LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Conrad Allen -
Number of replies: 21

We are testing an upgraded version of Moodle from 1.9.10 to 2.0.2 on a test server and have preserved the same LDAP settings across the upgrade process. We have an OpenLDAP server which handles authentication for the entire school district and is distributed over several servers.

LDAP authentication works, but there is a substantial (over 60 seconds!) delay for the 2.0.2 install to authenticate.  The delay for our production server running Moodle 1.9.10 is never more than 3-4 seconds and since they are using the exact same credentials, I can't see where the problem might lie.

Is anyone else experiencing this type of delay?  Any ideas on what could be the issue?

Average of ratings: -
In reply to Conrad Allen

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Brent Lee -
Dear Conrad, We had a similar issue. Switched to LDAPS, and changed order of our authentications. We had to disable IMAP, which drastically helped. --Brent
Average of ratings: -
In reply to Conrad Allen

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

I did not upgrade our 1.9 production server (14'000 users, 4'100 courses) because I want to test the 2.03 server for some months before switching. But I can not find any auth plugins except eMail-self-registration and manual. Where have all the other auth modules gone?? I need at least LDAP and Shibboleth as on my production server. Without that I can not switch to 2.x

Rosario

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Monica Bokos -
Hi, You can find it in the site administration block >Plugins>Authentication. Is this what you are looking for?
Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
As Monica says, they are definitely there (in all my production and test installs).

Saludos.
Iñaki.
Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Thanks to both. That's exactly where I looked for them and did only find the two menioned above. I will have a look into the module/plugin directory to verify whether the code is present there and report back.

Rosario

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Really very strange. The /auth directory looks correct as in 1.9.x:

 # ls -lt
total 72
drwxrwsr-x 6 root root 4096 Jun 28 12:49 cas
drwxrwsr-x 5 root root 4096 Jun 28 12:49 db
drwxrwsr-x 3 root root 4096 Jun 28 12:49 email
drwxrwsr-x 4 root root 4096 Jun 28 12:49 shibboleth
drwxrwsr-x 4 root root 4096 Jun 28 12:49 imap
drwxrwsr-x 4 root root 4096 Jun 28 12:49 nntp
drwxrwsr-x 3 root root 4096 Jun 28 12:49 nologin
drwxrwsr-x 4 root root 4096 Jun 28 12:49 pam
drwxrwsr-x 4 root root 4096 Jun 28 12:49 pop3
drwxrwsr-x 4 root root 4096 Jun 28 12:49 radius
drwxrwsr-x 4 root root 4096 Jun 28 12:49 fc
drwxrwsr-x 4 root root 4096 Jun 28 12:49 mnet
drwxrwsr-x 5 root root 4096 Jun 28 12:49 ldap
drwxrwsr-x 4 root root 4096 Jun 28 12:49 manual
drwxrwsr-x 3 root root 4096 Jun 28 12:49 none
drwxrwsr-x 3 root root 4096 Jun 28 12:49 webservice
-rwxrwxr-x 1 root root 5583 Nov  2  2009 README.txt
-rwxrwxr-x 1 root root    0 Jan 23  2005 index.html

So maybe my FireFox AND Internet-Explorer are playing me a nasty trick, so that I can not see them, to activate nor to configrue. I have a very bad web-behaviour anyway in 2.03: when I save a configuration I am not correctly redirected to the page that says "your settings have been saved" and if I navigate back to home, ie. the front-page, I get no page at all. Most of the time I have to restart both my browsers and login again as admin.

I'm using FF 5.0 and Internet Explorer 9.0.8112.16421, but I have really no problems to administer my production server 1.9.12+ with them.

Any Ideas? Rosario

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Iñaki, I think this is getting a case for you: look what I receive on my frontpage from time to time, besides that it seems rather slow to render. Everything runs on the same fast server, where I have my production server 1.9.12+ running fast and smoth since years:

production server: https://moodle.fhnw.ch

2.03 test server: https://moodle.fhnw.ch/moodleTest2/

FireBug gives me:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" dir="ltr">
<head>
<title>FHNW Moodle 2.x Test-Server</title>
<link href="https://moodle.fhnw.ch/moodleTest2/theme/image.php?theme=standard&image=favicon&rev=163&component=theme" rel="shortcut icon">
</head>
<body></body>
</html>

Is there any server-side caching making troubles??

Rosario
Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

And this is how it looks like in IE:

Moodle 2.03 auth plugins missing

 

And this is what FireBug gets when I access https://moodle.fhnw.ch/moodleTest2/admin/settings.php?section=manageauths:

<!-- END OF HEADER -->
<div id="page-content">
<div id="region-main-box">
<div id="region-post-box">
<div id="region-main-wrap">
<div id="region-main">
<div class="region-content">
<span id="maincontent"></span>
<form id="adminsettings" method="post" action="settings.php">
<div class="settingsform clearfix">
<input type="hidden" value="manageauths" name="section">
<input type="hidden" value="Vm6AzwQnNd" name="sesskey">
<input type="hidden" value="" name="return">
<h2 class="main">Manage authentication</h2>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

 

Let me know, if you need more debug informations. Debug is enabled to max. output, but I do not receive anything.

Rosario

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Same thing in FireFox 3.6.3:

auth plugins in FireFox 3.6.3

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
Hi Rosario,

without having access to the system and the logs it's a bit difficult to know what's going on. I'd suspect strange permissions somewhere in the auth subdirectories, but this is just a wild guess.

