate: user rbaily authentication failed; URI /svn/projects/candyland/trunk [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server] If they attempt to rety the operation then usually between 2 to 5 times it comes back with no problem. So this was becoming a major headache and causing our developers some pain in getting code checked in or getting updates. Also it was causing some problems with a continuous build server. I am not certain about the exact time period or the inactivity but indications pointed to this. So I looked at the code in modules/ldap/util_ldap.c and changed it slightly. There is a section of code that attempts to do ldap_simple_bind_s and repeats 10 times if it is getting a LDAP_SERVER_DOWN code. What I noticed about this is that the connection is not truly being reset everytime. It basically starts with the current state and tries to bind again. So I moved out the code that was in the upper part of the uldap_connection_open into a function called uldap_connection_init. Then in the failures loop if we get halfway (5 tries) then I changed it to unbind and then init it before trying to bind again. This has worked well for us as we are no longer getting this. So I realize this may be a Windows only issue and people may not be too keen on corecting it but it seems like it could happen on other types of LDAP servers as well. I also think the design is a little better having the init stuff put out in a separate function rather than in the open function. Also I changed some of the other places that had multiple statements for the unbind to call uldap_connection_unbind which handles it. I think ideally it would be better if we could configure the 10 and 5 numbers through the configuration file but I wasn't really sure how to handle that. I'll attach a patch to this shortly.
Created attachment 19076 [details] Proposed patch for the enhancement. Ideally I think the 10 and 5 in the failures loop would be configrable with some defaults like the numbers that are currently used. However I wasn't really sure about the best way to put that in so I did not do that.
Changing severity to enhancement. Although some people may think it is a bug since it eventually fails the LDAP authentication.
Checked into trunk and proposed for backport to 2.2
In our environment we're running Apache 2.2.3 on a Solaris 10 box authenticating against a Windows 2003 LDAP server. This issue also appeared when our developers started porting applications over to Apache from IIS. In our situation, it would sometimes appear even upon an initial connection from a user after attempting to authenticate against LDAP. This was after the web server daemon was online for a few hours (four). The end user, if they entered their username/password correctly (or perhaps incorrectly too) would immediately get a 500 Internal Server error message, and an entry like this would be logged: [Mon Apr 23 12:05:36 2007] [warn] [client 101.10.115.53] [21514] auth_ldap authenticate: user tracy authentication failed; URI /em/gs [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
in 2.2.4