Solved

auth_ldap Timeout? Errors showing ldap_simple_bind_s() failed

Posted on 2006-06-09
5
1,682 Views
Last Modified: 2012-06-21
Hi

I have an Apache 2.2.0 (Win32) installation
using LDAP authentication against an Active Directory.

It works fine - able to authenticate as expected.

If no one uses a secured page for like 10 minutes (aprox) - when they reload the page -or- go to another secured page, they see a Server Misconfiguration error page.  

If you refresh the page after the error, it will then show the page correctly.
If there are a lot of people using the site, the error doesn't show up.

The Apache error logs shows
[5116] auth_ldap authenticate: user test authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Unavailable]

It is almost like the ldap connection is cached and times out.  And then after the error the LDAP connect is reconnected

Also, the pages are .php - PHP is 5.1.2 with cacheing configured - but I'm thinking this is an Apache issue

Thanks for any help
0
Comment
Question by:audaciouspixie
5 Comments
 
LVL 10

Accepted Solution

by:
sleep_furiously earned 125 total points
ID: 16875016
10 mintues might be explained as the default for LDAPCacheTTL directive and LDAPOpCacheTTL directive.

See:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html

So only after 10 minutes will the cache expire and authentication will be retried with the LDAP server.

It looks to me like Apache assumes the LDAP connection is still available in the pool, but the LDAP server has dropped it.

For Active Directory, there is an idle time limit for a connection (MaxConnIdleTime) set in policy.  The LDAP server drops connections that have been idle for this length of time.

Probably the bad connection is dropped from the pool when the failure occurs, so reconnect uses a different connection or establishes a new one.
0
 

Author Comment

by:audaciouspixie
ID: 16895358
This was good information to look into

I checked the MaxConnIdleTime in the AD policy - and it is set to the default of 900 seconds.
The default LDAPCacheTTL and LDAPOpCacheTTL are 600 seconds - so you would think that the AD connection would still be good after the cache timeout of 10 minutes.

But like you said, it does look like the AD connection is dropped eary for some reason and Apache assumes it should still be active.

I'm going to try to figure out if and why the AD connection is being dropped early.
But it is also possible that the Apache ldap connection pool has a problem - so I'm also going to try to update Apache to 2.2.2 to see if that helps any

Will update this soon with anything I find
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
It is possible to boost certain documents at query time in Solr. Query time boosting can be a powerful resource for finding the most relevant and "best" content. Of course the more information you index, the more fields you will be able to use for y…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Edureka is one of the fastest growing and most effective online learning sites.  We are here to help you succeed.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now