Solved

auth_ldap Timeout? Errors showing ldap_simple_bind_s() failed

Posted on 2006-06-09
1,711 Views
Last Modified: 2012-06-21
Hi

I have an Apache 2.2.0 (Win32) installation
using LDAP authentication against an Active Directory.

It works fine - able to authenticate as expected.

If no one uses a secured page for like 10 minutes (approx.) - when they reload the page -or- go to another secured page, they see a Server Misconfiguration error page.

If you refresh the page after the error, it will then show the page correctly.
If there are a lot of people using the site, the error doesn't show up.

The Apache error logs shows
[5116] auth_ldap authenticate: user test authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Unavailable]

It is almost like the LDAP connection is cached and times out. And then after the error the LDAP connection is reconnected.

Also, the pages are .php - PHP is 5.1.2 with caching configured - but I'm thinking this is an Apache issue.

Thanks for any help
Question by: audaciouspixie
5 Comments
 
LVL 10

Accepted Solution

by: sleep_furiously (earned 125 total points)
ID: 16875016
10 minutes might be explained as the default for the LDAPCacheTTL directive and the LDAPOpCacheTTL directive.

See:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html

So only after 10 minutes will the cache expire and authentication will be retried with the LDAP server.

It looks to me like Apache assumes the LDAP connection is still available in the pool, but the LDAP server has dropped it.

For Active Directory, there is an idle time limit for a connection (MaxConnIdleTime) set in policy.  The LDAP server drops connections that have been idle for this length of time.

Probably the bad connection is dropped from the pool when the failure occurs, so reconnect uses a different connection or establishes a new one.
0
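The distinction sleep_furiously draws (a bind that fails because a pooled connection went stale during a quiet period, as opposed to a user typing a wrong password) is visible in the Apache error log. The following is an added example, not code from this thread or from mod_authnz_ldap; it assumes the usual Apache 2.2 error-log prefix (`[timestamp] [level] [client ip]`) in front of the auth_ldap message quoted in the question, and all sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 2.2 error-log prefix followed by the auth_ldap failure message quoted in the
# question: "[pid] auth_ldap authenticate: user X authentication failed; URI Y [reason][diag]".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<client>[^\]]+)\] \[\d+\] "
    r"auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[(?P<reason>[^\]]*)\]\[(?P<diag>[^\]]*)\]$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # "Fri Jun 09 09:00:05 2006"

# Constructed sample log (not from the original post): two bind failures separated by a
# long idle gap, then a burst of wrong passwords from one client against one account.
SAMPLE_LOG = """\
[Fri Jun 09 09:00:05 2006] [warn] [client 10.0.0.5] [5116] auth_ldap authenticate: user test authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Unavailable]
[Fri Jun 09 09:14:40 2006] [warn] [client 10.0.0.5] [5116] auth_ldap authenticate: user test authentication failed; URI /test/Index.php [LDAP: ldap_simple_bind_s() failed][Unavailable]
[Fri Jun 09 09:15:01 2006] [warn] [client 10.0.0.9] [5116] auth_ldap authenticate: user admin authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Fri Jun 09 09:15:02 2006] [warn] [client 10.0.0.9] [5116] auth_ldap authenticate: user admin authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Fri Jun 09 09:15:03 2006] [warn] [client 10.0.0.9] [5116] auth_ldap authenticate: user admin authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
"""

def parse_failures(text):
    """Return one dict per auth_ldap failure line, with 'ts' parsed to a datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            events.append(ev)
    return events

def triage(text, cache_ttl=600):
    """Separate server/pool failures from credential failures.

    pool: (ts, user, gap_seconds, after_idle) for each failure whose diagnostic is not
    'Invalid credentials'; after_idle is True when the previous failure was at least
    cache_ttl seconds earlier (600 is the default LDAPCacheTTL), the stale-connection
    pattern discussed in the thread.  guesses: count of 'Invalid credentials' per
    (client, user), which points at password guessing rather than misconfiguration.
    """
    pool, guesses, previous = [], Counter(), None
    for ev in parse_failures(text):
        if ev["diag"] == "Invalid credentials":
            guesses[(ev["client"], ev["user"])] += 1
        else:
            gap = (ev["ts"] - previous["ts"]).total_seconds() if previous else None
            pool.append((ev["ts"], ev["user"], gap, gap is None or gap >= cache_ttl))
        previous = ev
    return pool, guesses
```

Run `triage(open("error.log").read())` against a real log; if every `[Unavailable]` entry has `after_idle` set, the failures line up with the cache TTL rather than with load or with a particular user.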
 

Author Comment

by: audaciouspixie
ID: 16895358
This was good information to look into

I checked the MaxConnIdleTime in the AD policy - and it is set to the default of 900 seconds.
The default LDAPCacheTTL and LDAPOpCacheTTL are 600 seconds - so you would think that the AD connection would still be good after the cache timeout of 10 minutes.

But like you said, it does look like the AD connection is dropped early for some reason and Apache assumes it should still be active.

I'm going to try to figure out if and why the AD connection is being dropped early.
But it is also possible that the Apache LDAP connection pool has a problem - so I'm also going to try to update Apache to 2.2.2 to see if that helps any.

Will update this soon with anything I find.
0
