Monday, March 17 2008, 03:10
Apache, mod_authnz_ldap and the timeouts
By fake
auth_ldap authenticate: user foo authentication failed; URI /bar [ldap_search_ext_s() for user failed][Can't contact LDAP server]

This happens after the server has been up for a few hours, and would go away for a few times again eventually (when you hit another preforked Apache worker, or spawn a new one).

I googled, and found a conversation between Knorrie and Covener in #apache on freenode dating from about a month back. I was unable to find the conclusion they came to, though, so I tried to contact them. Both were very helpful. Knorrie and I had the problem, so we tested various scenarios. Then, after about a day, the reason for the mishaps became obvious...

The LDAP_SERVER_DOWN define changed from version 2.1 (0x51 = 81) to 2.2 (-1) of the library, in the main header ldap.h, which makes the connection failure handling of Apache bail out if it is compiled with a 2.1 ldap.h and run on a 2.2 or later libldap. There is no build log of the current apache-2.2.8-1 Debian package for x86, but the one for amd64 shows this is exactly what happened.

I recompiled the Debian source package with no change to the source, just the correct headers in place for libldap-2.4, and it runs smoothly now. This problem should be nullified in 6 days when apache2-2.2.8_3 enters Debian testing.
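The mismatch described above, as an added example that is not Apache's or OpenLDAP's code: a simplified caller retries only when the result equals the "server down" value it was compiled with, so a build against the 2.1 header never reconnects on a 2.2+ library. The struct, the fake_* functions and abi_matches are hypothetical; the version encoding (20444 for 2.4.44) is assumed to follow OpenLDAP's LDAP_VENDOR_VERSION.

```c
#include <stdio.h>

/* Values quoted in the post for LDAP_SERVER_DOWN in ldap.h. */
#define SERVER_DOWN_HDR_21 0x51   /* 2.1 header: 81 */
#define SERVER_DOWN_HDR_22 (-1)   /* 2.2 and later */
#define SEARCH_OK 0

/* Hypothetical connection state; not a libldap or Apache type. */
struct conn { int stale; int reconnects; };

/* Stand-in for a 2.2+ library: a stale connection yields -1. */
static int fake_search(const struct conn *c) {
    return c->stale ? SERVER_DOWN_HDR_22 : SEARCH_OK;
}

static void fake_reconnect(struct conn *c) {
    c->stale = 0;
    c->reconnects++;
}

/* Caller retries once only if the result equals the "server down"
 * value that was baked in from the header at build time. */
int authenticate(struct conn *c, int server_down_at_build) {
    int rc = fake_search(c);
    if (rc == server_down_at_build) {
        fake_reconnect(c);
        rc = fake_search(c);
    }
    return rc;
}

/* One request on a stale connection; returns the final result code. */
int run_case(int server_down_at_build) {
    struct conn c = { 1, 0 };
    return authenticate(&c, server_down_at_build);
}

/* Startup guard (assumption): compare major.minor of the build-time
 * and runtime library versions, encoded as e.g. 20444 for 2.4.44. */
int abi_matches(int header_version, int runtime_version) {
    return header_version / 100 == runtime_version / 100;
}

int main(void) {
    printf("built with 2.1 header: rc=%d\n", run_case(SERVER_DOWN_HDR_21));
    printf("built with 2.2 header: rc=%d\n", run_case(SERVER_DOWN_HDR_22));
    printf("2.1.30 vs 2.4.44 match: %d\n", abi_matches(20130, 20444));
    return 0;
}
```

The version numbers passed to abi_matches in main are constructed sample values.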