Greetings,

I understand that apache2, using the authnz_ldap module, prefers to
maintain persistent connections to a given LDAP server.  While this is
contrary to the way LDAP is intended to be used (e.g., connections without
the UNBIND operation), I am ok with this.

Our LDAP servers themselves have no timeout, nor a timelimit, on
operations.  Doing a persistent bind against the LDAP server in question
(by hand) produces a connection that persists as long as necessary.

Apache2, however, feels differently. When pointed directly at an LDAP
server, after some time, we see this (and users begin complaining):

[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/

Invariably, restarting apache2 fixes the problem, but it always returns.

HOWEVER, if we take LDAP StartTLS out of the equation, and we use something
like stunnel4 (thereby telling apache2 to "not worry about using encryption
while talking to LDAP"), the problem goes away and does not return.  I'll
point out that the LDAP server-side SSL certificates are legitimate, are
not expired, and are used by other things that require certificates to be
in-order.

We are stumped.

Our LDAP-related apache2 configuration (which generates no errors upon
launch or configtest):

## /etc/apache2/sites-available/svn

LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<VirtualHost *:80>

   ServerAdmin webmas...@example.com
   ServerName svn.example.com

   RewriteEngine on
   RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

   ErrorLog /var/log/apache2/error.log
   CustomLog /var/log/apache2/access.log combined

</VirtualHost>


<VirtualHost *:443>

   ServerAdmin webmas...@example.com
   ServerName svn.example.com

   DocumentRoot /var/www

   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
   SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
   SSLCACertificateFile         /etc/ssl/certs/ca-example.cert
   RewriteEngine on
   RewriteCond %{SERVER_NAME} !=svn.example.com
   RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]

   ErrorLog /var/log/apache2/error.log
   CustomLog /var/log/apache2/access.log combined

 <Location /cache-info>
     SetHandler ldap-status
 </Location>

 <Location /repo>
     DAV svn
     SVNPath /repo/svn
     AuthType Basic
     AuthName "Our Repository"
     AuthBasicProvider ldap
     AuthzLDAPAuthoritative off
     AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
     AuthLDAPBindPassword password
     AuthLDAPURL ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*)) STARTTLS
     Require valid-user
 </Location>

</VirtualHost>

Modules loaded:

alias.load
auth_basic.load
authn_file.load
authnz_ldap.load
authz_default.load
authz_groupfile.load
authz_host.load
authz_user.load
autoindex.load
cgi.load
dav.load
dav_svn.conf
dav_svn.load
dir.conf
dir.load
env.load
ldap.load
mime.load
negotiation.load
rewrite.load
setenvif.load
ssl.load
status.load

We would appreciate some insight into this - thank you.

-GF
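Added example (not part of the original post or of mod_authnz_ldap itself): a small Python parser for auth_ldap failure lines in the format quoted above that separates connection-layer StartTLS failures from ordinary per-user credential failures and groups them by Apache child pid, so the recurrence can be spotted from the error log before users complain. The sample log lines are constructed, and the pid grouping assumes (as with util_ldap's per-process connection cache) that a stale cached connection affects every user served by that child.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real log data) in the format quoted in the post.
SAMPLE_LOG = """\
[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[client 192.168.168.41] [18485] auth_ldap authenticate: user ann authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
[client 192.168.168.42] [18490] auth_ldap authenticate: user bob authentication failed; URI /repo/ [LDAP: ldap_simple_bind_s() failed][Invalid credentials], referer: https://svn.example.com/
[client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
"""

LINE_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] auth_ldap authenticate: "
    r"user (?P<user>\S+) authentication failed; URI (?P<uri>\S+) "
    r"\[(?P<reason>[^\]]*)\]\[(?P<detail>[^\]]*)\]"
)

def parse_line(line):
    """Return the fields of one auth_ldap failure line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_connection_failure(rec):
    """True when the failure is at the LDAP connection / StartTLS layer, not the user's credentials."""
    return "ldap_start_tls_s() failed" in rec["reason"] or rec["detail"] == "Connect error"

def find_stale_connections(lines, min_failures=2):
    """Group connection-layer failures by Apache child pid.

    Heuristic (assumption): a child whose cached LDAP connection has gone stale
    fails StartTLS for every user it serves, so repeated connect failures under
    one pid, across distinct users, is the signature to alert on. A lone
    'Invalid credentials' for one user is a credential problem, not this bug.
    """
    per_pid = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_connection_failure(rec):
            continue
        per_pid[rec["pid"]]["failures"] += 1
        per_pid[rec["pid"]]["users"].add(rec["user"])
    return {
        pid: {"failures": v["failures"], "users": sorted(v["users"])}
        for pid, v in per_pid.items()
        if v["failures"] >= min_failures
    }

if __name__ == "__main__":
    for pid, info in find_stale_connections(SAMPLE_LOG.splitlines()).items():
        print(f"pid {pid}: {info['failures']} StartTLS connect failures for users {info['users']}")
```

Feed it the real error.log (minus the timestamp prefix the regex skips over) to see whether failures cluster under a few long-lived child pids, which is what a stale persistent connection looks like.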
