Solved

auth_ldap Timeout? Errors showing ldap_simple_bind_s() failed

Posted on 2006-06-09
Last Modified: 2012-06-21
Hi

I have an Apache 2.2.0 (Win32) installation
using LDAP authentication against an Active Directory.

It works fine - able to authenticate as expected.

If no one uses a secured page for like 10 minutes (approx.) - when they reload the page -or- go to another secured page, they see a Server Misconfiguration error page.

If you refresh the page after the error, it will then show the page correctly.
If there are a lot of people using the site, the error doesn't show up.

The Apache error log shows:
[5116] auth_ldap authenticate: user test authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Unavailable]

It is almost like the LDAP connection is cached and times out. And then after the error the LDAP connection is reconnected.

Also, the pages are .php - PHP is 5.1.2 with caching configured - but I'm thinking this is an Apache issue.

Thanks for any help
Question by:audaciouspixie
Accepted Solution

by:
sleep_furiously earned 500 total points
ID: 16875016
10 minutes might be explained as the default for LDAPCacheTTL directive and LDAPOpCacheTTL directive.

See:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html

So only after 10 minutes will the cache expire and authentication will be retried with the LDAP server.

It looks to me like Apache assumes the LDAP connection is still available in the pool, but the LDAP server has dropped it.

For Active Directory, there is an idle time limit for a connection (MaxConnIdleTime) set in policy.  The LDAP server drops connections that have been idle for this length of time.

Probably the bad connection is dropped from the pool when the failure occurs, so reconnect uses a different connection or establishes a new one.

Author Comment

by:audaciouspixie
ID: 16895358
This was good information to look into

I checked the MaxConnIdleTime in the AD policy - and it is set to the default of 900 seconds.
The default LDAPCacheTTL and LDAPOpCacheTTL are 600 seconds - so you would think that the AD connection would still be good after the cache timeout of 10 minutes.

But like you said, it does look like the AD connection is dropped early for some reason and Apache assumes it should still be active.

I'm going to try to figure out if and why the AD connection is being dropped early.
But it is also possible that the Apache ldap connection pool has a problem - so I'm also going to try to update Apache to 2.2.2 to see if that helps any.

Will update this soon with anything I find
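
The hypothesis discussed in this thread, played out as an added example (not part of the original posts and not Apache's code): a toy model of one pooled bind connection that the far end drops after `idle_limit` seconds, combined with a per-user bind cache lasting `cache_ttl` seconds. All function and parameter names are hypothetical, the request timelines are constructed, and the 300-second value stands in for an unknown earlier drop.

```python
def simulate(requests, cache_ttl, idle_limit, retry_on_stale=False):
    """Model the pooled LDAP connection; return one outcome per request.

    requests   - list of (time_in_seconds, user), sorted by time (constructed)
    cache_ttl  - how long a successful bind is remembered (LDAPCacheTTL role)
    idle_limit - idle time after which the far end silently drops the
                 connection (MaxConnIdleTime role, or a device in between)
    retry_on_stale - assumed mitigation: reconnect and rebind once instead
                 of returning the error to the browser
    Outcomes: 'cache', 'bind-ok', 'bind-retried', 'error'.
    """
    outcomes = []
    conn_last_used = None   # None means no pooled connection exists yet
    cached_at = {}          # user -> time of last successful bind
    for t, user in requests:
        if user in cached_at and t - cached_at[user] < cache_ttl:
            outcomes.append("cache")  # no LDAP traffic, the connection idles
            continue
        stale = conn_last_used is not None and t - conn_last_used >= idle_limit
        if stale and not retry_on_stale:
            # Bind attempted on a dead connection: the user sees the error
            # page. Assumption from the thread: the pool then discards it.
            outcomes.append("error")
            conn_last_used = None
            continue
        outcomes.append("bind-retried" if stale else "bind-ok")
        conn_last_used = cached_at[user] = t
    return outcomes


# Constructed timelines: one user returning after 11 minutes and refreshing,
# and ten users whose binds keep the shared connection active every minute.
QUIET = [(0, "test"), (660, "test"), (665, "test")]
BUSY = [(t, f"u{(t // 60) % 10}") for t in range(0, 3600, 60)]

if __name__ == "__main__":
    print("TTL 600, idle 900:", simulate(QUIET, 600, 900))
    print("TTL 600, idle 300:", simulate(QUIET, 600, 300))
    print("with retry       :", simulate(QUIET, 600, 300, retry_on_stale=True))
    print("busy site errors :", simulate(BUSY, 600, 300).count("error"))
```

With the 600 and 900 second values quoted above, the model predicts no error after about ten idle minutes; the reported error, the working refresh and the error-free busy site only appear together once the effective idle limit is shorter than the cache TTL.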