Project

General

Profile

Actions

Bug #294

closed

LDAP authentication fails if LDAP server connection times out

Added by Anonymous about 17 years ago. Updated about 16 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:
-
ASK QUESTIONS IN Forums:

Description

Active Directory (in Windows 2003 Server) disconnects LDAP clients after 15 minutes of inactivity. The LDAP authenticator in lighttpd binds when the lighttpd process starts, and if no one accesses the lighttpd server for more than 15 minutes (such as is the case with intranet servers overnight), the LDAP server disconnects and lighttpd denies all subsequent requests. The lighttpd process must be restarted in order to get authentication working again.

Ideally, lighttpd would determine if the LDAP connection was still valid, and re-connect if it wasn't. Another approach might be to have a setting in the lighttpd configuration that would cause lighttpd to disconnect itself from the LDAP server after a certain period of inactivity, and re-connect if it had previously disconnected itself.

-- melfstrand


Files

ldap_reconnect.diff (2.77 KB) ldap_reconnect.diff Automatic reconnect for LDAP -- joerg Anonymous, 2005-10-09 16:21
ldap_timeout.diff (2.34 KB) ldap_timeout.diff allow reconnect to ldap server after timeouts -- joerg Anonymous, 2005-11-06 15:24
Actions #1

Updated by Anonymous almost 17 years ago

I've run into the same problem. Can try the attached patch?

-- joerg

Actions #2

Updated by Anonymous almost 17 years ago

The patch appears to work! I applied it to my copy of the 1.4.4 source. It compiled, installed, and has been running for a couple of hours so far, and I've let it run for over 15 minutes both at startup and between requests, and there has been no problem authenticating. Thank you!

-- melfstrand

Actions #3

Updated by Anonymous almost 17 years ago

I should add that the patch contains another change. It disable the CA file check for starttls, I needed it because the admin of the LDAP server I have to use doesn't want to give it to me, but enforces SSL. It might be good to make it another option.

-- joerg

Actions #4

Updated by Anonymous almost 17 years ago

I'm reattaching the patch without the starttls part (ticket 356).

-- joerg

Actions #5

Updated by jan almost 17 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

applied in r818, will be part of 1.4.8, thanks for the patch.

Actions

Also available in: Atom