Opened 7 years ago

Closed 6 years ago

#13095 closed defect (fixed)

DirectoryAuth - broken ldap connections

Reported by: Martin Kofahl
Owned by: bebbo
Priority: normal
Component: DirectoryAuthPlugin
Severity: major
Keywords: patch
Cc: Alexey
Trac Release: 1.0


In particular cases (currently unknown -- firewall setup, broken server software, maybe even libldap), an existing ldap connection, or rather the connection object, becomes invalid.

After successful authentication, permissions are revoked after some time (depending on cache_timeout):

Dispatching <RequestWithSession "GET '/admin'">
Retrieving session for ID u'username'
Checking permission called with: action(TRAC_ADMIN), username(username), resource(<Resource u'admin:general/basics'>), perm(<trac.perm.PermissionCache object at 0x7fbaf32e4a50>)
_dir_search: searching ou=users,dc=example,dc=com for (&(uid=username)(objectClass=person))(6e115com0601a78ac47ca2600bf695142)
_bind_dir: attempting general bind to ldaps:// as cn=Trac Authentication,cn=Technical DNs,cn=config
_bind_dir: Bound to ldaps:// correctly.
_dir_search: starting LDAP search of ldaps:// ou=users,dc=example,dc=com using (&(uid=username)(objectClass=person)) for ['uid']
_ldap_search: ldap query with page size 1000
_ldap_search: serverControls: []
_ldap_search: result = []
_dir_search: dir miss.

With a trace_file added, libldap only reports SERVER_DOWN.

Although the DirectoryAuthPlugin makes use of the ReconnectLDAPObject, bind_s is the only call that benefits from it. All other methods are called asynchronously and do not handle SERVER_DOWN exceptions.

Attachments (1)

directoryauthplugin_reconnect.patch (1.0 KB) - added by Martin Kofahl 7 years ago.
configuration dir_reconnect = False|True


Change History (6)

Changed 7 years ago by Martin Kofahl

configuration dir_reconnect = False|True

comment:1 Changed 7 years ago by Martin Kofahl

As a workaround, the new setting dir_reconnect can be set to True, making Trac always reconnect to the ldap server.

comment:2 Changed 7 years ago by Alexey

Cc: Alexey added

comment:3 Changed 7 years ago by figaro

Keywords: patch added

comment:4 Changed 6 years ago by bebbo

In 17284:

refs #13095: added an additional connect attempt in case the connection is broken.

ReconnectLDAPObject seems not to hold what I expect.

Now, if _ldap_search throws an exception, _bind_dir is used to obtain a new connection and _ldap_search is tried again.
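The rebind-and-retry behaviour described in comment:4, as an added example written for this page and not the plugin's own code. It assumes python-ldap's ldap.SERVER_DOWN exception and search_s signature; FlakyConnection, bind_dir and demo are constructed stand-ins for the real connection and _bind_dir.

```python
# Added example, not the plugin's own code: a bounded rebind-and-retry
# wrapper around an LDAP search, modelled on the fix comment:4 describes.
# Uses python-ldap's ldap.SERVER_DOWN when the module is installed; a
# stand-in exception is defined otherwise so the example runs offline.
try:
    import ldap
    ServerDown = ldap.SERVER_DOWN
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:
    class ServerDown(Exception):
        """Stand-in for ldap.SERVER_DOWN when python-ldap is absent."""
    SCOPE_SUBTREE = 2  # numeric value of ldap.SCOPE_SUBTREE

def search_with_rebind(conn, bind_dir, base, filt, attrs, retries=1):
    """Run conn.search_s(); on SERVER_DOWN get a fresh bound connection from
    bind_dir() and retry, at most `retries` times. Once retries are used up
    the exception propagates, so a dead directory surfaces as an error and
    not as an empty result that silently drops the user's permissions."""
    attempt = 0
    while True:
        try:
            return conn, conn.search_s(base, SCOPE_SUBTREE, filt, attrs)
        except ServerDown:
            if attempt >= retries:
                raise
            attempt += 1
            conn = bind_dir()  # re-bind, as _bind_dir does in the fix

class FlakyConnection:
    """Constructed stale connection: first search raises SERVER_DOWN."""
    def __init__(self, fail_first):
        self.failures_left = 1 if fail_first else 0
    def search_s(self, base, scope, filterstr, attrlist):
        if self.failures_left:
            self.failures_left -= 1
            raise ServerDown("Can't contact LDAP server")
        # Constructed result in python-ldap's [(dn, {attr: [values]})] shape.
        return [("uid=username," + base, {"uid": [b"username"]})]

def demo():
    """Stale connection, one rebind, then the search succeeds on retry."""
    rebinds = []
    def bind_dir():
        rebinds.append(1)
        return FlakyConnection(fail_first=False)
    conn, result = search_with_rebind(
        FlakyConnection(fail_first=True), bind_dir,
        "ou=users,dc=example,dc=com",  # base DN from the ticket's log
        "(&(uid=username)(objectClass=person))", ["uid"])
    return result, len(rebinds)
```

With retries=0 the wrapper degrades to the pre-fix behaviour and the caller sees SERVER_DOWN directly.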

comment:5 Changed 6 years ago by bebbo

Resolution: fixed
Status: new → closed
