我配置了 apache2.2 (CentOS 5.6) 以提供 Active Directory 的 ldap 身份验证。
<Directory "/var/www/html">
AuthType Basic
AuthName "Authenticate with domain account."
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN cn=Administrator,cn=users,dc=example,dc=com
AuthLDAPBindPassword secret
AuthLDAPURL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
Require valid-user
...
</Directory>
它有效,但需要太长时间。我使用 tcpdump 分析了流量。时间戳显示 searchResEntry(当 Active Directory 使用我尝试登录的用户帐户的 DN 进行响应时)和 bindRequest(当 apache 尝试绑定为请求的用户时)之间正好四分钟)。
这是 error_log 输出:
[Sat Dec 10 07:06:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2488] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2488] auth_ldap authenticate: accepting peter
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2488] auth_ldap authorise: declining to authorise
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389 dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2475] auth_ldap authorise: declining to authorise, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [error] [client 192.168.56.1] File does not exist: /var/www/html/projeto/style.css, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(390): [client 192.168.56.1] [2475] auth_ldap authenticate: using URL ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=*), referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(489): [client 192.168.56.1] [2475] auth_ldap authenticate: accepting peter, referer: http://192.168.56.200/projeto/
[Sat Dec 10 07:10:37 2011] [debug] mod_authnz_ldap.c(971): [client 192.168.56.1] [2475] auth_ldap authorise: declining to authorise, referer: http://192.168.56.200/projeto/
正如您所看到的,第一条线和第二条线之间需要四分钟。
有什么线索吗?
诗。这里有一个关联到使用wireshark显示的tcpdump捕获。正如您所看到的,Active Directory 会立即响应。花费太长时间的是来自apache的bindRequest(在图像中突出显示)。
答案1
您的 ldap 查询过于“通用”。如果您在进行查询之前限制对象类以避免带来太多信息,该怎么办?
ldap://192.168.56.110:389/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)
并使用 ldapsearch“手动”进行查询,您是否有相同的性能问题?前任:
ldapsearch -x -W -D "cn=Administrator,dc=example,dc=com" -h 192.168.56.110 -b "dc=example,dc=com" -LLL "(SAMAccountName=peter)"
Enter LDAP Password: