kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

"http_auth_ldap: Authentication timed out" #111

Open jay7x opened 8 years ago

jay7x commented 8 years ago

Hello!

It looks like the nginx_auth_ldap module sometimes fails to detect an LDAP server connection failure.

nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --add-module=nginx-auth-ldap-be8ff8eecb2578304d72e1f4947466ac9ba50295 --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_geoip_module --with-http_sub_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=-Wl,-E

Module configuration:

  ldap_server ldap01 {
    url ldaps://ldap01.example.com/ou=user,dc=example,dc=com?uid?sub?(objectClass=posixAccount);
    binddn "cn=nginx,ou=system,dc=example,dc=com";
    binddn_passwd "secret";
    #group_attribute gidNumber;
    #group_attribute_is_dn on;
    require valid_user;
  }

  auth_ldap_cache_enabled on;
  auth_ldap_cache_expiration_time 10000;
  auth_ldap_cache_size 1000;

Access configuration:

location /secured {
    auth_ldap "Forbidden";
    auth_ldap_servers ldap01;
    return 204;

    location /secured/_.gif {
            empty_gif;
    }
}

How it looks from client side:

$ curl -vvv http://test.98:IyRO8Vwmjm9mBkx@10.176.3.81/secured/_.gif
* Hostname was NOT found in DNS cache
*   Trying 10.176.3.81...
* Connected to 10.176.3.81 (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'test.98'
> GET /secured/_.gif HTTP/1.1
> Authorization: Basic dGVzdC45ODpJeVJPOFZ3bWptOW1Ca3g=
> User-Agent: curl/7.37.1
> Host: 10.176.3.81
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 10.176.3.81 left intact
curl: (52) Empty reply from server

How it looks in debug log: log_err.txt

How it looks after nginx restart: log_ok.txt

mkmoisen commented 8 years ago

I'm having the same timeout issue. Did you find a solution?

jay7x commented 8 years ago

Actually not :(

mkmoisen commented 8 years ago

I somehow fixed it and got it working, after undergoing rigorous trial and error. Of course, by the time it started working, I did not remember my original configuration.

Have you tried using non-ssl?

friparia commented 8 years ago

I met this problem too...

bibby commented 8 years ago

My setup works correctly on first start up, but if I come back an hour later, nginx is completely hung up.

ordinarygulp commented 5 years ago

For me, I had to change things around a bit:

I run FreeIPA, and the key to finding this info for me was running ldapsearch -x uid=admin on the FreeIPA/LDAP server.

mingting commented 5 years ago

Hello, I meet the same issue with nginx 1.13.6: http_auth_ldap: Authentication timed out

The first time after setup, nginx and LDAP work well, but after several hours the error log shows an LDAP error.

The browser can pop up the login window, but no content shows in the browser.

Does anyone have a solution?

Thanks.

dolgovas commented 3 years ago

I have the same trouble with the timeout. After start, nginx and LDAP work well, but some time later the error log shows an LDAP error.

yeangigi commented 1 year ago

@wu-chapb says that you may change the port from 389 to 3268 in issues/113. I can't work around it with that because my LDAP server is not AD.
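Nobody in this thread has a confirmed fix, but the symptom is consistent: auth works after a restart, then "http_auth_ldap: Authentication timed out" starts appearing hours later and a restart clears it. The script below is an added example, not code from nginx-auth-ldap or from anyone in this thread. It parses nginx error-log lines, counts LDAP auth timeouts per worker process, and flags a worker that logs a burst of them inside a short window, which is the point at which an operator would want an alert (or an automated reload) rather than waiting for users to report empty replies. The log lines are constructed for the example; only the message text comes from the issue title, and the surrounding field layout is nginx's standard error-log format.

```python
"""Detect bursts of http_auth_ldap timeouts in an nginx error log (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# nginx error-log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message"
ERROR_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<msg>.*)$"
)
# Message text as reported in the issue title.
TIMEOUT_MSG = "http_auth_ldap: Authentication timed out"
CLIENT_FIELD = re.compile(r"client: (?P<client>[0-9A-Fa-f.:]+)")

# Constructed sample log, not captured from any real server.
SAMPLE_LOG = """\
2016/05/12 09:00:01 [notice] 1000#0: using the "epoll" event method
2016/05/12 13:02:10 [error] 1001#0: *57 http_auth_ldap: Authentication timed out, client: 10.0.0.5, server: , request: "GET /secured/_.gif HTTP/1.1", host: "10.176.3.81"
2016/05/12 13:02:12 [error] 1001#0: *58 http_auth_ldap: Authentication timed out, client: 10.0.0.6, server: , request: "GET /secured/_.gif HTTP/1.1", host: "10.176.3.81"
2016/05/12 13:02:15 [error] 1002#0: *59 http_auth_ldap: Authentication timed out, client: 10.0.0.7, server: , request: "GET /secured/ HTTP/1.1", host: "10.176.3.81"
2016/05/12 13:03:40 [error] 1001#0: *61 http_auth_ldap: Authentication timed out, client: 10.0.0.5, server: , request: "GET /secured/_.gif HTTP/1.1", host: "10.176.3.81"
2016/05/12 13:04:00 [error] 1003#0: *62 open() "/usr/share/nginx/html/x" failed (2: No such file or directory), client: 10.0.0.9
"""


def parse_error_line(line):
    """Split one error-log line into its fields, or return None if it does not match."""
    m = ERROR_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def ldap_timeouts(lines):
    """Yield (timestamp, worker pid, client ip) for every LDAP auth timeout."""
    for line in lines:
        rec = parse_error_line(line)
        if rec and rec["level"] == "error" and TIMEOUT_MSG in rec["msg"]:
            c = CLIENT_FIELD.search(rec["msg"])
            yield rec["ts"], rec["pid"], c.group("client") if c else None


def timeouts_per_worker(lines):
    """Count timeouts by nginx worker pid; one bad worker pointing at a stale LDAP connection shows up here."""
    return Counter(pid for _, pid, _ in ldap_timeouts(lines))


def stuck_workers(lines, threshold=3, window=timedelta(minutes=5)):
    """Return pids of workers that logged `threshold` timeouts within any `window`-long span."""
    by_pid = defaultdict(list)
    for ts, pid, _ in ldap_timeouts(lines):
        by_pid[pid].append(ts)
    hits = []
    for pid, stamps in by_pid.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append(pid)
                break
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("timeouts per worker:", dict(timeouts_per_worker(lines)))
    print("workers to investigate or reload:", stuck_workers(lines))
```

Point it at /var/log/nginx/error.log (the path from the configure line above) from a cron job or a log shipper, and treat a non-empty `stuck_workers()` result as the trigger for an alert. The per-worker grouping matters because nginx workers each keep their own LDAP connection state, so a single worker going stale produces exactly the intermittent behaviour described in the thread.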