From 20f279f0f950a13d5d7f3abfdf042b37ef47e87b Mon Sep 17 00:00:00 2001
From: Patrik Weiskircher
Date: Mon, 22 Dec 2014 12:52:28 -0500
Subject: [PATCH 1/3] Fix requests that were waiting on a LDAP connection
getting lost and timing out after 10 seconds.
---
ngx_http_auth_ldap_module.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index 40cca18..0dceb1e 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -1591,7 +1591,15 @@ ngx_http_auth_ldap_authenticate(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t
return NGX_ERROR;
}
- if (!ctx->replied && ctx->phase != PHASE_START) {
+ /*
+ * If we are not starting up a request (ctx->phase != PHASE_START) and we actually already
+ * sent a request (ctx->iteration > 0) and didn't receive a reply yet (!ctx->replied) we
+ * ask to be called again at a later time when we hopefully have received a reply.
+ *
+ * It is quite possible that we reach this if while not having sent a request yet (ctx->iteration == 0) -
+ * this happens when we are trying to get an LDAP connection but all of them are busy right now.
+ */
+ if (ctx->iteration > 0 && !ctx->replied && ctx->phase != PHASE_START) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_auth_ldap: The LDAP operation did not finish yet");
return NGX_AGAIN;
}
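Review bot: The new guard silently changes what happens when `ctx->iteration == 0` and `ctx->phase != PHASE_START`: instead of returning NGX_AGAIN the function now falls through, and the hunk does not show how the fall-through path bounds its retries when every pooled connection stays busy; ngx_http_auth_ldap_authenticate continues outside the hunk, so this presumably relies on the existing request timeout, which is worth stating. The eight-line comment restates the condition it guards; a shorter one would carry the same information: `/* Wait for a reply only if a request was actually sent (iteration > 0); with iteration == 0 we are still waiting for a free connection and must fall through to retry. */`. Using `iteration` as the "request in flight" indicator also couples this check to wherever `iteration` is incremented and reset, so a one-line note naming that invariant at the increment site would help the next reader.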
From a47106290371d7ec43e368ce6bf0bbe60cfcd0d2 Mon Sep 17 00:00:00 2001
From: Patrik Weiskircher
Date: Tue, 23 Dec 2014 10:45:04 -0500
Subject: [PATCH 2/3] remove quick and dirty hack to rebind to the search user.
it has been implemented correctly already.
---
ngx_http_auth_ldap_module.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index 0dceb1e..244e9d5 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -1967,16 +1967,6 @@ ngx_http_auth_ldap_check_bind(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *c
ctx->c->state = STATE_BINDING;
ctx->iteration++;
- // added by prune - 20140227
- // we have to rebind THIS SAME connection as admin user or the next search could be
- // made as non privileged user
- // see https://github.com/kvspb/nginx-auth-ldap/issues/36
- // this is quick and dirty patch
- int rebind_msgid;
- cred.bv_val = (char *) ctx->server->bind_dn_passwd.data;
- cred.bv_len = ctx->server->bind_dn_passwd.len;
- rc = ldap_sasl_bind(ctx->c->ld,(const char *) ctx->server->bind_dn.data, LDAP_SASL_SIMPLE, &cred, NULL, NULL, &rebind_msgid);
-
return NGX_AGAIN;
}
From 95d64f0797dc5fddf7488c8d9c8eaff4319ee90b Mon Sep 17 00:00:00 2001
From: Patrik Weiskircher
Date: Tue, 23 Dec 2014 10:46:20 -0500
Subject: [PATCH 3/3] don't return the connection after every LDAP reply. This
makes the connection more sticky to one request and prevents auth timeouts
and lost requests.
---
ngx_http_auth_ldap_module.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index 244e9d5..32a4fb3 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -1014,6 +1014,12 @@ ngx_http_auth_ldap_get_connection(ngx_http_auth_ldap_ctx_t *ctx)
ngx_queue_t *q;
ngx_http_auth_ldap_connection_t *c;
+ /*
+ * If we already have a connection, just say we got them one.
+ */
+ if (ctx->c != NULL)
+ return 1;
+
server = ctx->server;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "http_auth_ldap: Wants a free connection to \"%V\"",
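Review bot: The early return hands back `ctx->c` without checking the connection's state, so a connection that is still mid-operation or has since been torn down (cases that depend on code outside the hunk) would be reported as acquired just like an idle one; if the state machine allows that, the check should be `if (ctx->c != NULL && ctx->c->state == <the idle-state constant>)` rather than a bare NULL test. Together with the removal of `ngx_http_auth_ldap_return_connection(c)` in the ngx_http_auth_ldap_reply_connection hunk of this patch, a connection now stays bound to a request until something else releases it, so every finalization path (success, failure, client abort) must return it or the pool drains and later requests wait and time out again; a comment on the early return should record that ownership rule, e.g. `/* A connection already bound to this request is reused as-is; it stays bound until the request is finalized and returns it. */`. As a style point, the single-statement body should be braced, matching the braced `if` bodies elsewhere in this file: `if (ctx->c != NULL) {` / `return 1;` / `}`.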
@@ -1076,8 +1082,6 @@ ngx_http_auth_ldap_reply_connection(ngx_http_auth_ldap_connection_t *c, int erro
ctx->error_msg.data = NULL;
}
- ngx_http_auth_ldap_return_connection(c);
-
ngx_http_auth_ldap_wake_request(ctx->r);
}