kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

ldap_search_ext timeout and then fail #107

Open sunshineo opened 8 years ago

sunshineo commented 8 years ago

Here is my configuration:

ldap_server ldapserver {
    url ldap://ldap:3268/DC=zulily,DC=corp,DC=com?sAMAccountName?sub?(objectClass=person);
    binddn "CN=ldapeng,CN=Users,DC=corp,DC=zulily,DC=com";
    binddn_passwd password;
    ##group_attribute member;
    ##group_attribute_is_dn on;
    ##require group 'CN=Zulily_IT,OU=Departments,DC=corp,DC=zulily,DC=com';
    require valid_user;
    satisfy all;
}

Here is the NGINX debug log:

2015/11/21 09:30:25 [debug] 7#0: *3 http keepalive handler
2015/11/21 09:30:25 [debug] 7#0: *3 malloc: 0000000002206F00:1024
2015/11/21 09:30:25 [debug] 7#0: *3 SSL_read: 491
2015/11/21 09:30:25 [debug] 7#0: *3 SSL_read: -1
2015/11/21 09:30:25 [debug] 7#0: *3 SSL_get_error: 2
2015/11/21 09:30:25 [debug] 7#0: *3 reusable connection: 0
2015/11/21 09:30:25 [debug] 7#0: *3 posix_memalign: 00000000021FBFC0:4096 @16
2015/11/21 09:30:25 [debug] 7#0: *3 event timer del: 3: 1448098280275
2015/11/21 09:30:25 [debug] 7#0: *3 http process request line
2015/11/21 09:30:25 [debug] 7#0: *3 http request line: "GET /v2/_catalog HTTP/1.1"
2015/11/21 09:30:25 [debug] 7#0: *3 http uri: "/v2/_catalog"
2015/11/21 09:30:25 [debug] 7#0: *3 http args: ""
2015/11/21 09:30:25 [debug] 7#0: *3 http exten: ""
2015/11/21 09:30:25 [debug] 7#0: *3 http process request header line
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Host: 192.168.99.100"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Connection: keep-alive"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Cache-Control: max-age=0"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Authorization: Basic c3N1bjptYWtlLT5jaDBpY2U="
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Upgrade-Insecure-Requests: 1"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Accept-Encoding: gzip, deflate, sdch"
2015/11/21 09:30:25 [debug] 7#0: *3 http header: "Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh-TW;q=0.4"
2015/11/21 09:30:25 [debug] 7#0: *3 http header done
2015/11/21 09:30:25 [debug] 7#0: *3 rewrite phase: 0
2015/11/21 09:30:25 [debug] 7#0: *3 test location: "/v2/"
2015/11/21 09:30:25 [debug] 7#0: *3 test location: "_catalog"
2015/11/21 09:30:25 [debug] 7#0: *3 test location: ~ "/v2/(?<namespace>([^/]*))/"
2015/11/21 09:30:25 [debug] 7#0: *3 using configuration "/v2/_catalog"
2015/11/21 09:30:25 [debug] 7#0: *3 http cl:-1 max:0
2015/11/21 09:30:25 [debug] 7#0: *3 rewrite phase: 2
2015/11/21 09:30:25 [debug] 7#0: *3 post rewrite phase: 3
2015/11/21 09:30:25 [debug] 7#0: *3 generic phase: 4
2015/11/21 09:30:25 [debug] 7#0: *3 generic phase: 5
2015/11/21 09:30:25 [debug] 7#0: *3 access phase: 6
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Username is "ssun"
2015/11/21 09:30:25 [debug] 7#0: *3 posix_memalign: 00000000022B20F0:4096 @16
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Authentication loop (phase=0, iteration=0)
2015/11/21 09:30:25 [debug] 7#0: *3 event timer add: 3: 10000:1448098235010
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: request_timeout=10000
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Authentication loop (phase=1, iteration=0)
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Wants a free connection to "ldapserver"
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Search filter is "(&(objectClass=person)(sAMAccountName=ssun))"
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: ldap_search_ext() -> msgid=2

// Stuck here for a long time actually

2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Waking authentication request "GET /v2/_catalog HTTP/1.1"
2015/11/21 09:30:25 [debug] 7#0: *3 access phase: 6
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Authentication loop (phase=1, iteration=1)
2015/11/21 09:30:25 [error] 7#0: *3 http_auth_ldap: ldap_search_ext() request failed (10: Referral), client: 192.168.99.1, server: localhost, request: "GET /v2/_catalog HTTP/1.1", host: "192.168.99.100"
2015/11/21 09:30:25 [debug] 7#0: *3 http_auth_ldap: Authentication loop (phase=6, iteration=1)
2015/11/21 09:30:25 [debug] 7#0: *3 event timer del: 3: 1448098235010
2015/11/21 09:30:25 [debug] 7#0: *3 http finalize request: 401, "/v2/_catalog?" a:1, c:1
2015/11/21 09:30:25 [debug] 7#0: *3 http special response: 401, "/v2/_catalog?"
2015/11/21 09:30:25 [debug] 7#0: *3 http set discard body
2015/11/21 09:30:25 [debug] 7#0: *3 http map started
2015/11/21 09:30:25 [debug] 7#0: *3 http map: "" "registry/2.0"
2015/11/21 09:30:25 [debug] 7#0: *3 http script var: "registry/2.0"
2015/11/21 09:30:25 [debug] 7#0: *3 HTTP/1.1 401 Unauthorized

The LDAP search works fine. I spent 10+ hours and still have no clue. Please help!

sunshineo commented 8 years ago

I got the url wrong!

url ldap://ldap:3268/DC=zulily,DC=corp,DC=com?sAMAccountName?sub?(objectClass=person);

should be

url ldap://ldap:3268/DC=corp,DC=zulily,DC=com?sAMAccountName?sub?(objectClass=person);

I am guessing that the url path after the server port is supposed to be the "baseDN". I hope someone mentions this in the documentation.
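Added example, not part of the thread or of the nginx-auth-ldap module: a small parser for the `url` directive's LDAP URL (RFC 4516 layout `scheme://host:port/baseDN?attribute?scope?filter`), a check that the base DN's `DC=` components spell the directory's DNS domain in the right order (the mismatch that produced the "10: Referral" above), and the search filter the debug log shows being built from the URL filter, the attribute and the username. The domain name `corp.zulily.com` and the RFC 4515 value escaping are my assumptions, not something the thread shows.

```python
import re
from urllib.parse import unquote

# Parse an RFC 4516 LDAP URL as used by the nginx-auth-ldap "url" directive:
# scheme://host[:port]/baseDN[?attribute[?scope[?filter]]]  (constructed, not module code)
def parse_ldap_url(url):
    m = re.match(r'^(ldaps?)://([^/:]+)(?::(\d+))?/(.*)$', url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, port, rest = m.groups()
    parts = rest.split('?')
    base_dn = unquote(parts[0])
    attr = parts[1] if len(parts) > 1 and parts[1] else None
    scope = parts[2] if len(parts) > 2 and parts[2] else 'base'
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else '(objectClass=*)'
    port = int(port) if port else (636 if scheme == 'ldaps' else 389)
    return {'scheme': scheme, 'host': host, 'port': port, 'base_dn': base_dn,
            'attribute': attr, 'scope': scope, 'filter': filt}

# Active Directory naming: each DNS label, in order, becomes one DC= component
# (corp.zulily.com -> DC=corp,DC=zulily,DC=com). Assumed domain, see lead-in.
def domain_to_base_dn(fqdn):
    return ','.join('DC=' + label for label in fqdn.lower().split('.'))

def base_dn_matches_domain(base_dn, fqdn):
    """True if the DC= components of base_dn, in order, spell fqdn.
    A base DN the server does not hold (e.g. labels swapped) is not a
    search error but a referral, which is what the log above reports."""
    dcs = [c.split('=', 1)[1].strip().lower() for c in base_dn.split(',')
           if c.strip().upper().startswith('DC=')]
    return dcs == fqdn.lower().split('.')

# RFC 4515 escaping for a value embedded in a filter (defensive addition of
# this example; the thread does not show how the module handles this).
def escape_filter_value(value):
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def build_search_filter(url_filter, attribute, username):
    """AND the URL filter with the login attribute, giving the form seen in the
    debug log: (&(objectClass=person)(sAMAccountName=ssun))"""
    return '(&%s(%s=%s))' % (url_filter, attribute, escape_filter_value(username))

if __name__ == '__main__':
    for u in ('ldap://ldap:3268/DC=zulily,DC=corp,DC=com?sAMAccountName?sub?(objectClass=person)',
              'ldap://ldap:3268/DC=corp,DC=zulily,DC=com?sAMAccountName?sub?(objectClass=person)'):
        p = parse_ldap_url(u)
        print(p['base_dn'], 'matches corp.zulily.com:',
              base_dn_matches_domain(p['base_dn'], 'corp.zulily.com'))
        print(build_search_filter(p['filter'], p['attribute'], 'ssun'))
```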