Posted to users@httpd.apache.org by "J.D." <ra...@gmail.com> on 2016/05/03 01:22:50 UTC

[users@httpd] Apache-2.2 with LDAP authentication keeps spinning after authentication completes

Centos-6.6+seLinux, Apache-2.2, OpenLDAP-2.4.40, OpenSSL-1.0.1e-fips

Using the following sample Directory block, the Apache LDAP authentication works
just fine, but when the web page is displayed - the activity spinner is spinning
and the status bar shows "Read <hostname>". Without the Apache LDAP
authentication, neither of the above symptoms appear/occur. It is almost like
something doesn't complete/finish, but I cannot determine what causes this.
There are no messages in the HTTPD error logs relative to this situation.


<Directory "/var/www/html/directory/">
  SSLRequireSSL
  AllowOverride None
  Allow from 127.0.0.1
  Allow from localhost
  Allow from 192.168.56.0/24
# uncomment following line to force all frontend access
# to require userid/password authentication via LDAP
  include conf/WebFrontendApacheAuthentication.conf
</Directory>


WebFrontendApacheAuthentication.conf
===============================
AuthType basic
AuthName "realm"
AuthBasicProvider ldap
AuthLDAPURL ldaps://vbox-realm.vboxnet/dc=realm?uid?sub?(ObjectClass=*)
Require ldap-group cn=WebAccess,dc=realm
===============================

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: [SOLVED] Apache-2.2 with LDAP authentication keeps spinning after authentication completes

Posted by "J.D." <ra...@gmail.com>.
Tried using (newer) web browsers under Mac OS X and no apparent
Read/Transmitting persistence is noted. So perhaps "the issue" is browser
specific (either OS or version). It would be nice to have a reliable way to
track this down with more specifics. Web browser console/error/debug windows
don't help. Packet capture mechanisms don't help, of course. Application log
files don't show anything, of course.


-------- Original Message --------
Subject: Re: [users@httpd] Apache-2.2 with LDAP authentication keeps spinning
after authentication completes
Date: Tue, 03 May 2016 16:46:30 -0500
From: J.D. <ra...@gmail.com>
To: users@httpd.apache.org

Another interesting observation: web browser (Firefox) continues to show
activity spinner and "read <hostname>" status (with AuthLDAP active at web
application initiation) even after the LDAP authentication is completed, the
OpenLDAP server is stopped, and the LDAP network connection is dropped. I can't
see activity status with the Opera browser, but the LDAP network connection
remains ESTABLISHED after terminating that web browser.

This appears to be an Apache(2.2) issue. Nothing in the Apache (HTTPD) log files.



On 05/03/2016 06:56, Luca Toscano wrote:
> 
> 
> 2016-05-03 1:22 GMT+02:00 J.D. <ra...@gmail.com>:
> 
>     Centos-6.6+seLinux, Apache-2.2, OpenLDAP-2.4.40, OpenSSL-1.0.1e-fips
> 
>     Using the following sample Directory block, the Apache LDAP authentication works
>     just fine, but when the web page is displayed - the activity spinner is spinning
>     and the status bar shows "Read <hostname>". Without the Apache LDAP
>     authentication, neither of the above symptoms appear/occur. It is almost like
>     something doesn't complete/finish, but I cannot determine what causes this.
>     There are no messages in the HTTPD error logs relative to this situation.
> 
> 
>     <Directory "/var/www/html/directory/">
>       SSLRequireSSL
>       AllowOverride None
>       Allow from 127.0.0.1
>       Allow from localhost
>       Allow from 192.168.56.0/24
>     # uncomment following line to force all frontend access
>     # to require userid/password authentication via LDAP
>       include conf/WebFrontendApacheAuthentication.conf
>     </Directory>
> 
> 
>     WebFrontendApacheAuthentication.conf
>     ===============================
>     AuthType basic
>     AuthName "realm"
>     AuthBasicProvider ldap
>     AuthLDAPURL ldaps://vbox-realm.vboxnet/dc=realm?uid?sub?(ObjectClass=*)
>     Require ldap-group cn=WebAccess,dc=realm
>     ===============================
> 
> 
> Not an expert about LDAP auth with httpd but I would try to increase the
> LogLevel (https://httpd.apache.org/docs/2.2/mod/core.html#loglevel) to get more
> info from the logs about what mod_auth_ldap is doing.
> 
> Hope that helps!
> 
> Luca 





Re: [users@httpd] Apache-2.2 with LDAP authentication keeps spinning after authentication completes

Posted by Jim Dutton <ra...@gmail.com>.
The persistent LDAP connection between Apache/mod_authnz_ldap and OpenLDAP is
not an LDAP nor OpenLDAP error. Debug logging has confirmed this.

It appears that Apache(v2.2)/mod_authnz_ldap establishes and maintains a
persistent network connection to the designated LDAP server. Documentation for
mod_ldap mentions "connection pooling" and "results caching".

The situation has been verified by the following:

1) start Apache with AuthLDAP directives; start web application; do LDAP
authentication; network connection to LDAP server is established; terminate web
browser; LDAP connection is still ESTABLISHED and appears to "never" timeout or
close; during this time the web browser maintains a "read/transmitting" state

stop Apache (httpd) or the LDAP server and the LDAP connection is dropped

2) start Apache withOUT AuthLDAP; start web application; NO initial LDAP
authentication; no network connection to the LDAP server; perform a function
within the web application that at that point invokes LDAP authentication via
PHP; network connection ESTABLISHED to the LDAP server; LDAP authentication
completes; network connection to the LDAP server is closed; browser status is
"normal".





On 05/03/2016 06:56, Luca Toscano wrote:
> 
> 
> 2016-05-03 1:22 GMT+02:00 J.D. <ra...@gmail.com>:
> 
>     Centos-6.6+seLinux, Apache-2.2, OpenLDAP-2.4.40, OpenSSL-1.0.1e-fips
> 
>     Using the following sample Directory block, the Apache LDAP authentication works
>     just fine, but when the web page is displayed - the activity spinner is spinning
>     and the status bar shows "Read <hostname>". Without the Apache LDAP
>     authentication, neither of the above symptoms appear/occur. It is almost like
>     something doesn't complete/finish, but I cannot determine what causes this.
>     There are no messages in the HTTPD error logs relative to this situation.
> 
> 
>     <Directory "/var/www/html/directory/">
>       SSLRequireSSL
>       AllowOverride None
>       Allow from 127.0.0.1
>       Allow from localhost
>       Allow from 192.168.56.0/24
>     # uncomment following line to force all frontend access
>     # to require userid/password authentication via LDAP
>       include conf/WebFrontendApacheAuthentication.conf
>     </Directory>
> 
> 
>     WebFrontendApacheAuthentication.conf
>     ===============================
>     AuthType basic
>     AuthName "realm"
>     AuthBasicProvider ldap
>     AuthLDAPURL ldaps://vbox-realm.vboxnet/dc=realm?uid?sub?(ObjectClass=*)
>     Require ldap-group cn=WebAccess,dc=realm
>     ===============================
> 
> 
> Not an expert about LDAP auth with httpd but I would try to increase the
> LogLevel (https://httpd.apache.org/docs/2.2/mod/core.html#loglevel) to get more
> info from the logs about what mod_auth_ldap is doing.
> 
> Hope that helps!
> 
> Luca 


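The ESTABLISHED-connection check described in the message above can be made repeatable. The following is an added example, not part of the original thread: it parses `netstat -tnp` output and lists, per process ID, the LDAP/LDAPS peers that httpd holds open. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
"""Report which processes hold TCP connections to LDAP ports (netstat -tnp output)."""
import collections
import subprocess

LDAP_PORTS = {389, 636}  # ldap:// and ldaps://

# Constructed sample output; hosts, ports and PIDs are invented for illustration.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address        Foreign Address      State       PID/Program name
tcp        0      0 192.168.56.10:443    192.168.56.1:51234   ESTABLISHED 2314/httpd
tcp        0      0 192.168.56.10:48522  192.168.56.20:636    ESTABLISHED 2314/httpd
tcp        0      0 192.168.56.10:48530  192.168.56.20:636    ESTABLISHED 2317/httpd
tcp        0      0 192.168.56.10:48611  192.168.56.20:636    TIME_WAIT   -
tcp        0      0 192.168.56.10:22     192.168.56.1:50110   ESTABLISHED 1200/sshd
"""


def ldap_connections(netstat_text, ports=LDAP_PORTS):
    """Yield (program, pid, remote, state) for TCP rows whose remote port is an LDAP port."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header or non-TCP row
        remote, state = fields[4], fields[5]
        _, _, port = remote.rpartition(":")  # rpartition also copes with IPv6 peers
        if not port.isdigit() or int(port) not in ports:
            continue
        owner = fields[6] if len(fields) > 6 else "-"  # "-" when no process owns the socket
        pid, _, program = owner.partition("/")
        yield (program or "-", pid if pid.isdigit() else None, remote, state)


def held_open(netstat_text, program="httpd"):
    """Map PID -> LDAP peers that `program` currently holds in ESTABLISHED state."""
    held = collections.defaultdict(list)
    for prog, pid, remote, state in ldap_connections(netstat_text):
        if prog == program and state == "ESTABLISHED":
            held[pid].append(remote)
    return dict(held)


def live_netstat():
    """Run netstat on the web server itself (root is needed to see PIDs)."""
    return subprocess.run(["netstat", "-tnp"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for pid, peers in sorted(held_open(SAMPLE).items()):
        print(f"httpd pid {pid} holds {len(peers)} LDAP connection(s): {', '.join(peers)}")
```

Passing live_netstat() instead of SAMPLE, once with the browser open and once after closing it, shows whether the connection to the LDAP server is owned by an httpd process and outlives the browser session.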


Re: [users@httpd] Apache-2.2 with LDAP authentication keeps spinning after authentication completes

Posted by Luca Toscano <to...@gmail.com>.
2016-05-03 1:22 GMT+02:00 J.D. <ra...@gmail.com>:

> Centos-6.6+seLinux, Apache-2.2, OpenLDAP-2.4.40, OpenSSL-1.0.1e-fips
>
> Using the following sample Directory block, the Apache LDAP authentication
> works
> just fine, but when the web page is displayed - the activity spinner is
> spinning
> and the status bar shows "Read <hostname>". Without the Apache LDAP
> authentication, neither of the above symptoms appear/occur. It is almost
> like
> something doesn't complete/finish, but I cannot determine what causes this.
> There are no messages in the HTTPD error logs relative to this situation.
>
>
> <Directory "/var/www/html/directory/">
>   SSLRequireSSL
>   AllowOverride None
>   Allow from 127.0.0.1
>   Allow from localhost
>   Allow from 192.168.56.0/24
> # uncomment following line to force all frontend access
> # to require userid/password authentication via LDAP
>   include conf/WebFrontendApacheAuthentication.conf
> </Directory>
>
>
> WebFrontendApacheAuthentication.conf
> ===============================
> AuthType basic
> AuthName "realm"
> AuthBasicProvider ldap
> AuthLDAPURL ldaps://vbox-realm.vboxnet/dc=realm?uid?sub?(ObjectClass=*)
> Require ldap-group cn=WebAccess,dc=realm
> ===============================
>
>
Not an expert about LDAP auth with httpd but I would try to increase the
LogLevel (https://httpd.apache.org/docs/2.2/mod/core.html#loglevel) to get
more info from the logs about what mod_auth_ldap is doing.

Hope that helps!

Luca