Posted to users@httpd.apache.org by Ray Van Dolson <ra...@digitalpath.net> on 2004/09/09 19:37:32 UTC

[users@httpd] mod_auth_ldap problems.

Running Red Hat Enterprise 3.0 and a custom compiled version of Apache 2.0.50.
Here's the configure line I used to build Apache:

CFLAGS="-O3" ./configure \
  --prefix=/usr/local/apache2 \
  --enable-ssl \
  --enable-so \
  --enable-rewrite=shared \
  --enable-expires \
  --enable-info \
  --enable-deflate \
  --enable-ldap \
  --enable-auth-ldap \
  --with-ldap \
  --with-ssl=/usr

Server works fine, until I try using mod_auth_ldap.  I should note that I am
using LDAP authentication (TLS) successfully on the server itself.  I'm using
OpenLDAP provided by Red Hat which is 2.0.27 patchlevel 17 (Red Hat's internal
RPM versioning thing).  Of course I have the development libraries installed.

I notice the following when I start up Apache:

[Thu Sep 09 10:04:56 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Thu Sep 09 10:04:56 2004] [notice] LDAP: SSL support unavailable

Just wondering if this is normal?  I am using TLS with my OpenLDAP
authentication, not SSL, so perhaps this is normal... in any case, I add the
following to my httpd.conf file:

  LDAPSharedCacheSize 200000
  LDAPCacheEntries 1024
  LDAPCacheTTL 600
  LDAPOpCacheEntries 1024
  LDAPOpCacheTTL 600

  <Directory />
    AuthName "User Login"
    AuthType Basic
    AuthLDAPEnabled on
    AuthLDAPURL "ldap://chico-ldap1.digitalpath.net/ou=users?uid?sub?(objectClass=*)"
    require valid-user
  </Directory>

But when I run apachectl configtest on this, I get the following:

[root@webdev conf]# ../bin/apachectl configtest
../bin/apachectl: line 99: 12363 Segmentation fault      $HTTPD -t

If I run httpd -t manually, it says Syntax OK.  But apachectl will NOT work.  I
can stop the server manually via httpd -k stop and then restart it with httpd -k
start -DSSL (since apachectl just segfaults), but mod_auth_ldap is clearly not
working as I get no login prompt.  In any case it doesn't seem that apachectl
should behave in this way.

If I comment out the AuthLDAPURL line above and *only* that line, apachectl
doesn't complain and starts up fine.  I am prompted for a username and password,
but of course it doesn't accept my login :-)

I should note that PHP is also compiled into the server as a DSO, *without* LDAP
support.

Anyone have any ideas?

Thanks.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_auth_ldap problems.

Posted by Milan Andric <ma...@eecs.berkeley.edu>.
On Thu, Sep 09, 2004 at 05:05:08PM -0700, Ray Van Dolson wrote:
> Thanks for the reply.  I should note that I have tried it without the cache
> entries and it behaves the exact same way.  I will try httpd in single process
> mode shortly, however this server is temporarily serving as a "live" server.
> I'll be able to try this out in a few days again.

Not sure if just removing the LDAPCacheEntries directive actually
disables it.  I think you have to specify
    LDAPCacheEntries 0
    LDAPOpCacheEntries 0

HTH,

-- 
Milan



Re: [users@httpd] mod_auth_ldap problems.

Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
This doesn't sound like the same problem I had. If the server is
segfaulting at startup you need to use strace or truss to find clues to
the problem. In my situation the connection was segfaulting.

Are you sure this is a mod_auth_ldap problem? What does the error log say?
Are you loading any non-core modules (PHP, ...)?



On Thu, 9 Sep 2004, Ray Van Dolson wrote:

> Thanks for the reply.  I should note that I have tried it without the cache
> entries and it behaves the exact same way.  I will try httpd in single process
> mode shortly, however this server is temporarily serving as a "live" server.
> I'll be able to try this out in a few days again.
>
> Seems so odd to me that apachectl configtest results in a segfault, but when I
> run the configuration test via httpd directly it does not.  The only thing
> apachectl seems to do that doesn't occur when I run it by hand is some ulimit
> settings.
>
> One other caveat I just thought of that may be being influenced by the apachectl
> script--I have the following in my envvars file to make Oracle work:
>
> export ORACLE_SID=dpndb
> export ORACLE_BASE=/u01/app/oracle
> export ORACLE_HOME=/u01/app/oracle/product/10.1.0/client_1
> export TNS_ADMIN=/u01/app/oracle/product/10.1.0/client_1/network/admin
> export TWO_TASK=/u01/app/oracle/product/10.1.0/client_1/network/admin
> export NLS_LANG="English_America.WE8ISO8859P1"
>
> export LD_LIBRARY_PATH="$ORACLE_HOME:/lib:/usr/local/apache2/lib:$LD_LIBRARY_PATH"
> export LD_PRELOAD=libclntsh.so.10.1
>
> Anyways, thanks again for the reply.
>
> On Thu, Sep 09, 2004 at 04:39:59PM -0700, John P. Dodge wrote:
> > I had a similar problem on Solaris and the problem was the LDAP cache.
> > Disable this and see if auth_ldap works. Then you can focus on why you're
> > segfaulting with LDAP cache.
> >
> > On Solaris this was throwing SIGADRALN which seemed to be attributed to the
> > POSIX compliance expected by GCC and the POSIX compliance offered by
> > Solaris. (i.e. something returns a long when expecting an int or
> > something).
> >
> > Anyway I'd disable caching to see if the problem goes away or use single
> > process mode (httpd -X) to track the segfault.
>

----------------------------------------
"Mon aéroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services




Re: [users@httpd] mod_auth_ldap problems.

Posted by Ray Van Dolson <ra...@digitalpath.net>.
Thanks for the reply.  I should note that I have tried it without the cache
entries and it behaves the exact same way.  I will try httpd in single process
mode shortly, however this server is temporarily serving as a "live" server.
I'll be able to try this out in a few days again.

Seems so odd to me that apachectl configtest results in a segfault, but when I
run the configuration test via httpd directly it does not.  The only thing
apachectl seems to do that doesn't occur when I run it by hand is some ulimit
settings.

One other caveat I just thought of that may be being influenced by the apachectl
script--I have the following in my envvars file to make Oracle work:

export ORACLE_SID=dpndb
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=/u01/app/oracle/product/10.1.0/client_1
export TNS_ADMIN=/u01/app/oracle/product/10.1.0/client_1/network/admin
export TWO_TASK=/u01/app/oracle/product/10.1.0/client_1/network/admin
export NLS_LANG="English_America.WE8ISO8859P1"

export LD_LIBRARY_PATH="$ORACLE_HOME:/lib:/usr/local/apache2/lib:$LD_LIBRARY_PATH"
export LD_PRELOAD=libclntsh.so.10.1

Anyways, thanks again for the reply.

On Thu, Sep 09, 2004 at 04:39:59PM -0700, John P. Dodge wrote:
> I had a similar problem on Solaris and the problem was the LDAP cache.
> Disable this and see if auth_ldap works. Then you can focus on why you're
> segfaulting with LDAP cache.
>
> On Solaris this was throwing SIGADRALN which seemed to be attributed to the
> POSIX compliance expected by GCC and the POSIX compliance offered by
> Solaris. (i.e. something returns a long when expecting an int or
> something).
>
> Anyway I'd disable caching to see if the problem goes away or use single
> process mode (httpd -X) to track the segfault.
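
Added example, not part of the thread and not code from the Apache distribution: the message above points at the envvars file, which apachectl sources before it runs httpd, as one thing that differs from running httpd -t by hand. The script below lists the dynamic-loader assignments in such a file so the two environments can be compared; the function names and output tags are invented for this illustration, and the sample input is copied from the envvars lines quoted in the message.

```shell
#!/bin/sh
# Added example: report what an envvars file changes for the dynamic loader.

# Sample input, copied from the envvars lines quoted in the thread.
sample_envvars() {
    cat <<'EOF'
export ORACLE_HOME=/u01/app/oracle/product/10.1.0/client_1
export LD_LIBRARY_PATH="$ORACLE_HOME:/lib:/usr/local/apache2/lib:$LD_LIBRARY_PATH"
export LD_PRELOAD=libclntsh.so.10.1
EOF
}

# Print NAME=VALUE (quotes stripped) for each loader variable set in file $1.
loader_exports() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?(LD_PRELOAD|LD_LIBRARY_PATH)=' "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/^export[[:space:]]*//' \
            -e 's/^\([A-Z_]*\)="\(.*\)"$/\1=\2/'
}

# Print one finding per line as "<KIND> <item>", in file order.
review_envvars() {
    loader_exports "$1" | while IFS='=' read -r name value; do
        set -f                          # no globbing while splitting values
        case "$name" in
        LD_PRELOAD)
            IFS=' :'                    # preload lists use spaces or colons
            for lib in $value; do
                case "$lib" in
                */*) echo "PRELOAD_PATH $lib" ;;
                *)   echo "PRELOAD_BY_NAME $lib" ;;   # located via search path
                esac
            done ;;
        LD_LIBRARY_PATH)
            IFS=':'
            for dir in $value; do
                case "$dir" in
                /*)  echo "SEARCH_DIR $dir" ;;
                \$*) echo "SEARCH_VAR $dir" ;;        # value known only at run time
                *)   echo "SEARCH_RELATIVE ${dir:-.}" ;;
                esac
            done ;;
        esac
    done
}

tmp=$(mktemp)
sample_envvars > "$tmp"
review_envvars "$tmp"
rm -f "$tmp"
```

A SEARCH_VAR entry that is unset when the file is sourced leaves an empty path element, which the glibc loader treats as the current working directory; a PRELOAD_BY_NAME library is loaded into every process started from that environment, including httpd -t.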



Re: [users@httpd] mod_auth_ldap problems.

Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
On Thu, 9 Sep 2004, Ray Van Dolson wrote:

> Running Red Hat Enterprise 3.0 and a custom compiled version of Apache 2.0.50.
> Here's the configure line I used to build Apache:
>
> CFLAGS="-O3" ./configure \
>   --prefix=/usr/local/apache2 \
>   --enable-ssl \
>   --enable-so \
>   --enable-rewrite=shared \
>   --enable-expires \
>   --enable-info \
>   --enable-deflate \
>   --enable-ldap \
>   --enable-auth-ldap \
>   --with-ldap \
>   --with-ssl=/usr
>
> Server works fine, until I try using mod_auth_ldap.  I should note that I am
> using LDAP authentication (TLS) successfully on the server itself.  I'm using
> OpenLDAP provided by Red Hat which is 2.0.27 patchlevel 17 (Red Hat's internal
> RPM versioning thing).  Of course I have the development libraries installed.
>
> I notice the following when I start up Apache:
>
> [Thu Sep 09 10:04:56 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
> [Thu Sep 09 10:04:56 2004] [notice] LDAP: SSL support unavailable
>
> Just wondering if this is normal?  I am using TLS with my OpenLDAP
> authentication, not SSL, so perhaps this is normal... in any case, I add the
> following to my httpd.conf file:
>
>   LDAPSharedCacheSize 200000
>   LDAPCacheEntries 1024
>   LDAPCacheTTL 600
>   LDAPOpCacheEntries 1024
>   LDAPOpCacheTTL 600
>
>   <Directory />
>     AuthName "User Login"
>     AuthType Basic
>     AuthLDAPEnabled on
>     AuthLDAPURL "ldap://chico-ldap1.digitalpath.net/ou=users?uid?sub?(objectClass=*)"
>     require valid-user
>   </Directory>
>
> But when I run apachectl configtest on this, I get the following:
>
> [root@webdev conf]# ../bin/apachectl configtest
> ../bin/apachectl: line 99: 12363 Segmentation fault      $HTTPD -t
>
> If I run httpd -t manually, it says Syntax OK.  But apachectl will NOT work.  I
> can stop the server manually via httpd -k stop and then restart it with httpd -k
> start -DSSL (since apachectl just segfaults), but mod_auth_ldap is clearly not
> working as I get no login prompt.  In any case it doesn't seem that apachectl
> should behave in this way.
>
> If I comment out the AuthLDAPURL line above and *only* that line, apachectl
> doesn't complain and starts up fine.  I am prompted for a username and password,
> but of course it doesn't accept my login :-)
>
> I should note that PHP is also compiled into the server as a DSO, *without* LDAP
> support.
>
> Anyone have any ideas?
>
> Thanks.
>

I had a similar problem on Solaris and the problem was the LDAP cache.
Disable this and see if auth_ldap works. Then you can focus on why you're
segfaulting with LDAP cache.

On Solaris this was throwing SIGADRALN which seemed to be attributed to the
POSIX compliance expected by GCC and the POSIX compliance offered by
Solaris. (i.e. something returns a long when expecting an int or
something).

Anyway I'd disable caching to see if the problem goes away or use single
process mode (httpd -X) to track the segfault.


----------------------------------------
"Mon aéroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services

