Hi,
we had a strange problem today - our users authenticate with their AD
accounts. There are two LDAP servers configured. One of the servers was
offline for a time and users could not login at that time, although most
of the users are from the AD that did work. The logs clearly stated that
the user had successfully authenticated against the first LDAP server,
but tried the other anyway. So the whole process died with timeout.
Here are some specifics from the apache error log:
[1192] [Wed Apr 6 11:53:17 2016] [info]:
RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( LDAP ):
username (/opt/rt4/sbin/…/lib/RT/Authen/ExternalAuth/LDAP.pm:348)
[Wed Apr 06 14:53:52.654654 2016] [fcgid:warn] [pid 934:tid
140136953538304] [client 192.168.1.150:36148] mod_fcgid: read data
timeout in 40 seconds, referer: https://
[Wed Apr 06 14:53:52.654835 2016] [core:error] [pid 934:tid
140136953538304] [client 192.168.1.150:36148] End of script output
before headers: rt-server.fcgi, referer: https://
(the difference in time is because rt logs in UTC, not local time zone -
I have not yet tried to figure out why)
There is alot of data in rt.log because I enabled debug, but it
basically says that there was a successful login in the first LDAP and
the tries to bind to the second.
So the questions are:
- Is there an option to enable timeout for LDAP logins?
- Why does RT even try to login to the second LDAP, if the first
succeeds? Why couldn’t I login with root?