logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache 2.4: LDAP authentication very slow
Author
mahohmei



Joined: 03 Feb 2020
Posts: 1
Location: USA, Tallahassee, FL

PostPosted: Mon 03 Feb '20 15:13    Post subject: Apache 2.4: LDAP authentication very slow Reply with quote

Apache 2.4.6
RHEL 7.7

This is a pretty new (about a week old) problem. My department Intranet uses authentication against the university's Active Directory environment, and authentication for end-users takes over 30 seconds. Subsequent page loads are nearly-instant, and after 15-30 minutes, the problem is back.

Code:
<Directory /var/www/html/intranet>
  AuthType Basic
  AuthName "Restricted files"
  AuthBasicProvider ldap
  AuthLDAPBindDN CN=dept-binder,OU=Generic-Logon,OU=Generic,DC=example,DC=edu
  AuthLDAPBindPassword lamepassword
  AuthLDAPURL ldaps://ldap-ad.example.edu:636/dc=example,dc=edu?sAMAccountName?sub

  <RequireAny>
    require ldap-group CN=ug-dept-intranet,OU=Deoartment,OU=Dept-Groups,DC=example,DC=edu
  </RequireAny>
</Directory>


Here are some relevant lines from error_log, showing an authentication take 37 seconds:

Code:
AH02034: Initial (No.1) HTTPS request received for child 36 (server dept.example.edu:443)
AH01626: authorization result of Require ldap-group CN=ug-psy-employees,OU=Dynamic,OU=Psychology,OU=FSU-Dept-Groups,DC=fsu,DC=edu: denied (no authenticated user yet)
AH01626: authorization result of Require ldap-group CN=ug-dept-intranet,OU=Dept,OU=Dept-Groups,DC=example,DC=edu: denied (no authenticated user yet)
AH01691: auth_ldap authenticate: using URL ldaps://ldap-ad.example.edu:636/dc=example,dc=edu?sAMAccountName?sub
AH02001: Connection closed to child 11 with standard shutdown (server dept.example.edu:443)

# 37 seconds pass

AH01697: auth_ldap authenticate: accepting jsmith
AH01713: auth_ldap authorize: require group: testing for group membership in "CN=ug-dept-intranet,OU=Department,OU=Dept-Groups,DC=example,DC=edu"
AH01714: auth_ldap authorize: require group: testing for member: CN=jsmith,OU=PEOPLE,DC=example,DC=edu (CN=ug-dept-intranet,OU=Department,OU=Dept-Groups,DC=example,DC=edu)
AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (adding to cache)][6 - Compare True]
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Sat 08 Feb '20 8:00    Post subject: Reply with quote

Hello,
sound like a timeout of ~30 seconds which is cached for 15-30 minutes. Would be interesting what is going on on the wire within these 30 seconds (tcpdump/Wireshark).

Within my text-LDAP-config I have additional three lines where the last one was commented as "to be used with apache2.4", but I can't remember why I have added this comment:
Code:
AuthLDAPRemoteUserIsDN On
AuthLDAPBindAuthoritative On
LDAPReferrals Off

Maybe you can check if these config-lines help or what happens between your webserver and the LDAP-server (looks like an Windows-AD-server)?

Best regards
Matthias
Back to top
marek_g



Joined: 07 Mar 2021
Posts: 1
Location: Warsaw, Poland

PostPosted: Sun 07 Mar '21 23:27    Post subject: Reply with quote

I've had exactly the same problem on Fedora 33 with Apache 2.4 and I've solved it by adding

Code:
LDAPConnectionTimeout 1


to the Apache global configuration:
https://httpd.apache.org/docs/2.4/mod/mod_ldap.html

I'm using LDAP with TLS and I suspect that delay was caused by Apache trying to verify Active Directory/DC certificate.
Back to top


Reply to topic   Topic: Apache 2.4: LDAP authentication very slow View previous topic :: View next topic
Post new topic   Forum Index -> Apache