Solved

auth_ldap Timeout? Errors showing ldap_simple_bind_s() failed

Posted on 2006-06-09
5
1,676 Views
Last Modified: 2012-06-21
Hi

I have an Apache 2.2.0 (Win32) installation
using LDAP authentication against an Active Directory.

It works fine - able to authenticate as expected.

If no one uses a secured page for like 10 minutes (aprox) - when they reload the page -or- go to another secured page, they see a Server Misconfiguration error page.  

If you refresh the page after the error, it will then show the page correctly.
If there are a lot of people using the site, the error doesn't show up.

The Apache error logs shows
[5116] auth_ldap authenticate: user test authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Unavailable]

It is almost like the ldap connection is cached and times out.  And then after the error the LDAP connect is reconnected

Also, the pages are .php - PHP is 5.1.2 with cacheing configured - but I'm thinking this is an Apache issue

Thanks for any help
0
Comment
Question by:audaciouspixie
5 Comments
 
LVL 10

Accepted Solution

by:
sleep_furiously earned 125 total points
Comment Utility
10 mintues might be explained as the default for LDAPCacheTTL directive and LDAPOpCacheTTL directive.

See:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html

So only after 10 minutes will the cache expire and authentication will be retried with the LDAP server.

It looks to me like Apache assumes the LDAP connection is still available in the pool, but the LDAP server has dropped it.

For Active Directory, there is an idle time limit for a connection (MaxConnIdleTime) set in policy.  The LDAP server drops connections that have been idle for this length of time.

Probably the bad connection is dropped from the pool when the failure occurs, so reconnect uses a different connection or establishes a new one.
0
 

Author Comment

by:audaciouspixie
Comment Utility
This was good information to look into

I checked the MaxConnIdleTime in the AD policy - and it is set to the default of 900 seconds.
The default LDAPCacheTTL and LDAPOpCacheTTL are 600 seconds - so you would think that the AD connection would still be good after the cache timeout of 10 minutes.

But like you said, it does look like the AD connection is dropped eary for some reason and Apache assumes it should still be active.

I'm going to try to figure out if and why the AD connection is being dropped early.
But it is also possible that the Apache ldap connection pool has a problem - so I'm also going to try to update Apache to 2.2.2 to see if that helps any

Will update this soon with anything I find
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
If you are running a LAMP infrastructure, this little code snippet is very helpful if you are serving lots of HTML, JavaScript and CSS-related information. The mod_deflate module, which is part of the Apache 2.2 application, provides the DEFLATE…
This video discusses moving either the default database or any database to a new volume.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now