Hi,
We encounter a problem with an apache server in our system, when
failing authentication with an Active Directory server.
Environment:
Suse linux ( kernel: vmlinuz-2.6.5-7.97-bigsmp )
apache 2.0.54, one patch applied ( attached )
openldap2-2.2.6-37.rpm
( integrated with subversion 1.2.0 )
integrated with Active Directory
Description:
Apache is providing DAV & authentication services in our subversion
setup. For authentication, an external Active Directory is queried.
This runs very well, except some random crashes as described here.
Problem is, that at certain moments in time an httpd process will
crash: child pid 19732 exit signal Segmentation fault (11)
The way to reproduce it:
1. With a web browser, access a file that needs authentication ( in our
case, in the subversion repository )
2. Provide a non-existent user and password
3. Apache will look up the user on the AD server, but this will fail
( normally ), asking the user again for user & password.
4. Do another request ( user & password you type is not important here )
5. The process handling request of step 1 will crash.
This problem doesn't happen very often, a few times a day for 50 users,
but has a lot of impact, since it can happen on a long-running commit
to the subversion repository.
I've searched in bug reports and mailing lists, but didn't find anything
that resembled this problem. It seems to be related to freeing up
resources?
If anybody has a patch, or a way to workaround this problem, please let
me know.
I see that more of these types of problem reports exist, and people are
urged to wait for apache 2.1, which is now in beta. Can anyone tell me
when it is supposed to be released?
regards,
Lieven.
Extract from the error.log file:
--------------------------------
[Thu Jun 23 16:19:35 2005] [warn] [client 10.102.65.39] [10137] auth_ldap authenticate: user govaerl authentication failed; URI /svn/test/trunk/test.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:19:35 2005] [warn] [client 10.102.65.39] [9168] auth_ldap authenticate: user govaerl authentication failed; URI /svn/test/trunk/test.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:19:35 2005] [notice] child pid 10137 exit signal Segmentation fault (11)
[Thu Jun 23 16:21:04 2005] [warn] [client 10.102.65.39] [19732] auth_ldap authenticate: user govaerl authentication failed; URI /svn/test/trunk/test.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:21:04 2005] [warn] [client 10.102.65.39] [19733] auth_ldap authenticate: user govaerl authentication failed; URI /svn/test/trunk/test.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:21:04 2005] [warn] [client 10.102.65.39] [19733] auth_ldap authenticate: user govaerl authentication failed; URI /svn/test/trunk/test.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:21:04 2005] [notice] child pid 19732 exit signal Segmentation fault (11)
Extract from httpd.conf:
------------------------
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn>
DAV svn
SVNParentPath /test/repos
# access control policy
AuthzSVNAccessFile /test/svnaccess.conf
# try anonymous access first, resort to real authentication if necessary
Satisfy Any
Require valid-user
# LDAP authentication
AuthType Basic
AuthName "Subversion Repository"
AuthLDAPEnabled on
AuthLDAPURL "XXXXXXXXXXXXXXXX"
AuthLDAPAuthoritative on
AuthLDAPBindDN "XXXXXXXXXXXXXX"
AuthLDAPBindPassword xxxxxxxxxxx
Require valid-user
</Location>
Index: util_ldap.c
===================================================================
--- util_ldap.c (revision 165194)
+++ util_ldap.c (working copy)
@@ -241,6 +241,8 @@
int result = 0;
int failures = 0;
int version = LDAP_VERSION3;
+ int rc = LDAP_SUCCESS;
+ struct timeval timeOut = {10,0}; /* 10 second connection timeout */
util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(
r->server->module_config, &ldap_module); @@
-317,6 +319,19 @@
/* always default to LDAP V3 */
ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ if (st->connectionTimeout > 0) {
+ timeOut.tv_sec = st->connectionTimeout;
+ }
+
+ if (st->connectionTimeout >= 0) {
+ rc = ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, (void
*)&timeOut);
+ if (APR_SUCCESS != rc) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "LDAP: Could not set the connection timeout"
);
+ }
+ }
+#endif
}
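Review bot: In the added `#ifdef LDAP_OPT_NETWORK_TIMEOUT` block, `ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, ...)` still passes a NULL handle although the line directly above configures `ldc->ldap`, so every connection setup rewrites the library-wide default from request context instead of setting the option on the handle in use; consider passing `ldc->ldap` here. The result is also compared with `APR_SUCCESS` while `rc` is initialised to `LDAP_SUCCESS` in the declaration hunk above; compare against `LDAP_SUCCESS`, and include the LDAP error text for `rc` (for example via `ldap_err2string(rc)`) in the log message so a failure can be diagnosed.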
@@ -1405,7 +1420,6 @@
void *data;
const char *userdata_key = "util_ldap_init";
- struct timeval timeOut = {10,0}; /* 10 second connection timeout */
/* util_ldap_post_config() will be called twice. Don't bother
* going through all of the initialization on the first call @@ -1630,20
+1644,6 @@
"LDAP: SSL support unavailable" );
}
-#ifdef LDAP_OPT_NETWORK_TIMEOUT
- if (st->connectionTimeout > 0) {
- timeOut.tv_sec = st->connectionTimeout;
- }
-
- if (st->connectionTimeout >= 0) {
- rc = ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, (void *)&timeOut);
- if (APR_SUCCESS != rc) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "LDAP: Could not set the connection timeout" );
- }
- }
-#endif
-
return(OK);
}
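Review bot: Removing the `LDAP_OPT_NETWORK_TIMEOUT` block from `util_ldap_post_config()` means a timeout that cannot be set is no longer reported once at startup against `s`, only later on each connection setup, and nothing in the patch says why the call had to move when it is otherwise unchanged (same NULL handle, same `timeOut` default of 10 seconds). Please add a comment at the new location stating the reason, and check whether `rc` in this function is still used after the removal so it does not become an unused variable.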
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
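An added example, not part of the original message: a small triage script that correlates `auth_ldap` bind failures with child segfaults by pid, to measure how often the crash pattern in the report occurs. It assumes one entry per line in `error_log`; the sample entries, the function name and the 5-second window are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the Apache 2.0 error_log format quoted in the report
# (addresses, users, URIs and pids are made up).
SAMPLE_LOG = """\
[Thu Jun 23 16:19:35 2005] [warn] [client 192.0.2.10] [4101] auth_ldap authenticate: user alice authentication failed; URI /svn/test/trunk/a.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:19:36 2005] [warn] [client 192.0.2.10] [4102] auth_ldap authenticate: user alice authentication failed; URI /svn/test/trunk/a.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 16:19:36 2005] [notice] child pid 4101 exit signal Segmentation fault (11)
[Thu Jun 23 16:40:00 2005] [notice] child pid 4200 exit signal Segmentation fault (11)
[Thu Jun 23 17:05:10 2005] [warn] [client 192.0.2.11] [4300] auth_ldap authenticate: user bob authentication failed; URI /svn/test/b.txt [ldap_simple_bind_s() to check user credentials failed][Invalid credentials]
[Thu Jun 23 17:30:00 2005] [notice] child pid 4300 exit signal Segmentation fault (11)
"""

TS = r"\[(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\]"
AUTH_FAIL = re.compile(
    TS + r" \[warn\] \[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap authenticate: user (?P<user>\S+) authentication failed; URI (?P<uri>\S+)")
SEGV = re.compile(TS + r" \[notice\] child pid (?P<pid>\d+) exit signal Segmentation fault")

def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def crashes_after_auth_failure(lines, window_seconds=5):
    """Return (pid, user, uri, gap_seconds) for each segfaulted child that
    logged an auth_ldap failure at most window_seconds before it died."""
    last_failure = {}  # pid -> (timestamp, user, uri) of its most recent failure
    hits = []
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            last_failure[m["pid"]] = (parse_ts(m["ts"]), m["user"], m["uri"])
            continue
        m = SEGV.match(line)
        if m:
            seen = last_failure.pop(m["pid"], None)  # pids are reused: forget on exit
            if seen:
                gap = (parse_ts(m["ts"]) - seen[0]).total_seconds()
                if 0 <= gap <= window_seconds:
                    hits.append((int(m["pid"]), seen[1], seen[2], int(gap)))
    return hits

if __name__ == "__main__":
    for hit in crashes_after_auth_failure(SAMPLE_LOG.splitlines()):
        print("pid %d crashed %ds after failed bind for %s on %s" % (hit[0], hit[3], hit[1], hit[2]))
```

Children that segfault without a recent bind failure (pid 4200 in the sample) are left out, which separates this crash pattern from unrelated ones.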