You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2007/11/13 00:26:53 UTC
Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP
On Nov 12, 2007 4:23 PM, Mark H. Wood <mw...@iupui.edu> wrote:
> httpd is returning 500 to the client. Log shows:
>
> [Mon Nov 12 15:59:35 2007] [warn] [client 127.0.0.1] [9159] auth_ldap
> authenticate: user mwood authentication failed; URI
> /svn/dspace/IDeA/trunk [LDAP: ldap_simple_bind_s() failed][Can't
> contact LDAP server]
>
> Tracing the network traffic shows that httpd establishes and then
> immediately tears down a connection with the directory service many
> times, without ever initiating an LDAP session:
Are you able to try the same LDAP server w/o SSL?
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect
repeatedly without doing LDAP
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
*sigh* False alarm. I attached strace to the httpd processes and saw
that some bit of code gives up immediately when it trips over a broken
symlink in the directory that holds SSL root certificates.
Regenerating the links (via update-ca-certificates -- this is on
Gentoo Linux) cured that problem, and things are working again.
Now I need to track down just which layer of software (OpenLDAP?
OpenSSL? HTTPD?) is failing to report why it gave up.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect
repeatedly without doing LDAP
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
Another observation: I changed the AuthLDAPURL to '"ldap:..." STARTTLS',
gathering from the wording in the manual that mod_authnz_ldap might
only do LDAPS through the Netscape SDK while I'm using OpenLDAP:
Support for LDAP over SSL (requires the Netscape SDK) or TLS
(requires the OpenLDAP 2.x SDK or Novell LDAP SDK).
Now the LDAP layer actually speaks. httpd sends a START_TLS extended
request, and ADS responds positively. Then, without any attempt to
bind, let alone query, httpd sends an LDAP unbind and begins tearing
down the TCP connection.
No. Time Source Destination Protocol Info
1 0.000000 134.68.190.58 134.68.220.153 TCP 45637 > ldap [SYN] Seq=0 Len=0 MSS=1460 TSV=96846395 TSER=0 WS=7
2 0.000268 134.68.220.153 134.68.190.58 TCP ldap > 45637 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
3 0.000331 134.68.190.58 134.68.220.153 TCP 45637 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=96846395 TSER=0
4 0.001346 134.68.190.58 134.68.220.153 LDAP
5 0.001961 134.68.220.153 134.68.190.58 LDAP extendedResp(1)
6 0.002016 134.68.190.58 134.68.220.153 TCP 45637 > ldap [ACK] Seq=32 Ack=47 Win=5888 Len=0 TSV=96846395 TSER=484044
7 0.003463 134.68.190.58 134.68.220.153 LDAP unbindRequest(2)
8 0.003552 134.68.190.58 134.68.220.153 TCP 45637 > ldap [FIN, ACK] Seq=39 Ack=47 Win=5888 Len=0 TSV=96846396 TSER=484044
9 0.003784 134.68.220.153 134.68.190.58 TCP ldap > 45637 [ACK] Seq=47 Ack=40 Win=65497 Len=0 TSV=484044 TSER=96846396
10 0.003962 134.68.220.153 134.68.190.58 TCP ldap > 45637 [FIN, ACK] Seq=47 Ack=40 Win=65497 Len=0 TSV=484044 TSER=96846396
11 0.004009 134.68.190.58 134.68.220.153 TCP 45637 > ldap [ACK] Seq=40 Ack=48 Win=5888 Len=0 TSV=96846396 TSER=484044
It's as though the LDAP auth code gets all set to bind, then discovers
some error which goes totally unreported, and drops the connection as failed.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect
repeatedly without doing LDAP
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Tue, Nov 13, 2007 at 09:38:49AM -0500, Eric Covener wrote:
> On Nov 13, 2007 9:24 AM, Mark H. Wood <mw...@iupui.edu> wrote:
>
> > > Are you able to try the same LDAP server w/o SSL?
> >
> > I just did, and it works. I'd welcome suggestions as to how I can get
> > it working with SSL, as I don't want to be throwing cleartext
> > passwords across the wire.
> >
>
> if you look at things in wireshark/ethereal. and force it to formas as
> SSL, do you see anything alarming?
I suppose it's alarming that I see no SSL handshake at all. httpd
opens a TCP connection and closes it immediately. There are no
application-layer packets at all. SYN/SYN-ACK/ACK, FIN.
> Can you handshake w/ your ldaps:// server using the openssl command
> line client, passing the same /etc/ssl/certs via -CApath?
Yes.
This setup was working for months using httpd 2.0, although I see that
I asked about the same behavior when first setting up 2.0 and then it
cleared up for no apparent reason.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect repeatedly without doing LDAP
Posted by Eric Covener <co...@gmail.com>.
On Nov 13, 2007 9:24 AM, Mark H. Wood <mw...@iupui.edu> wrote:
> > Are you able to try the same LDAP server w/o SSL?
>
> I just did, and it works. I'd welcome suggestions as to how I can get
> it working with SSL, as I don't want to be throwing cleartext
> passwords across the wire.
>
if you look at things in wireshark/ethereal. and force it to formas as
SSL, do you see anything alarming?
Can you handshake w/ your ldaps:// server using the openssl command
line client, passing the same /etc/ssl/certs via -CApath?
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] 2.2.6 mod_authnz_ldap connect/disconnect
repeatedly without doing LDAP
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Mon, Nov 12, 2007 at 06:26:53PM -0500, Eric Covener wrote:
> On Nov 12, 2007 4:23 PM, Mark H. Wood <mw...@iupui.edu> wrote:
> > httpd is returning 500 to the client. Log shows:
> >
> > [Mon Nov 12 15:59:35 2007] [warn] [client 127.0.0.1] [9159] auth_ldap
> > authenticate: user mwood authentication failed; URI
> > /svn/dspace/IDeA/trunk [LDAP: ldap_simple_bind_s() failed][Can't
> > contact LDAP server]
> >
> > Tracing the network traffic shows that httpd establishes and then
> > immediately tears down a connection with the directory service many
> > times, without ever initiating an LDAP session:
>
> Are you able to try the same LDAP server w/o SSL?
I just did, and it works. I'd welcome suggestions as to how I can get
it working with SSL, as I don't want to be throwing cleartext
passwords across the wire.
I just raised LogLevel to debug. It logged seven identical attempts
to authenticate: one, and then five seconds later six within the
space of a single second. Nothing else was logged but the "can't
contact LDAP server" (after it opened and discarded seven perfectly
good TCP connections unused!) It never even tried to start the SSL
handshake.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.