Solved

auth_ldap Timeout? Errors showing ldap_simple_bind_s() failed

Posted on 2006-06-09
5
1,690 Views
Last Modified: 2012-06-21
Hi

I have an Apache 2.2.0 (Win32) installation
using LDAP authentication against an Active Directory.

It works fine - able to authenticate as expected.

If no one uses a secured page for like 10 minutes (aprox) - when they reload the page -or- go to another secured page, they see a Server Misconfiguration error page.  

If you refresh the page after the error, it will then show the page correctly.
If there are a lot of people using the site, the error doesn't show up.

The Apache error logs shows
[5116] auth_ldap authenticate: user test authentication failed; URI /test/People.php [LDAP: ldap_simple_bind_s() failed][Unavailable]

It is almost like the ldap connection is cached and times out.  And then after the error the LDAP connect is reconnected

Also, the pages are .php - PHP is 5.1.2 with cacheing configured - but I'm thinking this is an Apache issue

Thanks for any help
0
Comment
Question by:audaciouspixie
5 Comments
 
LVL 10

Accepted Solution

by:
sleep_furiously earned 125 total points
ID: 16875016
10 mintues might be explained as the default for LDAPCacheTTL directive and LDAPOpCacheTTL directive.

See:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html

So only after 10 minutes will the cache expire and authentication will be retried with the LDAP server.

It looks to me like Apache assumes the LDAP connection is still available in the pool, but the LDAP server has dropped it.

For Active Directory, there is an idle time limit for a connection (MaxConnIdleTime) set in policy.  The LDAP server drops connections that have been idle for this length of time.

Probably the bad connection is dropped from the pool when the failure occurs, so reconnect uses a different connection or establishes a new one.
0
 

Author Comment

by:audaciouspixie
ID: 16895358
This was good information to look into

I checked the MaxConnIdleTime in the AD policy - and it is set to the default of 900 seconds.
The default LDAPCacheTTL and LDAPOpCacheTTL are 600 seconds - so you would think that the AD connection would still be good after the cache timeout of 10 minutes.

But like you said, it does look like the AD connection is dropped eary for some reason and Apache assumes it should still be active.

I'm going to try to figure out if and why the AD connection is being dropped early.
But it is also possible that the Apache ldap connection pool has a problem - so I'm also going to try to update Apache to 2.2.2 to see if that helps any

Will update this soon with anything I find
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction As you’re probably aware the HTTP protocol offers basic / weak authentication, which in combination with the relevant configuration on your web server, provides the ability to password protect all or part of your host.  If you were not…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question