
We're getting intermittent errors of this nature:

[Mon Mar 20 08:38:37 2017] [info] [client client_ip_here] [27056] auth_ldap authenticate: user first.last@server.com authentication failed; URI /path/to/project/trunk [LDAP: ldap_start_tls_s() failed][Connect error]

In the Apache logs:

[Mon Mar 20 08:38:37 2017] [info] Initial (No.1) HTTPS request received for child 3 (server svn.server.com:443)
[Mon Mar 20 08:38:37 2017] [debug] mod_authnz_ldap.c(432): [client client_ip_here] [27056] auth_ldap authenticate: using URL ldap://ldap.server.com/OU=Accounts,DC=AAA,DC=BBB,DC=CCC?mail
[Mon Mar 20 08:38:37 2017] [info] [client client_ip_here] [27056] auth_ldap authenticate: user first.last@server.com authentication failed; URI /path/to/project/trunk [LDAP: ldap_start_tls_s() failed][Connect error]

Apache configuration:

<Location /svn/>
    DAV svn

    SVNListParentPath on
    SVNParentPath /path/to/repositories
    SVNIndexXSLT "/svnindex.xsl"

    # SetEnv SVN_LOCALE_CHARSET "en_US.UTF-8"
    SetEnv SVN_LOCALE_CHARSET "UTF-8"

    AuthBasicProvider ldap file
    AuthUserFile /path/to/svnfile.acl
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "Login with full email (lowercase) and password / Utiliser votre courriel (minuscules) et mot de passe pour vous authentifier"
    AuthLDAPBindDN "bind_dn_here"
    AuthLDAPBindPassword "password_here"
    AuthLDAPURL "ldap://ldap.server.com/OU=Accounts,DC=AAA,DC=BBB,DC=CCC?mail" TLS
    AuthzSVNAccessFile /path/to/svnrepos.acl

    require valid-user
</Location>

LDAP configuration file:

REFERRALS off
TLS_CACERTDIR   /etc/openldap/certs
TLS_REQCERT never

This used to be rock solid until last week, when we had to change DC. Until a solution is found, the workaround is to restart Apache every half hour (or when the authentication starts to fail).

Apparently, the new DC is configured the same way as the other one. I'm unsure how to troubleshoot this; I don't manage all the parts in this equation.

TechFanDan

1 Answer


You could try running an ldapsearch that mimics what Apache is doing when you notice the problem. If your issue shuts out all users, it shouldn't matter which user you bind as. You would also want the verbose switch to see if you get any clues as to why StartTLS is failing.

Another tool you could try is "openssl s_client", that might give you more info on the starttls conversation, and help you narrow the cause down.

Have you looked into the logs on your new DC?

Tony.P
  • Someone did look in the logs on my behalf; apparently they didn't find too much from my boxes. However, I think I found the cause. I had absolutely no caching in place in my configs. I copied the base config found on Apache's site and since then it seems to be pretty stable. My gut tells me that we were hammering it some way, and only a restart of Apache solved it (too much memory, server stopped connections?). I'll try to paste my final config ASAP. – TechFanDan Mar 27 '17 at 00:14
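The two probes the answer recommends (an ldapsearch that mirrors the AuthLDAPURL with StartTLS forced on, and openssl s_client speaking the LDAP StartTLS exchange), plus a small triage of their output and a per-minute count of the `ldap_start_tls_s() failed` lines from the Apache error log, as an added example script that is not part of the original thread. The host name, bind DN and search base are the placeholders from the question, not real values; `openssl s_client -starttls ldap` is assumed to be available (it needs OpenSSL 1.1.1 or newer), and the error-log sample at the bottom is constructed to match the format shown in the question.

```shell
#!/bin/sh
# Added example: reproduce the mod_authnz_ldap StartTLS handshake by hand and
# triage the result. Host, bind DN and base are placeholders from the question.

LDAP_HOST="${LDAP_HOST:-ldap.server.com}"
LDAP_BASE="${LDAP_BASE:-OU=Accounts,DC=AAA,DC=BBB,DC=CCC}"
BIND_DN="${BIND_DN:-bind_dn_here}"

# 1. The ldapsearch equivalent of AuthLDAPURL "ldap://host/base?mail" TLS:
#    -ZZ makes StartTLS mandatory (fail rather than fall back to cleartext),
#    -d 1 prints the libldap trace including the TLS negotiation,
#    "(mail=user)" is the filter mod_authnz_ldap builds from the ?mail attribute.
#    The function only prints the command line (so it can be checked offline);
#    pipe it into sh to run it for real.
ldap_probe_cmd() {
    user="$1"   # the login name the user typed, e.g. first.last@server.com
    printf 'ldapsearch -x -ZZ -d 1 -H ldap://%s -D "%s" -W -b "%s" "(mail=%s)" mail\n' \
        "$LDAP_HOST" "$BIND_DN" "$LDAP_BASE" "$user"
}

# 2. openssl s_client performs the LDAP StartTLS extended operation itself
#    (assumes OpenSSL 1.1.1+), so a failure here isolates the TLS layer from
#    the bind and from Apache entirely.
starttls_probe_cmd() {
    printf 'openssl s_client -connect %s:389 -starttls ldap -showcerts </dev/null\n' "$LDAP_HOST"
}

# 3. Triage captured output from either probe (stdin) into one verdict word.
#    Trust problems are checked first because a failed verification also
#    surfaces as a generic "Connect error" further down the transcript.
classify_probe_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'certificate verify failed|peer cert untrusted|unable to get local issuer|hostname does not match'; then
        echo tls-trust
    elif printf '%s\n' "$out" | grep -qiE 'ldap_start_tls.*Connect error|handshake failure|wrong version number|TLS: can.t connect'; then
        echo starttls-failed
    elif printf '%s\n' "$out" | grep -qiE 'Invalid credentials|ldap_bind: '; then
        echo bind-failed
    elif printf '%s\n' "$out" | grep -qiE 'numEntries: [0-9]+|Verify return code: 0 \(ok\)'; then
        echo ok
    else
        echo unknown
    fi
}

# 4. Count StartTLS failures per minute from Apache error_log lines (stdin),
#    in the "[Mon Mar 20 08:38:37 2017] [info] ..." format from the question.
#    A leading "NNN-" / "NNN:" grep prefix is tolerated. Output: "<count> <yyyy> <Mon> <dd> <HH:MM>",
#    ordered lexically, which is chronological within one month; this is
#    enough to see whether failures cluster just before each restart.
count_tls_failures() {
    grep 'ldap_start_tls_s() failed' \
    | sed -E -e 's/^[0-9]+[-:]//' \
             -e 's/^\[[[:alpha:]]+ ([[:alpha:]]+ +[0-9]+ [0-9]{2}:[0-9]{2}):[0-9]{2} ([0-9]{4})\].*/\2 \1/' \
    | awk '{c[$0]++} END {for (k in c) print c[k], k}' \
    | sort -k2
}

# Stand-alone demo: print both probe commands, triage a constructed ldapsearch
# failure transcript, and count failures in a constructed error-log excerpt.
ldap_probe_cmd first.last@server.com
starttls_probe_cmd
printf 'ldap_start_tls: Connect error (-11)\n\tadditional info: (constructed sample)\n' | classify_probe_output
printf '%s\n' \
  '[Mon Mar 20 08:38:37 2017] [info] [client 10.0.0.1] [27056] auth_ldap authenticate: user a@b authentication failed; URI /x [LDAP: ldap_start_tls_s() failed][Connect error]' \
  '[Mon Mar 20 08:38:59 2017] [info] [client 10.0.0.1] [27056] auth_ldap authenticate: user a@b authentication failed; URI /x [LDAP: ldap_start_tls_s() failed][Connect error]' \
  '[Mon Mar 20 09:05:10 2017] [info] [client 10.0.0.1] [27056] auth_ldap authenticate: user a@b authentication failed; URI /x [LDAP: ldap_start_tls_s() failed][Connect error]' \
  | count_tls_failures
```

Run the printed ldapsearch line at the moment Apache starts failing (as the answer says, any bind identity will do if everyone is locked out); if it also reports `ldap_start_tls: Connect error`, the problem is between this box and the new DC rather than in Apache, and the openssl transcript shows whether the TLS handshake itself or the LDAP StartTLS exchange is what breaks. Note that `TLS_REQCERT never` in the question's ldap.conf means a trust verdict from the classifier would not explain Apache's failure, since certificate verification is already disabled there; a `starttls-failed` verdict is the one to chase.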