Hello all,

I'm doing SSO using auth_kerb_module with Active Directory and authnz_ldap_module as fallback (Apache 2.4, FreeBSD 11.1, Windows Server 2012R2):

PassEnv MACHINE_DNSNAME
PassEnv MACHINE_DOMAINNAME_UPPER
<IfModule auth_kerb_module>
       # Kerberos/SPNEGO SSO against Active Directory; the GSSAPI libraries are
       # loaded explicitly because of where FreeBSD installs them
       LoadFile /usr/lib/libgssapi_krb5.so.10
       LoadFile /usr/lib/libgssapi_spnego.so.10
       AuthType Kerberos
       AuthBasicAuthoritative off
       KrbAuthRealm ${MACHINE_DOMAINNAME_UPPER}
       KrbServiceName HTTP/${MACHINE_DNSNAME}@${MACHINE_DOMAINNAME_UPPER}
       Krb5Keytab /var/www/passwords/auth_kerb.keytab
       KrbMethodNegotiate On
       KrbMethodK5Passwd Off
       KrbSaveCredentials On
       KrbAuthoritative On
       KrbLocalUserMapping On
</IfModule>
<IfModule authnz_ldap_module>
       <IfModule !auth_kerb_module>
               # Without mod_auth_kerb: plain Basic auth against LDAP
               AuthType Basic
               AuthBasicAuthoritative off
               <IfVersion < 2.3>
                       AuthzLDAPAuthoritative on
               </IfVersion>
               AuthBasicProvider ldap
       </IfModule>
       <IfModule auth_kerb_module>
               # With mod_auth_kerb: make it non-authoritative so a failed Negotiate
               # can fall through, and accept Basic passwords via Kerberos
               KrbAuthoritative Off
               KrbMethodK5Passwd On
       </IfModule>
       AuthLDAPURL ldaps://charlieroot.de/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
       # Bind credentials in plaintext in the config; httpd 2.4.5+ can instead
       # read the password from a program via AuthLDAPBindPassword "exec:/path"
       AuthLDAPBindDN "someuser"
       AuthLDAPBindPassword "somepass"
       <IfVersion < 2.3>
               AuthzLDAPAuthoritative on
       </IfVersion>
       AuthLDAPRemoteUserIsDN off
</IfModule>

On a non-domain member this works fine initially, but after a certain time I get an error that the LDAP server cannot be contacted anymore (it is definitely available):

[helmut@BSDHelmut ~]$ sudo tail -100f /var/www/logs/error_log | grep ldap
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685344768] mod_authz_core.c(806): [client 192.168.124.200:58889] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no authenticated user yet), referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(518): [client 192.168.124.200:58889] AH01691: auth_ldap authenticate: using URL ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*), referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(615): [client 192.168.124.200:58889] AH01697: auth_ldap authenticate: accepting helmut, referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(915): [client 192.168.124.200:58889] AH01713: auth_ldap authorize: require group: testing for group membership in "CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de", referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(922): [client 192.168.124.200:58889] AH01714: auth_ldap authorize: require group: testing for member: CN=Helmut Ritter,OU=User,OU=mydomain,OU=Organisations,DC=mydomain,DC=de (CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de), referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685344768] mod_authnz_ldap.c(931): [client 192.168.124.200:58889] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (adding to cache)][6 - Compare True], referer: https://nagios.mydomain.local/side.php
Jan 23 15:06:06 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685344768] mod_authz_core.c(806): [client 192.168.124.200:58889] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: granted, referer: https://nagios.mydomain.local/side.php
[...]
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685034752] mod_authz_core.c(806): [client 192.168.124.200:59135] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no authenticated user yet)
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(518): [client 192.168.124.200:59135] AH01691: auth_ldap authenticate: using URL ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(615): [client 192.168.124.200:59135] AH01697: auth_ldap authenticate: accepting helmut
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(915): [client 192.168.124.200:59135] AH01713: auth_ldap authorize: require group: testing for group membership in "CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de"
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(922): [client 192.168.124.200:59135] AH01714: auth_ldap authorize: require group: testing for member: CN=Helmut Ritter,OU=User,OU=mydomain,OU=Organisations,DC=mydomain,DC=de (CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de)
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685034752] mod_authnz_ldap.c(931): [client 192.168.124.200:59135] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True]
Jan 23 15:36:49 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685034752] mod_authz_core.c(806): [client 192.168.124.200:59135] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: granted
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authz_core:debug] [pid 9091:tid 34685027072] mod_authz_core.c(806): [client 192.168.124.200:59146] AH01626: authorization result of Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=de: denied (no authenticated user yet)
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:debug] [pid 9091:tid 34685027072] mod_authnz_ldap.c(518): [client 192.168.124.200:59146] AH01691: auth_ldap authenticate: using URL ldaps://mydomain.local/DC=mydomain,DC=de?sAMAccountName?sub?(objectClass=*)
Jan 23 15:38:21 BSDHelmut httpd[9091]: [authnz_ldap:info] [pid 9091:tid 34685027072] [client 192.168.124.200:59146] AH01695: auth_ldap authenticate: user helmut authentication failed; URI /nagios/cgi-bin/status.cgi [LDAP: ldap_simple_bind() failed][Can't contact LDAP server]
^C
[helmut@BSDHelmut ~]$

Restarting Apache or waiting an hour or so fixes this.

Any ideas?

Thank you!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

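Editor's added example, not part of the original post and not a diagnosis of it: the post does not establish why the pooled LDAPS connection goes stale, but the mod_ldap knobs below are the first things a practitioner would check for a symptom of "Can't contact LDAP server" that clears on restart or after waiting, and they also harden the LDAP side of the setup (certificate verification, redundant DCs, bind password kept out of the config file). The host names dc1/dc2.mydomain.local, the CA file path, the service account DN, the helper program path and the /nagios location are assumptions for illustration; the Kerberos section of the posted config is unchanged and omitted here.

```apacheconf
# --- server-wide mod_ldap settings (server config / vhost context, not per-directory) ---
LDAPSharedCacheSize 500000
LDAPCacheTTL 600
LDAPOpCacheTTL 600
# Discard pooled backend connections older than 5 minutes instead of keeping them
# forever (default -1 = never expire), so a connection dropped by the DC or a
# firewall is not reused for a later bind.
LDAPConnectionPoolTTL 300
# Fail fast on an unreachable DC instead of tying up a worker thread.
LDAPConnectionTimeout 5
LDAPTimeout 10
# Verify the LDAPS server certificate against the domain CA (assumed path).
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/ssl/ad-ca.pem

# --- per-location LDAP auth (assumed location; mirrors the posted fallback) ---
<Location /nagios>
    AuthType Basic
    AuthName "Nagios"
    AuthBasicProvider ldap
    # Two DCs, space-separated in the host part, so one unreachable DC does not
    # break logins (assumed host names).
    AuthLDAPURL "ldaps://dc1.mydomain.local dc2.mydomain.local/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=user)"
    # Dedicated read-only service account (assumed DN) rather than a personal user.
    AuthLDAPBindDN "CN=svc-apache-ldap,OU=Service Accounts,DC=mydomain,DC=local"
    # httpd 2.4.5+: obtain the bind password from a program (assumed path) so it
    # is not stored in the config file.
    AuthLDAPBindPassword "exec:/usr/local/sbin/ldap-bind-password"
    AuthLDAPRemoteUserIsDN off
    Require ldap-group CN=SSO,OU=Common,OU=Organisations,DC=mydomain,DC=local
</Location>
```

The directives in the first block must sit outside any <Directory>/<Location> container; the pool TTL and timeouts apply to every LDAP-using location in the server. If the failures persist with a short LDAPConnectionPoolTTL, the problem is elsewhere (DNS, the DC's own idle-connection limits, or TLS), and raising LogLevel ldap:debug will show which.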