Posted to users@httpd.apache.org by "Mark H. Wood" <mw...@IUPUI.Edu> on 2007/11/12 22:23:05 UTC

[users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

httpd is returning 500 to the client.  Log shows:

[Mon Nov 12 15:59:35 2007] [warn] [client 127.0.0.1] [9159] auth_ldap
authenticate: user mwood authentication failed; URI
/svn/dspace/IDeA/trunk [LDAP: ldap_simple_bind_s() failed][Can't
contact LDAP server]

Tracing the network traffic shows that httpd establishes and then
immediately tears down a connection with the directory service many
times, without ever initiating an LDAP session:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    134.68.190.58         134.68.220.153        TCP      47964 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=57767109 TSER=0 WS=7
      2 0.000643    134.68.220.153        134.68.190.58         TCP      ldaps > 47964 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
      3 0.000729    134.68.190.58         134.68.220.153        TCP      47964 > ldaps [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=57767109 TSER=0
      4 0.010175    134.68.190.58         134.68.220.153        TCP      47964 > ldaps [FIN, ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=57767112 TSER=0
      5 0.010960    134.68.220.153        134.68.190.58         TCP      ldaps > 47964 [ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=1204571 TSER=57767112
      6 0.011068    134.68.220.153        134.68.190.58         TCP      ldaps > 47964 [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=1204571 TSER=57767112
      7 0.011115    134.68.190.58         134.68.220.153        TCP      47964 > ldaps [ACK] Seq=2 Ack=2 Win=5888 Len=0 TSV=57767112 TSER=1204571
      8 0.015227    134.68.190.58         134.68.220.153        TCP      47965 > ldaps [SYN] Seq=0 Len=0 MSS=1460 TSV=57767113 TSER=0 WS=7
      9 0.017070    134.68.220.153        134.68.190.58         TCP      ldaps > 47965 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
     10 0.017185    134.68.190.58         134.68.220.153        TCP      47965 > ldaps [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=57767114 TSER=0
     11 0.017560    134.68.190.58         134.68.220.153        TCP      47965 > ldaps [FIN, ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=57767114 TSER=0
     12 0.017783    134.68.220.153        134.68.190.58         TCP      ldaps > 47965 [ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=1204571 TSER=57767114
     13 0.018750    134.68.220.153        134.68.190.58         TCP      ldaps > 47965 [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=1204571 TSER=57767114

The above continues for about 97 packets total.  Relevant
configuration:

<IfDefine AUTH_LDAP>
<IfModule authnz_ldap_module>
        LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs
</IfModule>
</IfDefine>

<IfDefine SVN>
        <IfModule !mod_dav_svn.c>
                LoadModule dav_svn_module       modules/mod_dav_svn.so
        </IfModule>

        <Location /svn>
                DAV svn
                SVNPath /var/svn

                AuthType Basic
                AuthBasicProvider ldap
                AuthName ADS

                AuthLDAPBindDN	"a DN"
                AuthLDAPBindPassword    "a password"
                AuthLDAPURL	"ldaps://IU-MSSG-ADSDC01.ADS.IU.Edu/ou=Accounts,DC=ads,DC=iu,DC=edu?CN?one?"
                AuthzLDAPAuthoritative  Off

                Require ldap-user user1 user2
                Require ldap-user user3 user4
                Require ldap-user user5 user6 user7
        </Location>

        <Directory /var/svn>
                Order Deny,Allow
                Deny from all
                Allow from localhost 127.0.0.1 ::1
                Allow from johncock.ulib.iupui.edu
                Allow from 134.68.171.0/27
                Allow from 134.68.172.0/24
        </Directory>

        <IfDefine SVN_AUTHZ>
                <IfModule !mod_authz_svn.c>
                        LoadModule authz_svn_module     modules/mod_authz_svn.so
                </IfModule>
        </IfDefine>
</IfDefine>

How to proceed?

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
*sigh*  False alarm.  I attached strace to the httpd processes and saw
that some bit of code gives up immediately when it trips over a broken
symlink in the directory that holds SSL root certificates.
Regenerating the links (via update-ca-certificates -- this is on
Gentoo Linux) cured that problem, and things are working again.

Now I need to track down just which layer of software (OpenLDAP?
OpenSSL? HTTPD?) is failing to report why it gave up.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
Another observation:  I changed the AuthLDAPURL to '"ldap:..." STARTTLS',
gathering from the wording in the manual that mod_authnz_ldap might
only do LDAPS through the Netscape SDK while I'm using OpenLDAP:

     Support for LDAP over SSL (requires the Netscape SDK) or TLS
     (requires the OpenLDAP 2.x SDK or Novell LDAP SDK).

Now the LDAP layer actually speaks.  httpd sends a START_TLS extended
request, and ADS responds positively.  Then, without any attempt to
bind, let alone query, httpd sends an LDAP unbind and begins tearing
down the TCP connection.

No.     Time        Source                Destination           Protocol Info
      1 0.000000    134.68.190.58         134.68.220.153        TCP      45637 > ldap [SYN] Seq=0 Len=0 MSS=1460 TSV=96846395 TSER=0 WS=7
      2 0.000268    134.68.220.153        134.68.190.58         TCP      ldap > 45637 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
      3 0.000331    134.68.190.58         134.68.220.153        TCP      45637 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=96846395 TSER=0
      4 0.001346    134.68.190.58         134.68.220.153        LDAP     
      5 0.001961    134.68.220.153        134.68.190.58         LDAP     extendedResp(1) 
      6 0.002016    134.68.190.58         134.68.220.153        TCP      45637 > ldap [ACK] Seq=32 Ack=47 Win=5888 Len=0 TSV=96846395 TSER=484044
      7 0.003463    134.68.190.58         134.68.220.153        LDAP     unbindRequest(2) 
      8 0.003552    134.68.190.58         134.68.220.153        TCP      45637 > ldap [FIN, ACK] Seq=39 Ack=47 Win=5888 Len=0 TSV=96846396 TSER=484044
      9 0.003784    134.68.220.153        134.68.190.58         TCP      ldap > 45637 [ACK] Seq=47 Ack=40 Win=65497 Len=0 TSV=484044 TSER=96846396
     10 0.003962    134.68.220.153        134.68.190.58         TCP      ldap > 45637 [FIN, ACK] Seq=47 Ack=40 Win=65497 Len=0 TSV=484044 TSER=96846396
     11 0.004009    134.68.190.58         134.68.220.153        TCP      45637 > ldap [ACK] Seq=40 Ack=48 Win=5888 Len=0 TSV=96846396 TSER=484044

It's as though the LDAP auth code gets all set to bind, then discovers
some error which goes totally unreported, and drops the connection as failed.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Tue, Nov 13, 2007 at 09:38:49AM -0500, Eric Covener wrote:
> On Nov 13, 2007 9:24 AM, Mark H. Wood <mw...@iupui.edu> wrote:
> 
> > > Are you able to try the same LDAP server w/o SSL?
> >
> > I just did, and it works.  I'd welcome suggestions as to how I can get
> > it working with SSL, as I don't want to be throwing cleartext
> > passwords across the wire.
> >
> 
> if you look at things in wireshark/ethereal, and force it to format as
> SSL, do you see anything alarming?

I suppose it's alarming that I see no SSL handshake at all.  httpd
opens a TCP connection and closes it immediately.  There are no
application-layer packets at all.  SYN/SYN-ACK/ACK, FIN.

> Can you handshake w/ your ldaps:// server using the openssl command
> line client, passing the same /etc/ssl/certs via -CApath?

Yes.

This setup was working for months using httpd 2.0, although I see that
I asked about the same behavior when first setting up 2.0 and then it
cleared up for no apparent reason.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

Posted by Eric Covener <co...@gmail.com>.
On Nov 13, 2007 9:24 AM, Mark H. Wood <mw...@iupui.edu> wrote:

> > Are you able to try the same LDAP server w/o SSL?
>
> I just did, and it works.  I'd welcome suggestions as to how I can get
> it working with SSL, as I don't want to be throwing cleartext
> passwords across the wire.
>

if you look at things in wireshark/ethereal, and force it to format as
SSL, do you see anything alarming?

Can you handshake w/ your ldaps:// server using the openssl command
line client, passing the same /etc/ssl/certs via -CApath?

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
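The two diagnostic steps that settle this thread, Eric's suggestion to handshake with the LDAPS port through the same CApath httpd uses, and Mark's eventual finding that a broken symlink in the certificate directory made the client give up silently, can be scripted so they run before anyone blames mod_authnz_ldap. The script below is an added example, not code from the thread or from the httpd project. It assumes an OpenSSL-style CApath directory (hash-named symlinks such as those `update-ca-certificates` or `c_rehash` maintain) and the `openssl` command-line tool; the function names `find_broken_symlinks`, `check_hash_links` and `probe_ldap_tls` are hypothetical names chosen here, and the `-starttls ldap` option for the STARTTLS variant exists only in OpenSSL 1.1.1 and later.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the directory given to
# LDAPTrustedGlobalCert CA_BASE64 / openssl -CApath, then optionally probe
# the directory server's TLS handshake the way Eric suggested.
# Assumption: the directory is an OpenSSL-style CApath with hash symlinks.

# Print every dangling symlink directly under $1; return 1 if any were found.
# A dangling link here is exactly the condition that made httpd drop its
# connections without a useful error message.
find_broken_symlinks() {
    dir=$1
    found=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$entry" ] || continue
        if [ ! -e "$entry" ]; then
            printf 'broken symlink: %s -> %s\n' "$entry" "$(readlink "$entry")"
            found=1
        fi
    done
    return $found
}

# For every certificate file in $1, verify that some <subject_hash>.N link in
# the same directory resolves to identical content, which is what the CApath
# lookup depends on. Return 1 if a certificate has no usable hash link.
check_hash_links() {
    dir=$1
    missing=0
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping hash-link check" >&2
        return 0
    fi
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || {
            printf 'unparseable certificate: %s\n' "$cert"
            missing=1
            continue
        }
        ok=0
        for link in "$dir"/"$hash".*; do
            [ -e "$link" ] || continue          # skips unmatched glob and dangling links
            if cmp -s "$link" "$cert"; then ok=1; break; fi
        done
        if [ "$ok" -eq 0 ]; then
            printf 'no hash link for %s (expected %s/%s.N)\n' "$cert" "$dir" "$hash"
            missing=1
        fi
    done
    return $missing
}

# Handshake with the directory server using the same CApath httpd uses.
# $1 = host, $2 = CApath, $3 = "ldaps" (port 636) or "starttls" (port 389,
# needs OpenSSL 1.1.1+). Needs network access, so it only runs when called.
probe_ldap_tls() {
    host=$1; dir=$2; mode=${3:-ldaps}
    case "$mode" in
        ldaps)    set -- -connect "$host:636" ;;
        starttls) set -- -connect "$host:389" -starttls ldap ;;
        *)        echo "mode must be ldaps or starttls" >&2; return 2 ;;
    esac
    openssl s_client "$@" -CApath "$dir" </dev/null 2>&1 |
        grep -E 'Verify return code|^subject=|^issuer='
}

# Usage: ca_check.sh /etc/ssl/certs [ldap-host [ldaps|starttls]]
case "${1:-}" in
    "") ;;   # sourced or run without arguments: define functions only
    *)
        rc=0
        find_broken_symlinks "$1" || rc=1
        check_hash_links "$1" || rc=1
        [ -n "${2:-}" ] && probe_ldap_tls "$2" "$1" "${3:-ldaps}"
        exit $rc
        ;;
esac
```

Running it as `ca_check.sh /etc/ssl/certs IU-MSSG-ADSDC01.ADS.IU.Edu` on the original setup would have printed the dangling link first, and only a clean directory plus a `Verify return code: 0 (ok)` line from the probe leaves httpd as the remaining suspect; if the probe fails while the directory is clean, the trust anchor or the server certificate chain is the problem rather than the symlinks.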


Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Mon, Nov 12, 2007 at 06:26:53PM -0500, Eric Covener wrote:
> On Nov 12, 2007 4:23 PM, Mark H. Wood <mw...@iupui.edu> wrote:
> > httpd is returning 500 to the client.  Log shows:
> >
> > [Mon Nov 12 15:59:35 2007] [warn] [client 127.0.0.1] [9159] auth_ldap
> > authenticate: user mwood authentication failed; URI
> > /svn/dspace/IDeA/trunk [LDAP: ldap_simple_bind_s() failed][Can't
> > contact LDAP server]
> >
> > Tracing the network traffic shows that httpd establishes and then
> > immediately tears down a connection with the directory service many
> > times, without ever initiating an LDAP session:
> 
> Are you able to try the same LDAP server w/o SSL?

I just did, and it works.  I'd welcome suggestions as to how I can get
it working with SSL, as I don't want to be throwing cleartext
passwords across the wire.

I just raised LogLevel to debug.  It logged seven identical attempts
to authenticate:  one, and then five seconds later six within the
space of a single second.  Nothing else was logged but the "can't
contact LDAP server" (after it opened and discarded seven perfectly
good TCP connections unused!)  It never even tried to start the SSL
handshake.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP

Posted by Eric Covener <co...@gmail.com>.
On Nov 12, 2007 4:23 PM, Mark H. Wood <mw...@iupui.edu> wrote:
> httpd is returning 500 to the client.  Log shows:
>
> [Mon Nov 12 15:59:35 2007] [warn] [client 127.0.0.1] [9159] auth_ldap
> authenticate: user mwood authentication failed; URI
> /svn/dspace/IDeA/trunk [LDAP: ldap_simple_bind_s() failed][Can't
> contact LDAP server]
>
> Tracing the network traffic shows that httpd establishes and then
> immediately tears down a connection with the directory service many
> times, without ever initiating an LDAP session:

Are you able to try the same LDAP server w/o SSL?

-- 
Eric Covener
covener@gmail.com
