Hello,
I've been stuck with a problem where LDAP hangs when it's trying to
authenticate.
I'm running Apache on Ubuntu 8.04, Hardy Heron. This problem occurs with
the Ubuntu version (both 32 and 64 bit) as well as compiled directly from
source. I can produce the problem in Apache 2.2.8 (from Ubuntu) and 2.2.10
(compiled from source). I posted about the problem on ubuntuforums.org a
few weeks ago but I didn't get any useful responses. I've searched the web
multiple times. Tonight I downloaded the source and built it, and I still
have the problem.
I've a <Location> in a certain site that needs to be ldap authenticated. It
doesn't get authenticated. Here is the location:
------------------------------
<Location /blah>
AuthzLDAPAuthoritative Off
AuthName "EWB Documents"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "cn=ewb,ou=Service Accounts,dc=rice,dc=edu"
AuthLDAPBindPassword *********
AuthLDAPURL "ldaps://ldap.rice.edu:636/ou=People,dc=rice,dc=edu?uid"
<Limit GET POST PROPFIND OPTIONS REPORT>
Require valid-user
</Limit>
</Location>
------------------------------
When I browse to http://site/blah, I get prompted for my username and
password. I've confirmed that this <Location> configuration is causing the
prompt, since when I remove the <Location>, I don't get prompted for a
username and password. After I type my username and password in and click
OK, nothing happens on the browser side. I can watch my browser send my
credentials back the server, and I can see the beginning of an LDAP
conversation using wireshark on the server. However, after the conversation
begins, it abruptly stops, and nothing happens. It just sits there.
I tested logging into the LDAP with a variation of the following (using a
hostname and port, but I don't remember the format and switches now):
Code:
ldapsearch -x -W -D "cn=ewb,ou=service accounts,dc=rice,dc=edu" -b
"ou=People,dc=rice,dc=edu" '(uid=XYZ)'
It prompts me for my password (the ***s in the above apache configuration),
then finds the user named XYZ.
So, in summary I can connect via ldaps and lookup a user at the command
line, but somewhere, apache fails.
I turned logging in apache to debug, and discovered that ldap doesn't log
much:
Code:
[Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory:
mod_mime_magic: can't read magic file /etc/apache2/conf/magic
[Wed Sep 17 20:07:10 2008] [notice] suEXEC mechanism enabled (wrapper:
/usr/lib/apache2/suexec)
[Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes of
entropy
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA private
keys (512/1024 bits)
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) servers for
SSL
[Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against Server:
Apache/2.2.8, Library: OpenSSL/0.9.8g
[Wed Sep 17 20:07:10 2008] [error] (2)No such file or directory:
mod_mime_magic: can't read magic file /etc/apache2/conf/magic
[Wed Sep 17 20:07:10 2008] [notice] Digest: generating secret for digest
authentication ...
[Wed Sep 17 20:07:10 2008] [notice] Digest: done
[Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging Shared
Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: ewb.rice.edu
[Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging Shared
Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: wiki.ewb.rice.edu
[Wed Sep 17 20:07:10 2008] [debug] util_ldap.c(1977): LDAP merging Shared
Cache conf: shm=0x80f2188 rmm=0x80f21b8 for VHOST: ewb.rice.edu
[Wed Sep 17 20:07:10 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Wed Sep 17 20:07:10 2008] [info] LDAP: SSL support available
[Wed Sep 17 20:07:10 2008] [info] Init: Seeding PRNG with 256 bytes of
entropy
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary RSA private
keys (512/1024 bits)
[Wed Sep 17 20:07:10 2008] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(374): shmcb_init
allocated 512000 bytes of shared memory
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(554): entered
shmcb_init_memory()
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(576): for 512000
bytes, recommending 4266 indexes
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(619):
shmcb_init_memory choices follow
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(621): division_mask =
0x1F
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(623): division_offset
= 64
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(625): division_size =
15998
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(627): queue_size =
1604
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(629): index_num = 133
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(631): index_offset = 8
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(633): index_size = 12
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(635):
cache_data_offset = 8
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(637): cache_data_size
= 14386
[Wed Sep 17 20:07:10 2008] [debug] ssl_scache_shmcb.c(650): leaving
shmcb_init_memory()
[Wed Sep 17 20:07:10 2008] [info] Shared memory session cache initialised
[Wed Sep 17 20:07:10 2008] [info] Init: Initializing (virtual) servers for
SSL
[Wed Sep 17 20:07:10 2008] [info] mod_ssl/2.2.8 compiled against Server:
Apache/2.2.8, Library: OpenSSL/0.9.8g
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24788 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24788 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24789 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24789 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24790 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24790 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24791 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24791 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24792 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24792 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24793 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24793 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24794 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24794 for (*)
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1670): proxy: grabbed
scoreboard slot 0 in child 24795 for worker proxy:reverse
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1689): proxy: worker
proxy:reverse already initialized
[Wed Sep 17 20:07:10 2008] [debug] proxy_util.c(1778): proxy: initialized
single connection worker 0 in child 24795 for (*)
[Wed Sep 17 20:07:10 2008] [notice] Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6
PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
mod_perl/2.0.3 Perl/v5.8.8 configu
red -- resuming normal operations
Nothing is logged in the error log when I try to load the page requiring my
username and password.
Now here is where it gets a bit more complicated: If it's hanging waiting to
authenticate and I restart apache, the authentication succeeds, then apache
restarts just fine.
I don't know very much about the LDAP server. I know there are a number of
machines with apache that successfully authenticate against this ldap.
Has anyone had problems like this? Please help me. I can't find anyone who
knows enough about apache and ldap. I've been working at this for weeks now.
Thank you.
- Mike Benza
