
I configured Apache 2.2 (CentOS 5.6) to provide LDAP authentication with Active Directory.

<Directory "/var/www/html">

        AuthType Basic
        AuthName "Authenticate with domain account."
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPBindDN cn=Administrator,cn=users,dc=example,dc=com
        AuthLDAPBindPassword secret
        AuthLDAPURL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
        Require valid-user
        ...
</Directory>

It works, but it takes far too long. I analyzed the traffic with tcpdump. The timestamps show exactly four minutes between the searchResEntry (when Active Directory responds with the DN of the user account I'm trying to log in as) and the bindRequest (when Apache tries to bind as the requested user).

Here is the error_log output for this:

[Sat Dec 10 07:06:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2488] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2488] auth_ldap authenticate: accepting peter
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2488] auth_ldap authorise: declining to authorise
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389 dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2475] auth_ldap authorise: declining to authorise, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [error] [client 192.168.56.1] File does not exist: /var/www/html/projeto/style.css, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2475] auth_ldap authorise: declining to authorise, referer: http://192.168.56.200/projeto/

As you can see, it takes four minutes between the first and the second line.

Any clue?

PS. Here is a link to the tcpdump capture displayed in Wireshark. As you can see, Active Directory responds instantly. What takes too long is the bindRequest from Apache (highlighted in the image).
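The four-minute gap in the question is visible in the error_log because mod_authnz_ldap logs a "using URL" line when it starts an authentication and an "accepting" line when the bind succeeds, both tagged with the same worker id in square brackets. The following script is an added example, not code from the question or from Apache: it pairs those two lines per worker id and reports authentications that exceed a threshold, which is a cheap way to spot a slow directory backend (or a broken referral) from the web server's own logs. The log lines embedded below are constructed, modelled on the format shown above; the worker id, threshold and function names are this example's own choices.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Apache 2.2 error_log lines in the question.
SAMPLE_LOG = """\
[Sat Dec 10 07:06:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2488] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2488] auth_ldap authenticate: accepting peter
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2488] auth_ldap authorise: declining to authorise
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [error] [client 192.168.56.1] File does not exist: /var/www/html/projeto/style.css, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:38 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
"""

# Only the two authenticate events matter; authorise and non-LDAP lines are ignored.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[debug\] mod_authnz_ldap\.c\(\d+\): '
    r'\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] '
    r'auth_ldap authenticate: (?P<event>using URL|accepting) (?P<detail>.*)$'
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # Apache 2.2 error_log timestamp layout


def parse_line(line):
    """Return a dict for an authenticate line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def auth_durations(log_text):
    """Pair each 'using URL' with the next 'accepting' for the same worker id.

    Returns a list of (worker_id, username, seconds) in log order.
    """
    pending = {}   # worker id -> timestamp of the 'using URL' line
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "using URL":
            pending[rec["pid"]] = rec["ts"]
        elif rec["event"] == "accepting" and rec["pid"] in pending:
            start = pending.pop(rec["pid"])
            # detail is "peter" or "peter, referer: http://..." ; keep the user only
            user = rec["detail"].split(",")[0].strip()
            results.append((rec["pid"], user, (rec["ts"] - start).total_seconds()))
    return results


def slow_auths(log_text, threshold_seconds=5.0):
    """Authentications whose search-plus-bind took at least threshold_seconds."""
    return [r for r in auth_durations(log_text) if r[2] >= threshold_seconds]


if __name__ == "__main__":
    for pid, user, secs in slow_auths(SAMPLE_LOG):
        print("worker %s: auth for %s took %.0f s" % (pid, user, secs))
```

Run against a real error_log with LogLevel debug, the same pairing isolates the mod_authnz_ldap delay from everything else Apache does for the request, so it is easy to tell a slow directory from a slow application.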

  • Can you check how much time is spent responding to the LDAP query itself? Try it from the LDAP command-line tools and find the elapsed time for the query. Is sAMAccountName an attribute that is indexed in the LDAP DB? Commented Jan 18, 2012 at 5:32
  • BTW, since you have mentioned using Active Directory as your directory store, which has Kerberos integrated, I would suggest you look at an integrated AD and Unix Kerberized authentication solution rather than LDAP bind itself. Commented Jan 18, 2012 at 5:34
  • Read about the performance impact in authzldap.othello.ch/configuration.html Commented Sep 22, 2013 at 9:51

1 Answer

Your LDAP query is too "generic". What if you restrict the object class before making the query, to avoid bringing back too much information?

ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)

And if you make the query "by hand" with ldapsearch, do you get the same performance issue? e.g.:

ldapsearch -x -W -D "cn=Administrator,cn=users,dc=example,dc=com" -h 192.168.56.110 -b "dc=example,dc=com" -LLL "(sAMAccountName=peter)"
Enter LDAP Password:
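The answer's suggestion changes only the filter part of the AuthLDAPURL, and it helps to see what mod_authnz_ldap actually sends to the directory: the module splits the URL into base DN, attribute, scope and filter (the RFC 4516 layout), then ANDs the URL filter with (attribute=username) for the user lookup. The following script is an added example, not code from the answer or from Apache: it parses an AuthLDAPURL with the module's documented defaults (attribute uid, scope sub, filter (objectClass=*)) and shows the effective search filter for the generic and the restricted URL. It also escapes the username per RFC 4515 before splicing it into the filter, which is a defender's check worth keeping in any tool that builds LDAP filters from user input; the function names and the escaping helper are this example's own.

```python
from urllib.parse import urlsplit, unquote


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL of the shape scheme://host:port/basedn?attr?scope?filter.

    Defaults follow the mod_authnz_ldap documentation: attribute uid, scope sub,
    filter (objectClass=*), port 389 for ldap and 636 for ldaps.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    fields = parts.query.split("?") if parts.query else []

    def field(i, default):
        return fields[i] if len(fields) > i and fields[i] else default

    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": field(0, "uid"),
        "scope": field(1, "sub"),
        "filter": unquote(field(2, "(objectClass=*)")),
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def effective_search_filter(url, username):
    """Filter the module sends to find the user's DN: (&(url filter)(attr=user))."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


GENERIC_URL = "ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
RESTRICTED_URL = "ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

if __name__ == "__main__":
    for url in (GENERIC_URL, RESTRICTED_URL):
        cfg = parse_auth_ldap_url(url)
        print("base %s scope %s -> %s" % (cfg["base_dn"], cfg["scope"],
                                         effective_search_filter(url, "peter")))
```

Because the username is ANDed into the filter, both URLs return at most the one matching entry; the restricted object class does narrow what the directory has to evaluate, but a four-minute stall between search response and bind points at the bind step itself, so the ldapsearch timing in the answer and a separate timed bind are the checks to run next.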
