kvspb / nginx-auth-ldap

LDAP authentication module for nginx
BSD 2-Clause "Simplified" License

http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server) #136

Open churchmf opened 8 years ago

churchmf commented 8 years ago

Hello,

I'm running nginx as a media server with ldap restricting access. Here's my nginx configuration (anonymized):

```nginx
...
auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 28800000;
auth_ldap_cache_size 10000;
...
ldap_server my_ldap {
    url ldap://ldapserver.com:3268/?sAMAccountName?sub?(|(memberof:1.2.840.113556.1.4.1941:=CN=Mailing%20List,DC=com)(memberof=CN=Another%20Mailing%20List,DC=com));
    binddn "myusername";
    binddn_passwd "mypassword";
    require valid_user;
}
...
location ~ /project/.+.(mp4|flv)$ {
    auth_ldap "Restricted To Project. Please login with your network credentials";
    auth_ldap_servers my_ldap;
    proxy_pass http://_common;
}
```

Periodically, my users are denied access (502) when trying to view a video. Checking the log reveals this error message occurring often:

```
2016/05/25 10:15:35 [error] 1558#0: recv() failed (104: Connection reset by peer)
2016/05/25 10:15:35 [error] 1558#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
```

It appears that nginx occasionally fails to connect with the LDAP server, causing authentication to fail and causing video to not be served up.

Assuming that the LDAP server does not have any issues that would cause connectivity problems, what might cause an occasional or periodic failure to connect with the server, resulting in access being denied?

Thank you, -Matt

```
nginx version: nginx/1.7.9
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-pah=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_mp4_module --with-http_flv_module --add-module=/home/derp/nginx-rtmp-module/ --add-module=/home/derp/ngx_devel_kit-0.2.19 --add-module=/home/derp/lua-nginx-module-0.9.13 --add-module=/home/derp/ngin-auth-ldap/ --with-debug --with-ipv6 --with-http_ssl_module
```
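Several people in this thread ask how often the failure actually happens and whether it always follows the `recv()` reset. The script below is an added example (not part of nginx-auth-ldap) that parses nginx error-log lines in the format quoted above, counts the `ldap_result()` failures per minute, and records how many of them were immediately preceded by a connection reset from the same worker process. The log lines in `SAMPLE_LOG` are constructed for the example; run it against a real `error.log` by passing the file's lines to `summarise()`.

```python
"""Summarise nginx-auth-ldap connectivity failures in an nginx error log.

Added example for this issue thread; not code from nginx-auth-ldap or nginx.
The sample log below is constructed to match the format quoted in the issue.
"""
import re
from collections import Counter

# nginx error_log line: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: (?P<msg>.*)$"
)

# The two messages that appear together in the issue report.
RESET_MSG = "recv() failed (104: Connection reset by peer)"
LDAP_MSG = "http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)"

# Constructed sample: two failures paired with a reset, three without.
SAMPLE_LOG = """\
2016/05/25 10:15:35 [error] 1558#0: recv() failed (104: Connection reset by peer)
2016/05/25 10:15:35 [error] 1558#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
2016/05/25 10:15:41 [info] 1558#0: client closed connection
2016/05/25 10:16:02 [error] 1558#0: recv() failed (104: Connection reset by peer)
2016/05/25 10:16:02 [error] 1558#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
2016/05/25 10:16:10 [error] 1558#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
2016/05/25 10:16:30 [error] 1558#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
2016/05/25 10:16:55 [error] 1558#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
"""


def parse_line(line):
    """Return the fields of one error-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Count LDAP failures, how many followed a reset, and the per-minute rate."""
    per_minute = Counter()
    last_reset = {}  # worker pid -> timestamp of its most recent recv() reset
    total = 0
    paired = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts = f"{rec['date']} {rec['time']}"
        if rec["msg"] == RESET_MSG:
            last_reset[rec["pid"]] = ts
        elif rec["msg"] == LDAP_MSG:
            total += 1
            per_minute[ts[:16]] += 1  # key is "YYYY/MM/DD HH:MM"
            # Same worker, same second as the reset: the failure is the
            # direct result of the LDAP connection being torn down.
            if last_reset.get(rec["pid"]) == ts:
                paired += 1
    return {"ldap_failures": total, "after_reset": paired, "per_minute": per_minute}


def noisy_minutes(per_minute, threshold=3):
    """Minutes in which the failure count reached the alert threshold."""
    return sorted(minute for minute, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    print(f"ldap_result() failures: {summary['ldap_failures']}")
    print(f"  preceded by recv() reset: {summary['after_reset']}")
    for minute, n in sorted(summary["per_minute"].items()):
        print(f"  {minute}: {n}")
    print("minutes over threshold:", noisy_minutes(summary["per_minute"]))
```

The split between failures that follow a reset and those that do not is the useful signal: a high `after_reset` share points at the LDAP connection being closed from the server side (or by something in between), while failures with no reset suggest the module is reusing a connection that is already dead. Feeding the per-minute counts into whatever monitoring is already in place gives an alert when the "3 or 4 a minute" pattern described later in this thread starts.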

mecorusfc commented 7 years ago

I get this "can't contact LDAP server" message quite a bit. This is in an environment with other non-NGINX apps being able to access LDAP for authorization with no problems at all with many more users and many more servers. In some cases, if a single user is hitting the site protected by the ldap module, I get three or four of these failures to connect. Unfortunately, the error message is of no help. Is there a way to get more out of the error message? I've tried debug and that just adds a lot more noise around the error but nothing else about the actual error.

churchmf commented 7 years ago

@mecorusfc I'm in the same boat. I still receive this error periodically with no idea as to what triggers it. A slight work around I've been using that has yielded marginal results is to reload the nginx configuration every so often.

churchmf commented 7 years ago

I still experience the problem after updating nginx.

```
nginx version: nginx/1.11.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_mp4_module --with-http_flv_module --add-module=/home/derp/nginx-rtmp-module-1.1.9 --add-module=/home/derp/ngx_devel_kit-0.3.0 --add-module=/home/derp/lua-nginx-module-0.10.6 --add-module=/home/derp/nginx-auth-ldap/ --with-http_ssl_module --with-pcre --with-http_realip_module --with-ipv6 --with-debug
```

schittli commented 7 years ago

We use nginx/1.11.2, too, and we also have really many error logs:

```
[error] 5906#0: recv() failed (104: Connection reset by peer)
[error] 5906#0: http_auth_ldap: ldap_result() failed (-1: Can't contact LDAP server)
```

Isn't there any way to enable verbose logging if this error happens?

Kind regards, Tom

cloudsurf-digital commented 7 years ago

Same here!

csghuser commented 7 years ago

Getting this as well. It seems to work ok for a while and then you start to see loads of these errors constantly ( 3 or 4 a minute).

dkiser commented 7 years ago

Any updates on this one?

mecorusfc commented 7 years ago

My system is working by going to the global catalog port. However, it appears that there isn’t much in the way of retry logic in nginx-auth-ldap so you need AD to be very perfect in its responses.


dkiser commented 7 years ago

I took a stab at fixing this in https://github.com/kvspb/nginx-auth-ldap/pull/169. It seems to be working for my test cases when setting the new option to a value greater than zero.

Maybe some of you guys can build/test with this?