Moodle / MDL-29536

CAS / LDAP server unavailable caused large timeouts


    Details

    • Testing Instructions:

      Pre-requisites:

      You need to have at least one LDAP and one CAS server available. You need to have at least a valid user account (enabled, with a known password, etc.) in the LDAP directory, and the CAS server configured to use that LDAP directory to validate CAS users.

      You also need to identify an IP address that doesn't respond to LDAP traffic from your Moodle server. E.g., that IP should be unreachable and not return any kind of connection reset packets (otherwise the LDAP library code will time out the connection as soon as we get the connection reset packets, which will distort some of the tests). I will call this address the "Unreachable IP Address" in the testing instructions.

      LDAP authentication

      1. Log in with an admin account (make sure that admin account doesn't use LDAP auth!!!)
      2. Make sure you have the LDAP authentication plugin enabled.
      3. Configure the LDAP authentication settings suitable for the valid LDAP server. Save the changes.
      4. Log out and try to log in with the LDAP user account.
      5. Login should proceed successfully in a reasonable amount of time (~1-3 seconds, depending on network latency, LDAP server load, etc.).
      6. Log out.
      7. Execute the LDAP authentication user sync task. There shouldn't be any errors and the sync should proceed in a reasonable amount of time (depending on how many users you are syncing).
      8. Log in with the previous admin account.
      9. Configure the LDAP settings with the "Unreachable IP address" for the LDAP host. Set the connection timeout setting to zero (the default value). Save the changes.
      10. Log out and try to log in with the LDAP user account.
      11. Login should fail with a connection error message after a rather long time (depending on the LDAP library your version of PHP uses and the operating system of your Moodle server, it can take up to 3-4 minutes).
      12. Execute the LDAP authentication user sync task. It should fail with a connection error message after a rather long time.
      13. Log in with the previous admin account.
      14. Go to the LDAP settings configuration page. It should take around 25 seconds to appear.
      15. Configure the LDAP settings with the "Unreachable IP address" for the LDAP host, but set the connection timeout setting to 10 seconds. Save the changes.
      16. Log out and try to log in with the LDAP user account.
      17. Login should fail with a connection error message after ~10 seconds.
      18. Execute the LDAP authentication user sync task. It should fail with a connection error message after ~10 seconds.
      19. Log in with the previous admin account.
      20. Go to the LDAP settings configuration page. It should take around 10 seconds to appear this time.
      21. Configure the LDAP settings with the valid LDAP server IP address for the LDAP host. Keep the connection timeout setting to 10 seconds. Save the changes.
      22. Log out and try to log in with the LDAP user account.
      23. Login should proceed successfully in a reasonable amount of time (~1-3 seconds, again depending on network latency, LDAP server load, etc.).
      24. Log out.
      25. Execute the LDAP authentication user sync task. There shouldn't be any errors and the sync should proceed in a reasonable amount of time (again depending on how many users you are syncing).
      26. Log in with the previous admin account.
      27. Go to the LDAP settings configuration page. It should take around 1-3 seconds to appear this time.

      LDAP enrolment

      For this test we assume that the LDAP authentication plugin is enabled and configured with a valid, reachable, operating LDAP server, with suitable settings configured correctly.

      1. Log in with an admin account.
      2. Make sure you have the LDAP enrolment plugin enabled.
      3. Configure the LDAP enrolment settings suitable for the valid LDAP server. Save the changes.
      4. Log out and try to log in with the LDAP user account.
      5. Login should proceed successfully in a reasonable amount of time (~1-3 seconds, depending on network latency, LDAP server load, number of courses to enrol the user into, etc.).
      6. Log out.
      7. Execute the LDAP enrolment sync task. There shouldn't be any errors and the sync should proceed in a reasonable amount of time (depending on how many courses and enrolments you are syncing).
      8. Log in with the previous admin account.
      9. Configure the LDAP enrolment settings with the "Unreachable IP address" for the LDAP host. Set the connection timeout setting to zero (the default value). Save the changes.
      10. Log out and try to log in with the LDAP user account.
      11. Login should proceed ok, but it will take a rather long time (depending on the LDAP library your version of PHP uses and the operating system of your Moodle server, it can take up to 3-4 minutes).
      12. Log out.
      13. Execute the LDAP enrolment sync task. It should fail with a connection error message after a rather long time.
      14. Log in with the previous admin account.
      15. Go to the LDAP settings configuration page. It should take around 25 seconds to appear.
      16. Configure the LDAP settings with the "Unreachable IP address" for the LDAP host, but set the connection timeout setting to 10 seconds. Save the changes.
      17. Log out and try to log in with the LDAP user account.
      18. Login should proceed ok, but it will take ~1-3 + 10 seconds.
      19. Log out.
      20. Execute the LDAP enrolment sync task. It should fail with a connection error message after ~10 seconds.
      21. Log in with the previous admin account.
      22. Go to the LDAP settings configuration page. It should take around 10 seconds to appear this time.
      23. Configure the LDAP settings with the valid LDAP server IP address for the LDAP host. Keep the connection timeout setting to 10 seconds. Save the changes.
      24. Log out and try to log in with the LDAP user account.
      25. Login should proceed successfully in a reasonable amount of time (~1-3 seconds, again depending on network latency, LDAP server load, etc.).
      26. Log out.
      27. Execute the LDAP enrolment sync task. There shouldn't be any errors and the sync should proceed in a reasonable amount of time (again depending on how many users you are syncing).
      28. Log in with the previous admin account.
      29. Go to the LDAP settings configuration page. It should take around 1-3 seconds to appear this time.

      CAS auth

      1. Make sure the CAS server is already set up and running.
      2. Enable the CAS authentication plugin.
      3. Go to CAS settings, and configure CAS settings and LDAP server settings with values for the suitable LDAP server.
      4. Log out and try to log in with the CAS user account.
      5. Login should proceed successfully in a reasonable amount of time (~1-3 seconds, depending on network latency, CAS and LDAP server load, etc.).
      6. Log out.
      7. Execute the CAS authentication user sync task. There shouldn't be any errors and the sync should proceed in a reasonable amount of time (depending on how many users you are syncing).
      8. Log in with the previous admin account.
      9. Configure the CAS settings with the "Unreachable IP address" for the LDAP host. Set the connection timeout setting to zero (the default value). Save the changes.
      10. Log out and try to log in with the CAS user account.
      11. Login should fail with a connection error message after a rather long time (depending on the LDAP library your version of PHP uses and the operating system of your Moodle server, it can take up to 3-4 minutes).
      12. Execute the CAS authentication user sync task. It should fail with a connection error message after a rather long time.
      13. Log in with the previous admin account.
      14. Go to the LDAP settings configuration page. It should take around 25 seconds to appear.
      15. Configure the CAS settings with the "Unreachable IP address" for the LDAP host, but set the connection timeout setting to 10 seconds. Save the changes.
      16. Log out and try to log in with the CAS user account.
      17. Login should fail with a connection error message after ~10 seconds.
      18. Execute the CAS authentication user sync task. It should fail with a connection error message after ~10 seconds.
      19. Log in with the previous admin account.
      20. Go to the LDAP settings configuration page. It should take around 10 seconds to appear this time.
      21. Configure the CAS settings with the valid LDAP server IP address for the LDAP host. Keep the connection timeout setting to 10 seconds. Save the changes.
      22. Log out and try to log in with the CAS user account.
      23. Login should proceed successfully in a reasonable amount of time (~1-3 seconds, again depending on network latency, CAS and LDAP server load, etc.).
      24. Log out.
      25. Execute the CAS authentication user sync task. There shouldn't be any errors and the sync should proceed in a reasonable amount of time (again depending on how many users you are syncing).
      26. Log in with the previous admin account.
      27. Go to the LDAP settings configuration page. It should take around 1-3 seconds to appear this time.
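
A pre-flight check for the "Unreachable IP Address" prerequisite, added here as an example and not part of the Moodle issue or its patch: it attempts a TCP connection to the LDAP port and separates a silent drop (suitable for the timeout tests) from a reset or refusal (which ends the connection at once and distorts the timings). The function names, the injectable `connect` hook, the port 389 default and the three-attempt default are assumptions of this example.

```python
"""Pre-flight check for the "Unreachable IP Address" prerequisite (added example)."""
import socket
import sys
import time

SILENT_DROP = "silent-drop"  # no reply at all: the connect runs into the timeout
REFUSED = "refused"          # reset/refusal: connect fails at once, timings distorted
REACHABLE = "reachable"      # something accepted the TCP connection
OTHER_ERROR = "other-error"  # e.g. network unreachable, name resolution failure


def classify_endpoint(host, port=389, timeout=10.0, connect=socket.create_connection):
    """Try one TCP connect and return (verdict, elapsed_seconds).

    `connect` is a hook of this example so the logic can be exercised without a
    network; it takes (address, timeout) like socket.create_connection.
    """
    start = time.monotonic()
    try:
        sock = connect((host, port), timeout)
    except socket.timeout:            # must come before the generic OSError
        verdict = SILENT_DROP
    except ConnectionRefusedError:
        verdict = REFUSED
    except OSError:
        verdict = OTHER_ERROR
    else:
        sock.close()
        verdict = REACHABLE
    return verdict, time.monotonic() - start


def probe(host, port=389, timeout=10.0, attempts=3, connect=socket.create_connection):
    """Repeat the connect attempt and collect every (verdict, elapsed) pair."""
    return [classify_endpoint(host, port, timeout, connect) for _ in range(attempts)]


def is_suitable_unreachable(results):
    """The address is usable for the tests only if every attempt was silently dropped."""
    return bool(results) and all(verdict == SILENT_DROP for verdict, _ in results)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT] [TIMEOUT_SECONDS]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    timeout = float(sys.argv[3]) if len(sys.argv) > 3 else 10.0
    results = probe(host, port, timeout)
    for verdict, elapsed in results:
        print(f"{host}:{port} {verdict} after {elapsed:.1f}s")
    sys.exit(0 if is_suitable_unreachable(results) else 1)
```

Run it from the Moodle server itself, since the result depends on the network path between that host and the candidate address.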
    • Workaround:

      Patch is against v1.9.13:

      #diff -c auth/cas/auth.php.original auth/cas/auth.php

          • auth.php.original 2011-09-26 14:16:28.000000000 -0700
          • auth.php 2011-09-26 15:47:54.000000000 -0700
            ***************
          • 514,519 ****
          • 514,524 ----
            if ($this->config->user_type == 'ad') { ldap_set_option($connresult, LDAP_OPT_REFERRALS, 0); }

            + //set server timeout if PHP version allows it
            + //if (version_compare(PHP_VERSION,'5.3.0') >= 0) {
            + if (defined('LDAP_OPT_NETWORK_TIMEOUT'))

            { + ldap_set_option($connresult, LDAP_OPT_NETWORK_TIMEOUT, 2); + }

            if (!empty($binddn)) {
            //bind with search-user
            //$debuginfo .= 'Using bind user'.$binddn.'and password:'.$bindpwd;
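
      Review bot: the timeout passed in the added `ldap_set_option($connresult, LDAP_OPT_NETWORK_TIMEOUT, 2);` line is hard-coded to 2 seconds, so a site with a slow or distant directory cannot raise it and a site that wants the library default cannot turn it off. Read the value from the plugin configuration, the way `$this->config->user_type` is read a few lines above, and skip the call when the setting is empty or zero. The return value of `ldap_set_option` is also ignored, so a failure to apply the timeout goes unnoticed; log it at least in debug mode. The commented-out `version_compare` line can be dropped, since the `defined('LDAP_OPT_NETWORK_TIMEOUT')` guard replaces it.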

    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_20_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-29536-master

      Description

      If an LDAP/CAS server is unavailable it can cause the user to have to wait for a very long timeout. We should configure this in Moodle.

      Related bug: MDL-58193. Users can sometimes lose access to their configuration page if their server timeout is shorter than their LDAP timeout, because the server will end the connection before the LDAP has deemed the server inaccessible. Then there is no way to change the server in the configuration to a new one that works, and the page will be broken until the server configuration is changed in Moodle's DB or a server is put up on the exact IP.

              People

              Assignee:
              iarenaza Iñaki Arenaza
              Reporter:
              johanr Johan Reinalda
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias