[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Problems using AuthLDAP and ActiveDirectory

From: Paul Ossenbruggen <paul.ossenbruggen_at_convoii.net>
Date: 2004-07-22 02:57:57 CEST

This is a followup so others don't experience the trouble I did. The
problem is a bug in the Apache LDAP module. It is fairly simple to
reproduce. Start a web browser to get a clean session, access an ldap
protected directory using the the intentionally wrong password and
correct username. Then immediately type the correct password and
correct user id. Refresh multiple times usually about 5 times will do
it, it asks for your password again, enter correct password again
refresh a few more times it asks again. The problem goes away in about
5 minutes probably corresponds to the LDAP cache settings.

I found several bugs in the Apache Bugzilla, that were very similar to
this one. This bug is fixed in Apache 2.0.50.

Below is a complete view of the log file when the problem occurs.

Start browser enter correct password and user name.

[Tue Jul 20 15:57:42 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(343): [client 10.10.100.136] [25331] auth_ldap
authenticate: using URL ldap://company.net:389/cn=
Users,dc=company,dc=net?sAMAccountName?sub
[Tue Jul 20 15:57:42 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(418): [client 10.10.100.136] [25331] auth_ldap
authenticate: accepting paul.ossenbruggen
[Tue Jul 20 15:57:42 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(638): [client 10.10.100.136] [25331] auth_ldap
authorise: require group: testing for group member
ship in `cn=Core,cn=Users,dc=company,dc=net'
[Tue Jul 20 15:57:42 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(643): [client 10.10.100.136] [25331] auth_ldap
authorise: require group: testing for member: CN=P
aul Ossenbruggen,CN=Users,DC=company,DC=net
(cn=Core,cn=Users,dc=company,dc=net)
[Tue Jul 20 15:57:42 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(651): [client 10.10.100.136] [25331] auth_ldap
authorise: require group: authorisation successful (attribute member)
[Comparison true (cached)][Compare true]

Type wrong password intentionally.

[Tue Jul 20 16:09:34 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(343): [client 10.10.100.136] [25334] auth_ldap
authenticate: using URL
ldap://company.net:389/cn=Users,dc=company,dc=net?sAMAccountName?sub
[Tue Jul 20 16:09:34 2004] [warn] [client 10.10.100.136] [25334]
auth_ldap authenticate: user paul.ossenbruggen authentication failed;
URI /ldap-status [ldap_simple_bind_s() to check user credentials
failed][Invalid credentials]

Enter correct password and then refresh page multiple times until this
error occurs. Occurs once in about 5 refreshes. Problem goes away after
5 minutes. Seems some one is caching the bad login.

[Tue Jul 20 16:10:19 2004] [debug]
/home/david/rpms/build/httpd-2.0.48/modules/experimental/
mod_auth_ldap.c(343): [client 10.10.100.136] [25332] auth_ldap
authenticate: using URL ldap://company.net:389/cn=
Users,dc=company,dc=net?sAMAccountName?sub
[Tue Jul 20 16:10:19 2004] [warn] [client 10.10.100.136] [25332]
auth_ldap authenticate: user paul.ossenbruggen authentication failed;
URI /ldap-status [ldap_search_ext_s() for user failed][Operations
error]

- Paul

On Jul 19, 2004, at 1:57 PM, Paul Ossenbruggen wrote:

> We were having problems browsing around the repository with the web
> browser too, similar to the command line, it keeps asking to
> re-authenticate. So that points at some sort of caching happening in
> mod_ldap or active directory rather than the .subversion files. It
> seems it is AD that is returning the error which Mod_ldap turns into
> an "operations error". It seems like it does not bind properly a lot
> of the time.
>
>
> - Paul
>
>
> On Jul 19, 2004, at 12:18 PM, Campbell, Matthew A wrote:
>
>
> Just my $0.02...
>
>
> Could your users have authentication tokens cached in their respective
> ~/.subversion/ directories?  That would probably wreak havoc and
> cause added
> chaos.
>
>
> > -----Original Message-----
> > From: Paul Ossenbruggen [mailto:paul.ossenbruggen@convoii.net]
> > Sent: Monday, July 19, 2004 2:13 PM
> > To: users@subversion.tigris.org
> > Subject: Problems using AuthLDAP and ActiveDirectory
> >
> >
> > Our company has been using AuthLDAP against an ActiveDirectory
> server
> > with Subversion for a little less than 90 days, I know this because,
> > that is about how long it takes before we are required to change our
> > passwords in the Active Directory domain. During that time we
> > had some
> > minor problems where, it would not authenticate properly sometimes.
> > Navigating around the the repository would periodically cause you to
> > have to retype your password but for the most part, it seemed
> > to work.
> > Once I had to restart the apache server to get it working again.
> >
> > Then the 90 day password change happened and all hell broke
> > loose after
> > the users changed their passwords. Now it intermittently but
> > much more
> > frequently does not authenticate. It fails almost 50% of each LDAP
> > query. We tried various things like changing the
> > LDAPCacheEntries size
> > to 0. This seemed to make things worse which makes sense
> > because it was
> > checking with the server more frequently. We tried restarting the
> > Active Directory server and the Apache server but it still is
> flaky..
> > Anyway, we are now back to a password file because it has become so
> > unreliable, has anyone else had similar problems?  I know that
> > Subversion is not really involved at this level, it has more
> > to do with
> > MOD_LDAP, Active Directory and Apache but it does exercise this
> > functionality pretty heavily.
> >
> > - Paul
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
> >
Received on Thu Jul 22 03:00:15 2004

This is an archived mail posted to the Subversion Users mailing list.