We have Apache hosting a subversion server, and we’d like to use the Okta LDAP interface to authenticate our employees. However, with the server configured in this way we find operations on this repo will intermittently fail with a 500 error in the browser, or (when using the svn command line client) “svn: E175002: Unexpected server error 500 ‘Internal Server Error’ on ‘/path/to/file’”.
[edit] The 500 errors are caused by intermittent LDAP “server down” result codes from the Okta LDAP Interface, which doesn’t seem right (shouldn’t really be down?). Details follow.
We’re using mod_authnz_ldap. One of our subversion repos named “/foo” is configured like this:
<Location /foo>
DAV svn
AuthType Basic
AuthBasicProvider ldap
AuthName foo_repo
AuthLDAPBindDN "${BindDN}"
AuthLDAPBindPassword "${BindPassword}"
SVNPath /repo/svn/foo
AuthLDAPURL "ldaps://mycompany.ldap.okta.com:636/ou=users,dc=mycompany,dc=okta,dc=com?shortName?one?(objectClass=inetOrgPerson)"
# Ideally we require by ldap-group, but that leads to another issue we'll mention separately
Require valid-user
</Location>
The effect here should be that any user who authenticates with their Okta credentials is authorized to access this repo. The 500 errors I mentioned earlier seem to correspond to these errors in the Apache logs:
[Wed Jan 06 05:52:33.518169 2021] [authnz_ldap:info] [pid 18813:tid 139913282397952] [client ###.###.###.###:#####] AH01695: auth_ldap authenticate: user neilo authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Unknown error]
and with more verbose logging enabled in Apache we see this:
res_errno: 81, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_err2string
[Wed Jan 06 20:13:20.298287 2021] [authnz_ldap:info] [pid 6082:tid 140716382566144] [client ###.###.###.###:#####] AH01695: auth_ldap authenticate: user neilo authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Unknown error]
I believe that “res_errno: 81” is the LDAP response code LDAP_SERVER_DOWN. Repeating the same operation (e.g. reloading the page in the browser) often succeeds.
So the problem we have is that these errors cause the svn client to abort, but we can’t see a reason for them. This seems like a simple use case; any suggestions on how to debug further and resolve this?
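As an added illustration (not part of the question, and not code from Apache or Okta), the script below triages an Apache error log of the kind quoted above. mod_authnz_ldap logs the same AH01695 message whether the bind was rejected (a bad password, libldap code 49) or the client library never got a usable answer (code 81, LDAP_SERVER_DOWN, from OpenLDAP's ldap.h), so the script pairs each AH01695 line with the `res_errno` debug line that precedes it and counts failures by cause and by user. The sample log is constructed to mirror the question's lines; the user `jdoe`, the client addresses and all timestamps except the two quoted in the question are made up.

```python
import re
from collections import Counter

# Result codes worth distinguishing when an Apache LDAP bind fails. 0 and 49 are
# RFC 4511 server result codes; 81 and 85 are OpenLDAP client-library codes
# (LDAP_SERVER_DOWN, LDAP_TIMEOUT) meaning no usable answer came back at all.
RESULT_CODES = {
    0: "LDAP_SUCCESS",
    49: "LDAP_INVALID_CREDENTIALS",
    81: "LDAP_SERVER_DOWN",
    85: "LDAP_TIMEOUT",
}

# Apache 2.4 error-log prefix: [timestamp] [module:level] [pid N:tid N] [client addr] message
APACHE_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# Unprefixed libldap debug line, e.g. "res_errno: 81, res_error: <>, res_matched: <>"
RES_ERRNO = re.compile(r"^res_errno: (?P<code>\d+)")
# mod_authnz_ldap's bind-failure message (AH01695) as quoted in the question
AUTH_FAIL = re.compile(
    r"AH01695: auth_ldap authenticate: user (?P<user>\S+) authentication failed; "
    r"URI (?P<uri>\S+) \[LDAP: (?P<reason>[^\]]*)\]\[(?P<detail>[^\]]*)\]"
)


def classify(code):
    """Map a numeric libldap result code to a symbolic name."""
    if code is None:
        return "UNKNOWN (no res_errno captured)"
    return RESULT_CODES.get(code, f"LDAP_CODE_{code}")


def triage(lines):
    """Walk an error log and attribute each AH01695 failure to the libldap
    result code logged just before it, so bad passwords (49) are not confused
    with the client library giving up on the connection (81)."""
    pending_code = None
    failures = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = RES_ERRNO.match(line)
        if m:
            pending_code = int(m.group("code"))
            continue
        a = APACHE_LINE.match(line)
        if not a:
            continue                      # other libldap debug chatter
        f = AUTH_FAIL.search(a.group("msg"))
        if not f:
            continue                      # not an auth failure
        failures.append({
            "ts": a.group("ts"),
            "pid": a.group("pid"),
            "user": f.group("user"),
            "uri": f.group("uri"),
            "reason": f.group("reason"),
            "cause": classify(pending_code),
        })
        pending_code = None               # one res_errno explains one failure
    return {
        "failures": failures,
        "by_user": Counter(x["user"] for x in failures),
        "by_cause": Counter(x["cause"] for x in failures),
    }


def dominant_cause(summary):
    """Return the most frequent failure cause, or None if nothing failed."""
    if not summary["by_cause"]:
        return None
    return summary["by_cause"].most_common(1)[0][0]


# Constructed sample log modelled on the question's lines (jdoe, addresses and
# most timestamps are invented for the example).
SAMPLE_LOG = """\
[Wed Jan 06 05:52:30.000000 2021] [mpm_event:notice] [pid 18813:tid 139913282397952] AH00489: Apache/2.4.x configured -- resuming normal operations
res_errno: 81, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_err2string
[Wed Jan 06 05:52:33.518169 2021] [authnz_ldap:info] [pid 18813:tid 139913282397952] [client 192.0.2.10:51234] AH01695: auth_ldap authenticate: user neilo authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Unknown error]
res_errno: 49, res_error: <>, res_matched: <>
ldap_err2string
[Wed Jan 06 12:01:02.000000 2021] [authnz_ldap:info] [pid 6082:tid 140716382566144] [client 192.0.2.11:51235] AH01695: auth_ldap authenticate: user jdoe authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Invalid credentials]
res_errno: 81, res_error: <>, res_matched: <>
ldap_err2string
[Wed Jan 06 20:13:20.298287 2021] [authnz_ldap:info] [pid 6082:tid 140716382566144] [client 192.0.2.10:51236] AH01695: auth_ldap authenticate: user neilo authentication failed; URI /path/to/file [LDAP: ldap_simple_bind() failed][Unknown error]
""".splitlines()

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for cause, n in summary["by_cause"].most_common():
        print(f"{n:3d}  {cause}")
    print("dominant cause:", dominant_cause(summary))
```

Run against a real log with the libldap debug output enabled (as the question already has), a majority of LDAP_SERVER_DOWN causes points at the connection to the LDAP endpoint rather than at user credentials, which is the distinction needed before looking at connection pooling or retry settings on the Apache side versus the directory service itself.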