Ldap – Subversion: Apache mod_ldap – 30 seconds for first authentication

active-directory, ldap, subversion-edge, svn

I have a problem regarding my Subversion server installation with Apache (mod_ldap and mod_authnz_ldap) and my LDAP connection to a Microsoft Active Directory.
I am using a CentOS5 64-bit system with CollabNet Subversion Edge.

The problem is the connection to my LDAP, because the first authentication takes exactly 30 seconds.

Here are the log file snippets.

First authentication with the user myLdapUser:

==> /opt/csvn/data/logs/error_2012_04_24.log <==
[Tue Apr 24 10:42:00 2012] [debug] mod_authnz_ldap.c(403): [client xx.xx.xx.xx] [3122] auth_ldap authenticate: using URL ldap://10.10.10.11/DC=mycompany,DC=com?sAMAccountName?sub

==> /opt/csvn/data/logs/access_2012_04_24.log <==
xx.xx.xx.xx - myLdapUser [24/Apr/2012:10:42:00 +0200] "GET /svn/ HTTP/1.1" 200 132

==> /opt/csvn/data/logs/error_2012_04_24.log <==
[Tue Apr 24 10:42:30 2012] [debug] mod_authnz_ldap.c(518): [client xx.xx.xx.xx] [3122] auth_ldap authenticate: accepting myLdapUser
[Tue Apr 24 10:42:30 2012] [info] [client xx.xx.xx.xx] Access granted: 'myLdapUser' GET (null)

As you can see there is a time gap of 30 seconds between using the LDAP URL and the accepted authentication.
If I reload the page after the first slow but successful authentication, everything is done in one second, see this log file snippet:

==> /opt/csvn/data/logs/access_2012_04_24.log <==
xx.xx.xx.xx - myLdapUser [24/Apr/2012:10:42:51 +0200] "GET /svn/ HTTP/1.1" 200 132

==> /opt/csvn/data/logs/error_2012_04_24.log <==
[Tue Apr 24 10:42:51 2012] [debug] mod_authnz_ldap.c(403): [client xx.xx.xx.xx] [3123] auth_ldap authenticate: using URL ldap://10.10.10.11/DC=mycompany,DC=com?sAMAccountName?sub
[Tue Apr 24 10:42:51 2012] [debug] mod_authnz_ldap.c(518): [client xx.xx.xx.xx] [3123] auth_ldap authenticate: accepting myLdapUser
[Tue Apr 24 10:42:51 2012] [info] [client xx.xx.xx.xx] Access granted: 'myLdapUser' GET (null)

A look at the LDAP server: first it binds successfully, then it very quickly does a search request and gets a search result entry with the full values of the user 'myLdapUser'. Then the user is not authenticated yet, and after 30 seconds it calls the Active Directory again with the user information from the search result entry, and after that the user is accepted.

Does anyone have an idea what's going wrong?

I also posted this question here, but it is not a Subversion problem, it is related to Apache and mod_ldap, so I think I won't get help there: http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=417998
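To measure the gap the question describes across a whole day's log rather than by eye, here is an added example (not from the question's author) that pairs each "using URL" line with the "accepting" line carrying the same bracketed request id and reports the bind-to-accept latency per request. The sample lines are constructed after the snippets above; the assumption is that the id in square brackets (e.g. [3122]) identifies one authentication attempt.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the error log snippets in the question.
SAMPLE_LOG = """\
[Tue Apr 24 10:42:00 2012] [debug] mod_authnz_ldap.c(403): [client xx.xx.xx.xx] [3122] auth_ldap authenticate: using URL ldap://10.10.10.11/DC=mycompany,DC=com?sAMAccountName?sub
[Tue Apr 24 10:42:30 2012] [debug] mod_authnz_ldap.c(518): [client xx.xx.xx.xx] [3122] auth_ldap authenticate: accepting myLdapUser
[Tue Apr 24 10:42:51 2012] [debug] mod_authnz_ldap.c(403): [client xx.xx.xx.xx] [3123] auth_ldap authenticate: using URL ldap://10.10.10.11/DC=mycompany,DC=com?sAMAccountName?sub
[Tue Apr 24 10:42:51 2012] [debug] mod_authnz_ldap.c(518): [client xx.xx.xx.xx] [3123] auth_ldap authenticate: accepting myLdapUser
"""

# Matches the two mod_authnz_ldap debug lines that bracket one authentication.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] mod_authnz_ldap\.c\(\d+\): "
    r"\[client (?P<client>[^\]]+)\] \[(?P<req>\d+)\] auth_ldap authenticate: "
    r"(?P<event>using URL|accepting) (?P<detail>.+)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # Apache error-log timestamp, e.g. Tue Apr 24 10:42:00 2012

def auth_latencies(log_text):
    """Return {request_id: (client, user, seconds)} for every completed authentication."""
    started = {}   # request id -> (start timestamp, client) while the auth is in flight
    results = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        req = m["req"]
        if m["event"] == "using URL":
            started[req] = (ts, m["client"])
        elif req in started:  # "accepting <user>" closes the attempt
            t0, client = started.pop(req)
            results[req] = (client, m["detail"], (ts - t0).total_seconds())
    return results

def slow_auths(log_text, threshold=5.0):
    """Request ids whose bind-to-accept gap exceeds the threshold, slowest first."""
    lat = auth_latencies(log_text)
    return sorted((r for r in lat if lat[r][2] > threshold), key=lambda r: -lat[r][2])

if __name__ == "__main__":
    for req, (client, user, secs) in auth_latencies(SAMPLE_LOG).items():
        print(f"request {req}: {user}@{client} authenticated in {secs:.0f}s")
```

Run it against the real error log (LogLevel debug) to see whether only the first authentication per worker is slow, which points at a one-off lookup such as DNS or connection setup, or whether every attempt pays the delay.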

Best Answer

For the sake of completeness you should post your actual mod_authz_ldap configuration directives, not just the log snippets. For me this sounds like a DNS problem somewhere between Apache and AD, but without more info I can't be sure.

You should try to do the authentication manually using, for example, ldapsearch on the CentOS machine and see if you can reproduce the problem there. Something like:

ldapsearch -xLLLZ -D sAMAccountName=myLdapUser,dc=mycompany,dc=com -W \
 -b dc=mycompany,dc=com -H ldap://10.10.10.11