I've got Apache 2.2.15 running under CentOS 6.5. The module mod_authnz_ldap
is being used to authenticate against a Microsoft AD server. Here's the LDAP config in Apache:
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://[ad server ip address]/[basedn]?mail
AuthLDAPBindDN [binddn]
AuthLDAPBindPassword [bindpass]
AuthName "LDAP: myhost.example.com"
Require ldap-group cn=[foo],ou=Permissions,ou=Groups,ou=[bar],dc=[baz],dc=com
Most of the time, browser requests to this Apache host work just fine; it authenticates correctly against the AD server and the page loads normally.
Once every few minutes on average, however, the request will appear to hang from the browser side. tcpdump reveals that Apache is sending a TCP RST packet, apparently in response to a PSH ACK packet from the AD host. The exchange looks like this:
53 600.408744 Apache AD TCP 74 42804 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2665219285 TSecr=0 WS=128
55 600.469478 AD Apache TCP 66 ldap > 42804 [PSH, ACK] Seq=1 Ack=3457841362 Win=65093 Len=0 TSval=4832637 TSecr=2664621718
56 600.469524 Apache AD TCP 54 42804 > ldap [RST] Seq=3457841362 Win=0 Len=0
65 601.409434 Apache AD TCP 74 [TCP Retransmission] 42804 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2665220285 TSecr=0 WS=128
67 601.470951 AD Apache TCP 78 [TCP Previous segment not captured] ldap > 42804 [SYN, ACK] Seq=252322338 Ack=1 Win=16384 Len=0 MSS=1380 WS=1 TSval=0 TSecr=0 SACK_PERM=1
No other packets are sent after this point on this connection, and so the thread appears to be hanging. strace provides no illumination; it just shows a write() call being made with the LDAP bind request.
I also had a longer-running tcpdump session catch one of the Apache processes trying to send an LDAP request from a TCP port that was not part of any open connection. It looked like it was from an earlier connection (similar to the kind shown in the dump above), and somehow the Apache process thought that connection was still open.
I thought maybe one of the LDAP caches was being problematic, so I disabled them as follows:
LDAPSharedCacheSize 0
LDAPCacheEntries 0
LDAPOpCacheEntries 0
but this made no difference; the problem still occurs.
The only way to fix it currently is to restart Apache every few minutes. With the load the server receives, the problem starts occurring within a couple of minutes of restart.
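As an added example (not part of the original post, and not Apache or mod_authnz_ldap code), the following Python script reads Wireshark-style summary lines like the five quoted above and labels each segment against the handshake the client is trying to complete. It assumes the host labels "Apache" and "AD" exactly as they appear in the quoted trace, takes Seq/Ack values as displayed, and uses the five quoted lines as its constructed sample input.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the five Wireshark-style summary lines quoted in the
# post, unchanged. Host labels "Apache" and "AD" are the post's own; sequence and
# timestamp values are used exactly as displayed.
TRACE = """\
53 600.408744 Apache AD TCP 74 42804 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2665219285 TSecr=0 WS=128
55 600.469478 AD Apache TCP 66 ldap > 42804 [PSH, ACK] Seq=1 Ack=3457841362 Win=65093 Len=0 TSval=4832637 TSecr=2664621718
56 600.469524 Apache AD TCP 54 42804 > ldap [RST] Seq=3457841362 Win=0 Len=0
65 601.409434 Apache AD TCP 74 [TCP Retransmission] 42804 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2665220285 TSecr=0 WS=128
67 601.470951 AD Apache TCP 78 [TCP Previous segment not captured] ldap > 42804 [SYN, ACK] Seq=252322338 Ack=1 Win=16384 Len=0 MSS=1380 WS=1 TSval=0 TSecr=0 SACK_PERM=1
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?"                       # optional expert note such as [TCP Retransmission]
    r"(?P<sport>\S+) > (?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\](?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\d+)")


@dataclass
class Segment:
    frame: int
    time: float
    src: str
    dst: str
    flags: frozenset
    fields: dict      # Seq, Ack, TSval, TSecr, ... as ints


@dataclass
class Finding:
    frame: int
    kind: str
    detail: str


def parse_trace(text):
    """Parse summary lines into Segments; lines that are not TCP summaries are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        fields = {k: int(v) for k, v in KV_RE.findall(m["rest"])}
        segs.append(Segment(int(m["frame"]), float(m["time"]), m["src"], m["dst"], flags, fields))
    return segs


def analyze(segs, client="Apache", server="AD"):
    """Walk one client/server conversation and flag segments that do not belong
    to the handshake the client is trying to complete."""
    findings = []
    pending_syn = None   # latest client SYN still waiting for its SYN/ACK
    stale = None         # latest server segment that did not fit that SYN
    for s in segs:
        if s.src == client and s.flags == {"SYN"}:
            pending_syn = s
        elif s.src == server and pending_syn is not None:
            expected_ack = pending_syn.fields["Seq"] + 1
            if s.flags == {"SYN", "ACK"} and s.fields.get("Ack") == expected_ack:
                findings.append(Finding(s.frame, "synack_ok",
                    f"acknowledges the SYN in frame {pending_syn.frame}; client ACK expected next"))
                pending_syn, stale = None, None
            elif "ACK" in s.flags and s.fields.get("Ack") != expected_ack:
                # The peer acknowledges a sequence number this SYN never used and
                # echoes a timestamp older than the SYN's: it is still talking to
                # an earlier connection on the same 4-tuple (client port reused).
                ts_age = pending_syn.fields.get("TSval", 0) - s.fields.get("TSecr", 0)
                findings.append(Finding(s.frame, "stale_segment",
                    f"Ack={s.fields.get('Ack')} but the SYN expects Ack={expected_ack}; "
                    f"echoed TSecr is {ts_age} ticks older than the SYN's TSval"))
                stale = s
        elif s.src == client and s.flags == {"RST"}:
            if stale is not None and s.fields.get("Seq") == stale.fields.get("Ack"):
                findings.append(Finding(s.frame, "rst_for_stale",
                    f"client resets the stale segment from frame {stale.frame} (correct behaviour)"))
            else:
                findings.append(Finding(s.frame, "rst", "reset not matched to a stale segment"))
    # The capture ends on a valid SYN/ACK with no client ACK or data after it:
    # the connection attempt never progressed, which is the observed hang.
    if segs and findings and findings[-1].kind == "synack_ok" and segs[-1].frame == findings[-1].frame:
        findings.append(Finding(segs[-1].frame, "handshake_never_completed",
            "no client ACK or LDAP data follows the SYN/ACK in the capture"))
    return findings


def report(text=TRACE):
    return analyze(parse_trace(text))


if __name__ == "__main__":
    for f in report():
        print(f"frame {f.frame}: {f.kind}: {f.detail}")
```

Run against the quoted lines, the script labels frame 55 as a stale segment (it acknowledges a number the fresh SYN never used and echoes a TSecr roughly 600000 ticks older than the SYN's TSval, so it belongs to an earlier connection on the same source port), frame 56 as the RST a host is required to send for a segment it has no connection for, and frame 67 as a valid SYN/ACK that is never followed by a client ACK. The same parser can be pointed at a longer `tshark`-style export to find every source port that collides with a previous connection.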