sasha
Joined: 10 Oct 2007 Posts: 4
Posted: Wed 10 Oct '07 15:37 Post subject: ldap_simple_bind_s() failed][Unavailable]
Since March 2006 there is a known problem with the Apache mod_ldap module: see http://issues.apache.org/bugzilla/show_bug.cgi?id=39095
Short summary:
Quote:
    Everything works fine but after a while when no authentications are performed ldap_simple_bind_s fails
    with code 0x34 LDAP_UNAVAILABLE. This causes that the user is reprompted for his password.
    ...
This causes an "Internal Server" error reported from Apache to the user.
Read the whole story in ASF Bugzilla.
It seems that the problem occurs only with Active Directory.
Apparently one solution (workaround) to the problem is "... if mod_ldap would send a FIN-ACK when receiving a FIN and tear down the
connection completely.", but it seems that the Apache developers do not like that and their position is <MS AD is to be blamed!>
Other possible solution is to "patch mod_auth_ldap so that it also retries when the code is LDAP_UNAVAILABLE" (see comment #2 in http://issues.apache.org/bugzilla/show_bug.cgi?id=39095).
In our environment Apache is the frontend to Subversion and Active Directory is used to authenticate the users. Whereas an occasional "Internal Server" error from Apache is not a huge problem for a human user (after retrying once all works well), this causes SERIOUS problems for automated tasks, e.g. for Continuous Integration.
It would be great if somebody would prepare a tested mod_ldap module that always works with Active Directory. Volunteers?
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Fri 12 Oct '07 16:16 Post subject:
re: "It would be great if somebody would prepare a tested mod_ldap module"
You don't mention which version of Apache you use, or where you got it.
If you happen to use Apache 2.2.6 built with Visual Studio 2005 (i.e. you use Apache 2.2.6 downloaded from Apache Lounge)
- perhaps you would be willing to do the testing yourself?
The change described in Bug 39095 Comment #2 is pretty trivial. Building a new mod_ldap.so and mod_authnz_ldap.so with VS2005 is no problem.
I don't use AD, so testing this change is something you would need to do.
Interested?
-tom-
dstusynski
Joined: 19 Oct 2007 Posts: 4
Posted: Fri 19 Oct '07 16:46 Post subject: Re: ldap_simple_bind_s() failed][Unavailable]
sasha wrote:
    Since March 2006 there is a known problem with the Apache mod_ldap module: see http://issues.apache.org/bugzilla/show_bug.cgi?id=39095
    Short summary:
    Quote:
        Everything works fine but after a while when no authentications are performed ldap_simple_bind_s fails
        with code 0x34 LDAP_UNAVAILABLE. This causes that the user is reprompted for his password.
        ...
    It seems that the problem occurs only with Active Directory.
    Other possible solution is to "patch mod_auth_ldap so that it also retries when the code is LDAP_UNAVAILABLE" (see comment #2 in http://issues.apache.org/bugzilla/show_bug.cgi?id=39095).
    It would be great if somebody would prepare a tested mod_ldap module that always works with Active Directory. Volunteers?
While I can't provide the requested module, I can certainly verify that patching util_ldap.c to also check for LDAP_UNAVAILABLE is a solution, as I've had to make this change for our Win Apaches.
I've been meaning to diff the patch and submit it to Apache so they hopefully fix it in future releases.
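The retry behaviour discussed in the two posts above (Bug 39095 comment #2: treat LDAP_UNAVAILABLE like LDAP_SERVER_DOWN and rebind on a fresh connection) can be shown in isolation. The following is an added illustration written for this thread, not code from util_ldap.c, mod_ldap or any poster; the mock connection, the mock bind, the MAX_BIND_RETRIES bound and the scenario helpers are all constructed for the example, and the only thing taken from the thread is the decision logic: which result codes trigger a reconnect-and-rebind.

```c
#include <stdbool.h>
#include <stdio.h>

/* LDAP result codes named in the thread; numeric values are the standard ones
 * from RFC 4511 (LDAP_UNAVAILABLE is the 0x34 quoted in the bug report). */
#define LDAP_SUCCESS     0x00
#define LDAP_UNAVAILABLE 0x34  /* 52: directory dropped our idle connection */
#define LDAP_SERVER_DOWN 0x51  /* 81: the "[Server Down]" case */

/* Reconnect-and-rebind cycles allowed before giving up (constructed value).
 * A bound matters: an unbounded retry against a dead directory would turn a
 * failed bind into a hung worker instead of a clean error. */
#define MAX_BIND_RETRIES 1

/* Constructed stand-in for a cached LDAP connection; the real APR/mod_ldap
 * structures are not used here. */
typedef struct {
    int fail_code;      /* result the mock server returns while "unavailable" */
    int failures_left;  /* binds that still fail before the server "recovers" */
    int bind_attempts;  /* how often ldap_simple_bind_s() would have been called */
    int reconnects;     /* how often the connection was torn down and rebuilt */
} mock_conn;

/* Mock of ldap_simple_bind_s(): fails failures_left times, then succeeds. */
static int mock_simple_bind(mock_conn *c)
{
    c->bind_attempts++;
    if (c->failures_left > 0) {
        c->failures_left--;
        return c->fail_code;
    }
    return LDAP_SUCCESS;
}

/* Mock of unbind + fresh ldap_init(): drops the stale socket. */
static void mock_reconnect(mock_conn *c)
{
    c->reconnects++;
}

/* Is this bind failure a stale-connection condition worth one more try?
 * Unpatched: only LDAP_SERVER_DOWN.  Patched: LDAP_UNAVAILABLE as well. */
static bool is_retryable(int rc, bool retry_on_unavailable)
{
    if (rc == LDAP_SERVER_DOWN)
        return true;
    return retry_on_unavailable && rc == LDAP_UNAVAILABLE;
}

/* Bind, reconnecting and rebinding at most MAX_BIND_RETRIES times on a
 * retryable failure.  Returns the final LDAP result code. */
static int bind_with_retry(mock_conn *c, bool retry_on_unavailable)
{
    int retries = 0;
    for (;;) {
        int rc = mock_simple_bind(c);
        if (!is_retryable(rc, retry_on_unavailable) || retries >= MAX_BIND_RETRIES)
            return rc;
        retries++;
        mock_reconnect(c);
    }
}

/* Scenario helpers: final result code / number of bind calls for a server
 * that answers fail_code to the first `failures` binds. */
static int scenario_result(int fail_code, int failures, bool retry_on_unavailable)
{
    mock_conn c = { fail_code, failures, 0, 0 };
    return bind_with_retry(&c, retry_on_unavailable);
}

static int scenario_attempts(int fail_code, int failures, bool retry_on_unavailable)
{
    mock_conn c = { fail_code, failures, 0, 0 };
    bind_with_retry(&c, retry_on_unavailable);
    return c.bind_attempts;
}

int main(void)
{
    printf("SERVER_DOWN, unpatched : rc=0x%02x\n",
           scenario_result(LDAP_SERVER_DOWN, 1, false));
    printf("UNAVAILABLE, unpatched : rc=0x%02x  (-> Internal Server Error)\n",
           scenario_result(LDAP_UNAVAILABLE, 1, false));
    printf("UNAVAILABLE, patched   : rc=0x%02x\n",
           scenario_result(LDAP_UNAVAILABLE, 1, true));
    printf("UNAVAILABLE, persistent: rc=0x%02x after %d binds (bounded)\n",
           scenario_result(LDAP_UNAVAILABLE, 5, true),
           scenario_attempts(LDAP_UNAVAILABLE, 5, true));
    return 0;
}
```

The second scenario is the symptom from the thread: one stale-connection bind failure surfaces as an authentication error to the client. The third shows why comment #2 fixes it, and the fourth shows the property to keep when applying such a patch: a directory that is genuinely unavailable still produces a prompt, bounded failure rather than a retry loop.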
sasha
Joined: 10 Oct 2007 Posts: 4
Posted: Tue 23 Oct '07 17:43 Post subject:
tdonovan wrote:
    re: "It would be great if somebody would prepare a tested mod_ldap module"
    You don't mention which version of Apache you use, or where you got it.
    If you happen to use Apache 2.2.6 built with Visual Studio 2005 (i.e. you use Apache 2.2.6 downloaded from Apache Lounge)
    - perhaps you would be willing to do the testing yourself?
    The change described in Bug 39095 Comment #2 is pretty trivial. Building a new mod_ldap.so and mod_authnz_ldap.so with VS2005 is no problem.
    I don't use AD, so testing this change is something you would need to do.
    Interested?
    -tom-
We use Apache 2.2.4 WITH SSL built with VS2005 (i.e. httpd-2.2.4-win32-x86-ssl.zip download from Apache Lounge).
Indeed I would be willing and delighted to do the testing and afterwards inform the community if all works as expected. I understand that the change is trivial, but we do not use VS2005, so if somebody (Tom?) can prepare the two modules I will certainly do the testing and report about the outcome. Would prefer to stay with 2.2.4 for the time being; is this a problem?
Thanks in advance!
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
sasha
Joined: 10 Oct 2007 Posts: 4
Posted: Wed 24 Oct '07 11:46 Post subject:
Thanks for this Tom!
I replaced the two mentioned modules (mod_authnz_ldap.so & mod_ldap.so) built with the change Bug 39095 Comment #2. Since there is indeed a very minor change in mod_ldap from Apache 2.2.4 to 2.2.6, I decided to deploy and test the Apache 2.2.6 fix version on our Apache 2.2.4 installation.
The first outcome after rather superficial testing is positive. If all goes well in the next days, I will deploy the patch in our production Apache installation and after more thorough testing/observation (i.e. after the patch is applied, sporadic "Internal Server" errors should not be reported again, and clearly other unwanted side effects should not happen either) will post the results in this forum - please be patient for 1-2 weeks; we want to be sure that this fix works 100%!
sasha
Joined: 10 Oct 2007 Posts: 4
Posted: Tue 30 Oct '07 9:46 Post subject:
I can confirm that the patch works 100% (at least for us) - the Apache 2.2.6 fix version works w/o problems with our Apache 2.2.4 installation.
Since we applied the mentioned modification we did not get a single "Internal Server" error.
Once again, thank you Tom for building the modules!
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Tue 30 Oct '07 19:10 Post subject:
That's great!
Perhaps you could add another comment to Bug 39095 noting your positive results.
It would be helpful to attach the patch file that you tested with (file ldap_fix.patch in the Apache 2.2.6 fix .zip file), to make it clear exactly what was changed.
Be sure to check the patch box when you create the attachment, and also add the Keyword PatchAvailable to the bug in Bugzilla.
This can encourage the developers to prioritize the bug.
-tom-
anneb
Joined: 01 Dec 2007 Posts: 1 Location: Amsterdam
Posted: Sat 01 Dec '07 3:42 Post subject: binary patch for apache httpd-2.2.6-win32_asf build
Hi,
thanks for the patch. Unfortunately, the ApacheLounge binary patch does not work with the Apache Software Foundation (ASF) 2.2.6 VC6 binary build.
Error message:
httpd.exe: Syntax error on line xxx of conf/httpd.conf: Cannot load modules/mod_ldap.so into server: This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
Possible solutions:
Solution #1: download and install the VC2005 build from Apache Lounge
OR
Solution #2: download the 2.2.6 apache source code, download the Microsoft Platform SDK for Windows Server 2003 R2, load the project into Visual Studio 6, add SDK include and lib directories to the project, apply the patch to the source code and build mod_authnz_ldap.so and mod_ldap.so
OR
Solution #3: download the VC6 version binary of the patch from http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
RSchone
Joined: 06 Dec 2007 Posts: 4
Posted: Thu 20 Dec '07 1:05 Post subject: I am having this same problem.
I am running Apache 2.2.4 on Windows XP with the following configuration in my httpd.conf file.
LoadModule ssl_module modules/mod_ssl.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LDAPTrustedGlobalCert CERT_DER certs/dslx1.der
<Directory "C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\webDocs">
AuthType basic
AuthBasicProvider ldap
AuthName "REALM"
AuthLDAPURL ldaps://server.med.utah.edu:636/?uid?sub?(objectClass=*)
AuthLDAPBindDN cn=User,ou=Admin,o=UHSC
AuthLDAPBindPassword MyPassword
AuthzLDAPAuthoritative on
AuthLDAPRemoteUserIsDN off
require valid-user
</Directory>
When I startup my server I receive the following message in the log files.
[debug] mod_authnz_ldap.c(876): [5476] auth_ldap url parse: `ldaps://dslx1.med.utah.edu:636/?uid?sub?(objectClass=*)'
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(885): [5476] auth_ldap url parse: Host: server.med.utah.edu:636
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(887): [5476] auth_ldap url parse: Port: 636
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(889): [5476] auth_ldap url parse: DN:
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(891): [5476] auth_ldap url parse: attrib: uid
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(893): [5476] auth_ldap url parse: scope: subtree
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(898): [5476] auth_ldap url parse: filter: (objectClass=*)
[Wed Dec 19 15:50:48 2007] [debug] mod_authnz_ldap.c(972): LDAP: auth_ldap using SSL connections
[Wed Dec 19 15:50:48 2007] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Dec 19 15:50:48 2007] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Wed Dec 19 15:50:48 2007] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Wed Dec 19 15:50:48 2007] [info] Init: Initializing (virtual) servers for SSL
[Wed Dec 19 15:50:48 2007] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.8e
[Wed Dec 19 15:50:48 2007] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Wed Dec 19 15:50:48 2007] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
When I try to login to the directory, I receive the following error message in the log file.
URI /webDocs [LDAP: ldap_simple_bind_s() failed][Server Down]
I am using authnz_ldap_module dated December 1, 2007 and ldap_module dated December 1, 2007. I retrieved the updates from
http://www.anneb.dds.nl/httpd-2.2.6_ldappatch_win32_vc6.zip
Any suggestions on why this is not working?
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Thu 20 Dec '07 4:22 Post subject:
This doesn't seem to be the same as Apache Bug 39095 where working (non-SSL) connections fail after some time.
The problem may be your LDAPTrustedGlobalCert directive:
LDAPTrustedGlobalCert CERT_DER certs/dslx1.der
I don't think you want to use this directive on Windows.
For LDAP on Windows, certificates must be in the Windows Registry - not in certificate files.
There is a note in the mod_ldap docs about this.
-tom-
RSchone
Joined: 06 Dec 2007 Posts: 4
Posted: Thu 20 Dec '07 17:46 Post subject: Removed the Cert
I removed the cert and imported it into my system through IE. I am still seeing the same problem. Does anyone know how to import that cert on Windows XP?
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Fri 21 Dec '07 21:46 Post subject:
re "I removed the cert ... I am still seeing the same problem"
You completely removed the LDAPTrustedGlobalCert directive from your httpd.conf, and you are still seeing this message in your log?
LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.
-tom-
Jacek Lyszkowski
Joined: 06 Jan 2009 Posts: 1 Location: Warszawa
Posted: Tue 06 Jan '09 21:33 Post subject: Confusing error message and importing cert
I had the same problem. The message in the log appears even with no directives pointing to client or trusted certs. Maybe the problem is with calling routine option_set_cert (see: http://svn.apache.org/repos/asf/apr/apr-util/trunk/ldap/apr_ldap_option.c). Probably it is called always when directive LDAPVerifyServerCert is set to "on" (which is the default). And it should be called only when there are any certs to process (argument invalue contains any entries).
Anyway, in Windows, the above error should not affect SSL connections to the LDAP server, because Windows uses system cert stores to verify the LDAP server certificate.
My configuration is Win2003 with the same Apache modules loaded. Apache is 2.2.11, but it should not matter. Apache runs as a service on the system account. I've imported the trusted certificate to "Trusted Root Certification Authorities" for "Computer Account". This is important - import by IE probably stored the cert for "My User Account" or "Service Account". This can be a reason - previously I've imported the cert by double-clicking on it and it was stored for "My User Account". In this case the error remained and Apache could not connect to LDAP by SSL ("Server down"). After importing the cert for "Computer Account", the connection over SSL works fine (although the log message "LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead." is still generated).
When Apache runs on a user account (non system) or is not a service, then maybe importing the cert for this "User Account" would be enough, but I haven't tested this yet.
To import a cert to "Computer Account" you have to run Microsoft Management Console (mmc.exe). Then add the certificates snap-in (File->Add/Remove snap-in...->Add..., then choose "Certificates" from the list, then Add... and then choose the proper Account - in my case "Computer Account"). Then Next, Close, OK and so on... Then (in the mmc window tree) you have to expand "Trusted Root Certification Authorities" and right click on "Certificates". Then All tasks->Import...
The above import procedure should work also on XP, but I haven't tested Apache on it.
Hope it will help :)