Posted to users@httpd.apache.org by Tessio Fechine <oi...@gmail.com> on 2011/12/10 13:19:46 UTC

[users@httpd] ldap authentication taking far too long

Hello,
I configured Apache 2.2 to provide LDAP authentication with Active Directory.

--=--
<Directory "/var/www/html">

        AuthType Basic
        AuthName "Authenticate with domain account."
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPBindDN cn=Administrator,cn=users,dc=example,dc=com
        AuthLDAPBindPassword secret
        AuthLDAPURL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
        Require valid-user
        ...
</Directory>
--=--

It works, but it takes far too long.
I analyzed the traffic with tcpdump; the timestamps show exactly four
minutes between the initial bindRequest (the bind as "AuthLDAPBindDN") and
the final bindResponse (success) for the user-provided account credentials.

Here is the error_log output for this.

--=--
[Sat Dec 10 07:06:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2488] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2488] auth_ldap authenticate: accepting peter
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2488] auth_ldap authorise: declining to authorise
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2475] auth_ldap authorise: declining to authorise, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [error] [client 192.168.56.1] File does not exist: /var/www/html/projeto/style.css, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2475] auth_ldap authorise: declining to authorise, referer: http://192.168.56.200/projeto/
--=--

As you can see, it takes four minutes between the first and the second line.

Any clue?
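The post reads the four-minute gap off tcpdump and error_log timestamps by hand. The script below is an added example, not part of the original post and not httpd code: it parses mod_authnz_ldap debug lines in the 2.2 error_log format shown above, pairs each "using URL" line with the "accepting" line that carries the same request id (the "[2488]" field), and reports the seconds between them, flagging anything over a threshold. The sample lines are constructed from the post's log with the wrapped lines joined; the 5-second threshold is an arbitrary choice.

```python
"""Per-request LDAP authentication latency from mod_authnz_ldap debug logs.

Added example (not from the original post or from httpd). Pairs each
"auth_ldap authenticate: using URL" line with the next
"auth_ldap authenticate: accepting <user>" line for the same request id
and reports how long the LDAP bind/search round trip took.
"""
import re
from datetime import datetime

# Constructed sample mirroring the post's log (wrapped lines joined).
SAMPLE_LOG = """\
[Sat Dec 10 07:06:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2488] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2488] auth_ldap authenticate: accepting peter
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2488] auth_ldap authorise: declining to authorise
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [error] [client 192.168.56.1] File does not exist: /var/www/html/projeto/style.css, referer: http://192.168.56.200/projeto/
"""

# httpd 2.2 error_log line as emitted by mod_authnz_ldap at LogLevel debug.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] mod_authnz_ldap\.c\(\d+\): "
    r"\[client (?P<client>[^\]]+)\] \[(?P<rid>\d+)\] "
    r"auth_ldap authenticate: (?P<event>using URL|accepting) ?(?P<rest>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Dec 10 07:06:37 2011"


def parse_line(line):
    """Return (timestamp, client, request_id, event, rest), or None for
    lines that are not mod_authnz_ldap authenticate events."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, m.group("client"), m.group("rid"), m.group("event"), m.group("rest")


def auth_latencies(log_text):
    """Return [(request_id, client, user, seconds)] in log order.

    httpd recycles request ids, so a pending 'using URL' is consumed by the
    first 'accepting' for the same (client, id) and then forgotten.
    """
    pending = {}
    results = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, rid, event, rest = parsed
        key = (client, rid)
        if event == "using URL":
            pending[key] = ts
        elif key in pending:
            start = pending.pop(key)
            user = rest.split(",", 1)[0].strip()  # drop ", referer: ..."
            results.append((rid, client, user, (ts - start).total_seconds()))
    return results


def slow_auths(log_text, threshold_seconds=5.0):
    """Only the lookups that took longer than threshold_seconds."""
    return [r for r in auth_latencies(log_text) if r[3] > threshold_seconds]


if __name__ == "__main__":
    for rid, client, user, secs in auth_latencies(SAMPLE_LOG):
        flag = "  <-- slow" if secs > 5.0 else ""
        print(f"request {rid} client {client} user {user}: {secs:.0f}s{flag}")
```

Run it against a real error_log with `auth_latencies(open("/var/log/httpd/error_log").read())`; on the sample it reports 240 seconds for request 2488 and 0 for 2475. Two practitioner notes on the configuration in the post, separate from the script: the httpd.conf binds as the domain Administrator with a cleartext password, over unencrypted ldap://, and the referer shows the Basic challenge is served over plain HTTP, so both the bind credential and every user's domain password cross the wire in clear text; a dedicated read-only bind account, ldaps:// (or STARTTLS) and HTTPS on the front end are the usual minimum. Separately, a sub-scope search from the domain root of Active Directory commonly returns referrals to other naming contexts, and a client library that tries to chase them waits out a network timeout for each referral host that does not answer, which is one frequent cause of multi-minute gaps like this one; whether that is the cause here, and whether this httpd build offers the mod_ldap LDAPReferrals directive to turn chasing off, is an assumption to verify, not something the post establishes.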