I expect a response to this. I submitted this over a month ago. Get with the program and answer.
On Mon, Apr 16, 2012 at 8:19 PM, Grope Fruit <gropefr...@gmail.com> wrote:
> Greetings,
>
> I understand that apache2, using the authnz_ldap module, prefers to maintain persistent connections to a given LDAP server. While this is contrary to the way LDAP is intended to be used (e.g: connections without the UNBIND operation), I am ok with this.
>
> Our LDAP servers themselves have no timeout, nor a timelimit, on operations. Doing a persistent bind against the LDAP server in question, (by hand) produces a connection that persists as long as necessary.
>
> Apache2, however, feels differently. When pointed directly at an LDAP server, after some time, we see this (and users begin complaining):
>
> [client 192.168.168.40] [18485] auth_ldap authenticate: user joe authentication failed; URI /repo/ [LDAP: ldap_start_tls_s() failed][Connect error], referer: https://svn.example.com/
>
> Invariably restarting apache2 fixes the problem, but it always returns.
>
> HOWEVER, if we take LDAP StartTLS out of the equation, and we use something like stunnel4 (thereby telling apache2 to "not worry about using encryption while talking to LDAP"), the problem goes away and does not return. I'll point out that the LDAP server-side SSL certificates are legitimate, are not expired, and are used by other things that require certificates to be in-order.
>
> We are stumped.
>
> Our LDAP-related apache2 configuration (which generates no errors upon launch, nor configtest):
>
> ## /etc/apache2/sites-available/svn
>
> LDAPSharedCacheSize 500000
> LDAPCacheEntries 1024
> LDAPCacheTTL 600
> LDAPOpCacheEntries 1024
> LDAPOpCacheTTL 600
>
> <VirtualHost *:80>
>
>     ServerAdmin webmas...@example.com
>     ServerName svn.example.com
>
>     RewriteEngine on
>     RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
>
>     ErrorLog /var/log/apache2/error.log
>     CustomLog /var/log/apache2/access.log combined
>
> </VirtualHost>
>
>
> <VirtualHost *:443>
>
>     ServerAdmin webmas...@example.com
>     ServerName svn.example.com
>
>     DocumentRoot /var/www
>
>     SSLEngine on
>     SSLCertificateFile /etc/ssl/certs/wildcard.example.com.crt
>     SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
>     SSLCACertificateFile /etc/ssl/certs/ca-example.cert
>     RewriteEngine on
>     RewriteCond %{SERVER_NAME} !=svn.example.com
>     RewriteRule ^/(.*)$ https://svn.example.com/$1 [R,L]
>
>     ErrorLog /var/log/apache2/error.log
>     CustomLog /var/log/apache2/access.log combined
>
>     <Location /cache-info>
>         SetHandler ldap-status
>     </Location>
>
>     <Location /repo>
>         DAV svn
>         SVNPath /repo/svn
>         AuthType Basic
>         AuthName "Our Repository"
>         AuthBasicProvider ldap
>         AuthzLDAPAuthoritative off
>         AuthLDAPBinddn uid=admin,cn=users,dc=example,dc=com
>         AuthLDAPBindPassword password
>         AuthLDAPURL ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*)) STARTTLS
>         Require valid-user
>     </Location>
>
> </VirtualHost>
>
> Modules loaded:
>
> alias.load
> auth_basic.load
> authn_file.load
> authnz_ldap.load
> authz_default.load
> authz_groupfile.load
> authz_host.load
> authz_user.load
> autoindex.load
> cgi.load
> dav.load
> dav_svn.conf
> dav_svn.load
> dir.conf
> dir.load
> env.load
> ldap.load
> mime.load
> negotiation.load
> rewrite.load
> setenvif.load
> ssl.load
> status.load
>
> We would appreciate some insight into this - thank you.
>
> -GF
>
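For readers hitting the same `ldap_start_tls_s() failed` symptom, the following is an added configuration example (not from the thread or its author) showing the mod_ldap directives that govern TLS trust and the lifetime of the pooled, persistent connections the post describes. It reuses the paths and URL quoted above; the timeout values are assumptions, and `LDAPConnectionPoolTTL` is only available on Apache 2.4 (2.3.12 and later).

```apache
# Added example, not the thread's configuration.
# Global mod_ldap settings: pin the CA that signs the LDAP server's
# STARTTLS certificate and verify it, instead of relying on the
# system default trust store.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ca-example.cert
LDAPVerifyServerCert On

# Socket connect timeout (seconds); value is an assumption.
LDAPConnectionTimeout 10

# Apache 2.4 only: discard a pooled backend connection that has sat idle
# longer than this many seconds, so a socket silently dropped by a
# firewall or the server is not reused for the next authentication.
# Value is an assumption; default (-1) keeps connections forever.
LDAPConnectionPoolTTL 300

# Same cache sizing as in the post.
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<Location /repo>
    DAV svn
    SVNPath /repo/svn
    AuthType Basic
    AuthName "Our Repository"
    AuthBasicProvider ldap
    AuthLDAPBindDN uid=admin,cn=users,dc=example,dc=com
    AuthLDAPBindPassword password
    # URL from the post; the trailing STARTTLS token upgrades the plain
    # ldap:// connection to TLS before the bind. Quoting keeps the filter
    # intact as a single argument.
    AuthLDAPURL "ldap://the.ldap.server:389/cn=users,dc=example,dc=com??one?(&(objectClass=posixAccount)(|(objectClass=svnUser)(objectClass=svnAdmin))(uid=*))" STARTTLS
    Require valid-user
</Location>

# Expose the connection pool and cache state for diagnosis, as the post
# already does; restrict it to the local host rather than the whole world.
<Location /cache-info>
    SetHandler ldap-status
    Require ip 127.0.0.1
</Location>
```

After changing these, `apachectl configtest` validates the syntax and the `/cache-info` handler shows whether bind failures coincide with long-lived pooled connections.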