Topic: Apache 2.4: LDAP authentication very slow

mahohmei
Joined: 03 Feb 2020 | Posts: 1 | Location: USA, Tallahassee, FL
Posted: Mon 03 Feb '20 15:13
Post subject: Apache 2.4: LDAP authentication very slow
Apache 2.4.6
RHEL 7.7
This is a pretty new (about a week old) problem. My department Intranet uses authentication against the university's Active Directory environment, and authentication for end-users takes over 30 seconds. Subsequent page loads are nearly instant, and after 15-30 minutes, the problem is back.
```apache
<Directory /var/www/html/intranet>
    AuthType Basic
    AuthName "Restricted files"
    AuthBasicProvider ldap
    AuthLDAPBindDN CN=dept-binder,OU=Generic-Logon,OU=Generic,DC=example,DC=edu
    AuthLDAPBindPassword lamepassword
    AuthLDAPURL ldaps://ldap-ad.example.edu:636/dc=example,dc=edu?sAMAccountName?sub
    <RequireAny>
        Require ldap-group CN=ug-dept-intranet,OU=Department,OU=Dept-Groups,DC=example,DC=edu
    </RequireAny>
</Directory>
```
Here are some relevant lines from error_log, showing an authentication taking 37 seconds:
```
AH02034: Initial (No.1) HTTPS request received for child 36 (server dept.example.edu:443)
AH01626: authorization result of Require ldap-group CN=ug-psy-employees,OU=Dynamic,OU=Psychology,OU=FSU-Dept-Groups,DC=fsu,DC=edu: denied (no authenticated user yet)
AH01626: authorization result of Require ldap-group CN=ug-dept-intranet,OU=Dept,OU=Dept-Groups,DC=example,DC=edu: denied (no authenticated user yet)
AH01691: auth_ldap authenticate: using URL ldaps://ldap-ad.example.edu:636/dc=example,dc=edu?sAMAccountName?sub
AH02001: Connection closed to child 11 with standard shutdown (server dept.example.edu:443)
# 37 seconds pass
AH01697: auth_ldap authenticate: accepting jsmith
AH01713: auth_ldap authorize: require group: testing for group membership in "CN=ug-dept-intranet,OU=Department,OU=Dept-Groups,DC=example,DC=edu"
AH01714: auth_ldap authorize: require group: testing for member: CN=jsmith,OU=PEOPLE,DC=example,DC=edu (CN=ug-dept-intranet,OU=Department,OU=Dept-Groups,DC=example,DC=edu)
AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (adding to cache)][6 - Compare True]
```
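The log excerpt above has no timestamps, so the 37 seconds had to be read off by hand. One way to measure that gap systematically is to pair each AH01691 (lookup started) with the following AH01697 (user accepted) on the same worker thread and report the elapsed time. The script below is an added example, not part of the thread; it assumes the default Apache 2.4 ErrorLogFormat with LogLevel authnz_ldap:debug, and the log lines embedded in it are constructed samples, not the poster's log.

```python
import re
from datetime import datetime

# Default Apache 2.4 ErrorLogFormat as written with "LogLevel authnz_ldap:debug".
# The "mod_authnz_ldap.c(NNN):" and "[client ...]" fields only appear at debug
# level, so both are optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\S+: )?(?:\[client (?P<client>[^\]]+)\] )?(?P<code>AH\d{5}): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def auth_latencies(lines):
    """Pair each AH01691 (LDAP lookup started) with the next AH01697 (user
    accepted) on the same worker thread; return (client, user, seconds)."""
    started = {}  # (pid, tid) -> (start timestamp, client)
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["pid"], m["tid"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        if m["code"] == "AH01691":
            started[key] = (ts, m["client"])
        elif m["code"] == "AH01697" and key in started:
            t0, client = started.pop(key)
            user = m["msg"].rsplit(" ", 1)[-1]  # "... accepting jsmith"
            results.append((client, user, (ts - t0).total_seconds()))
    return results


def slow_auths(lines, threshold=5.0):
    """Only the lookups that exceeded `threshold` seconds (likely timeouts)."""
    return [r for r in auth_latencies(lines) if r[2] > threshold]


# Constructed sample log: one 37-second lookup like the one in the post, then a
# second request that is answered from mod_ldap's cache almost instantly.
SAMPLE_LOG = """\
[Mon Feb 03 15:12:20.100000 2020] [authnz_ldap:debug] [pid 2214:tid 139] mod_authnz_ldap.c(520): [client 10.1.2.3:50412] AH01691: auth_ldap authenticate: using URL ldaps://ldap-ad.example.edu:636/dc=example,dc=edu?sAMAccountName?sub
[Mon Feb 03 15:12:57.100000 2020] [authnz_ldap:debug] [pid 2214:tid 139] mod_authnz_ldap.c(590): [client 10.1.2.3:50412] AH01697: auth_ldap authenticate: accepting jsmith
[Mon Feb 03 15:13:05.000000 2020] [authnz_ldap:debug] [pid 2214:tid 140] mod_authnz_ldap.c(520): [client 10.1.2.3:50413] AH01691: auth_ldap authenticate: using URL ldaps://ldap-ad.example.edu:636/dc=example,dc=edu?sAMAccountName?sub
[Mon Feb 03 15:13:05.020000 2020] [authnz_ldap:debug] [pid 2214:tid 140] mod_authnz_ldap.c(590): [client 10.1.2.3:50413] AH01697: auth_ldap authenticate: accepting jsmith
""".splitlines()

if __name__ == "__main__":
    for client, user, secs in slow_auths(SAMPLE_LOG):
        print(f"{client} {user}: LDAP authentication took {secs:.1f}s")
```

A run of lookups that all take about the same number of seconds (here ~30) points at a timeout, for example a connect or referral that never answers, rather than at a slow directory.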
mraddi
Joined: 27 Jun 2016 | Posts: 152 | Location: Schömberg, Baden-Württemberg, Germany
Posted: Sat 08 Feb '20 8:00
Hello,
Sounds like a timeout of ~30 seconds which is cached for 15-30 minutes. It would be interesting to see what is going on on the wire within these 30 seconds (tcpdump/Wireshark).
Within my text-LDAP-config I have three additional lines, where the last one was commented as "to be used with apache2.4", but I can't remember why I added this comment:
```apache
AuthLDAPRemoteUserIsDN On
AuthLDAPBindAuthoritative On
LDAPReferrals Off
```
Maybe you can check whether these config lines help, or what happens between your web server and the LDAP server (looks like a Windows AD server)?
Best regards
Matthias
marek_g
Joined: 07 Mar 2021 | Posts: 1 | Location: Warsaw, Poland
Posted: Sun 07 Mar '21 23:27
I've had exactly the same problem on Fedora 33 with Apache 2.4 and I've solved it by adding
```apache
LDAPConnectionTimeout 1
```
to the Apache global configuration:
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html
I'm using LDAP with TLS and I suspect that the delay was caused by Apache trying to verify the Active Directory/DC certificate.