search

kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License
731 stars 251 forks source link

nginx process hungs while stopping when the bind account is locked #119

Open canburak opened 8 years ago

canburak commented 8 years ago

The error:

http_auth_ldap: Initial bind failed (49: Invalid credentials [80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 532, v2580])

Stacktrace:

#0  0x00007f9f6f3d4d5c in __lll_lock_wait () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x00007f9f6f3d03a9 in _L_lock_926 () from /lib/x86_64-linux-gnu/libpthread.so.0
#2  0x00007f9f6f3d01cb in pthread_mutex_lock () from /lib/x86_64-linux-gnu/libpthread.so.0
#3  0x00007f9f6ef5c288 in ldap_ld_free () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#4  0x000000000047c62b in ngx_http_auth_ldap_close_connection (c=c@entry=0x2c94540)
    at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:996
#5  0x000000000047cff9 in ngx_http_auth_ldap_sb_close (sbiod=<optimized out>)
    at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:915
#6  0x00007f9f6ed3a622 in ber_int_sb_close () from /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2
#7  0x00007f9f6ef64f0a in ldap_free_connection () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#8  0x00007f9f6ef5c36f in ldap_ld_free () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#9  0x000000000047c62b in ngx_http_auth_ldap_close_connection (c=c@entry=0x2c94540)
    at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:996
#10 0x000000000047cd40 in ngx_http_auth_ldap_connection_established (c=c@entry=0x2c94540)
    at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:1202
#11 0x000000000047cfab in ngx_http_auth_ldap_connect_handler (wev=<optimized out>)
    at /usr/src/nginx-auth-ldap/ngx_http_auth_ldap_module.c:1287
#12 0x0000000000427227 in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>)
    at src/event/modules/ngx_epoll_module.c:848
#13 0x000000000041f447 in ngx_process_events_and_timers (cycle=cycle@entry=0x23668b0) at src/event/ngx_event.c:248
#14 0x00000000004252d5 in ngx_worker_process_cycle (cycle=cycle@entry=0x23668b0, data=data@entry=0x3)
    at src/os/unix/ngx_process_cycle.c:767
#15 0x0000000000423a9f in ngx_spawn_process (cycle=cycle@entry=0x23668b0, proc=proc@entry=0x425204 <ngx_worker_process_cycle>,
    data=data@entry=0x3, name=name@entry=0x4813a9 "worker process", respawn=respawn@entry=-4) at src/os/unix/ngx_process.c:198
#16 0x000000000042478d in ngx_start_worker_processes (cycle=cycle@entry=0x23668b0, n=4, type=type@entry=-4)
    at src/os/unix/ngx_process_cycle.c:357
#17 0x0000000000426006 in ngx_master_process_cycle (cycle=0x23668b0, cycle@entry=0x185f120) at src/os/unix/ngx_process_cycle.c:242
#18 0x0000000000408a32 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:419
ldap_server x {
  url "ldap://x:389/DC=x?sAMAccountName?sub?(objectClass=person)";
  binddn "x@x";
  binddn_passwd "x";
  group_attribute member;
  group_attribute_is_dn on;
  satisfy any;
  require group "CN=x,DC=x";
  require valid_user;
}

Nginx was able to shutdown properly after unlocking the account:

 # /etc/init.d/nginx start
2016/02/01 08:57:30 [emerg] 21489#0: http_auth_ldap: parse_require in x
2016/02/01 08:57:30 [emerg] 21489#0: http_auth_ldap: Setting group in x
2016/02/01 08:57:30 [emerg] 21489#0: http_auth_ldap: parse_require in x

# /etc/init.d/nginx stop
2016/02/01 08:57:35 [alert] 21491#0: *1 open socket #17 left in connection 2
2016/02/01 08:57:35 [alert] 21492#0: *2 open socket #19 left in connection 2
2016/02/01 08:57:35 [alert] 21492#0: aborting
2016/02/01 08:57:35 [alert] 21491#0: aborting
2016/02/01 08:57:35 [alert] 21495#0: *4 open socket #23 left in connection 2
2016/02/01 08:57:35 [alert] 21495#0: aborting
2016/02/01 08:57:36 [alert] 21493#0: *3 open socket #21 left in connection 2
2016/02/01 08:57:36 [alert] 21493#0: aborting
Frodox commented 4 years ago

+1