Can you try creating a new php file (let's call it availableauths.php), putting it in the moodle root directoy, with the following lines in it:

<?php

require(dirname(__FILE__).'/config.php');

$auths = get_plugin_list('auth');
echo "<p>List of available auths:</p><p>";
foreach ($auths as $auth) {
echo "$auth<br/>";
}
echo "<p>";

echo "<p>List of {$CFG->dirroot}/auth/ subdirectories:</p><p>";
$auth_plug_dir = $CFG->dirroot.'/auth/';
if ($dh = opendir($auth_plug_dir)) {
    while (($file = readdir($dh)) !== false) {
        if (($file == '.cvs') || ($file == '.') || ($file == '..') || !is_dir($auth_plug_dir.$file)) {
            continue;
        }
        echo $auth_plug_dir.$file.' (';
        if (is_readable($auth_plug_dir.$file.'/auth.php')) {
            echo "auth.php is readable";
        } else {
            echo "auth.php is not readable";
        }
        echo ")<br/>\n";
    }
    closedir($dh);
    echo "<p>";
} else {
    echo "<p>Can't open directory {$auth_plug_dir}</p>";
}
   
and see what you get when you run it from the browser? That should give us a clue.

Saludos.
Iñaki.
Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Here is the output with moodleRoot instead of plain directory paths:

List of available auths:

moodleRoot/htdocs/auth/cas
moodleRoot/htdocs/auth/db
moodleRoot/htdocs/auth/email
moodleRoot/htdocs/auth/fc
moodleRoot/htdocs/auth/imap
moodleRoot/htdocs/auth/ldap
moodleRoot/htdocs/auth/manual
moodleRoot/htdocs/auth/mnet
moodleRoot/htdocs/auth/nntp
moodleRoot/htdocs/auth/nologin
moodleRoot/htdocs/auth/none
moodleRoot/htdocs/auth/pam
moodleRoot/htdocs/auth/pop3
moodleRoot/htdocs/auth/radius
moodleRoot/htdocs/auth/shibboleth
moodleRoot/htdocs/auth/webservice

List of moodleRoot/htdocs/auth/ subdirectories:

moodleRoot/htdocs/auth/nologin (auth.php is readable)
moodleRoot/htdocs/auth/none (auth.php is readable)
moodleRoot/htdocs/auth/pam (auth.php is readable)
moodleRoot/htdocs/auth/pop3 (auth.php is readable)
moodleRoot/htdocs/auth/db (auth.php is readable)
moodleRoot/htdocs/auth/fc (auth.php is readable)
moodleRoot/htdocs/auth/ldap (auth.php is readable)
moodleRoot/htdocs/auth/webservice (auth.php is readable)
moodleRoot/htdocs/auth/email (auth.php is readable)
moodleRoot/htdocs/auth/imap (auth.php is readable)
moodleRoot/htdocs/auth/shibboleth (auth.php is readable)
moodleRoot/htdocs/auth/manual (auth.php is readable)
moodleRoot/htdocs/auth/cas (auth.php is readable)
moodleRoot/htdocs/auth/mnet (auth.php is readable)
moodleRoot/htdocs/auth/radius (auth.php is readable)
moodleRoot/htdocs/auth/nntp (auth.php is readable)

Seems all ok, Rosario

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
Hi Rosario,

while there is server-side caching (and you can clear any server side caches with Site Administration >> Development >> Purge all caches) it may also be bad interaction with any PHP accelerator you might be using. If you do, can you try disabling it and see if it makes a difference (just a wild guess to, but it's the only thing that comes to mind right now).

Saludos.
Iñaki.
Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

I use no accelerators, and I set the access permissions recursively the same as in my production instance:

-rwxrwxr-x 1 root root 5583 Nov  2  2009 README.txt
drwxrwsr-x 6 root root 4096 Jun 28 12:49 cas
drwxrwsr-x 5 root root 4096 Jun 28 12:49 db
drwxrwsr-x 3 root root 4096 Jun 28 12:49 email
drwxrwsr-x 4 root root 4096 Jun 28 12:49 fc
drwxrwsr-x 4 root root 4096 Jun 28 12:49 imap
-rwxrwxr-x 1 root root    0 Jan 23  2005 index.html
drwxrwsr-x 5 root root 4096 Jun 28 12:49 ldap
drwxrwsr-x 4 root root 4096 Jun 28 12:49 manual
drwxrwsr-x 4 root root 4096 Jun 28 12:49 mnet
drwxrwsr-x 4 root root 4096 Jun 28 12:49 nntp
drwxrwsr-x 3 root root 4096 Jun 28 12:49 nologin
drwxrwsr-x 3 root root 4096 Jun 28 12:49 none
drwxrwsr-x 4 root root 4096 Jun 28 12:49 pam
drwxrwsr-x 4 root root 4096 Jun 28 12:49 pop3
drwxrwsr-x 4 root root 4096 Jun 28 12:49 radius
drwxrwsr-x 4 root root 4096 Jun 28 12:49 shibboleth
drwxrwsr-x 3 root root 4096 Jun 28 12:49 webservice

Rosario

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

The only error I can find in my apache log at the moment is this one, which occurs also for the production server .19.12+

[Wed Jul 06 13:08:00 2011] [error] [client 10.234.2.121] ALERT - script tried to increase memory_limit to 100663296 bytes which is above the allowed value (attacker '10.234.2.121', file '/moodleRoot/htdocs/lib/setuplib.php', line 905)

Is it possible that using YUI-libraries to dynamically load what you expand in the administration-block, eg. Plugins and then Authentication is failing? Or is everything loaded at the same time when the administration block is composed and rendered?? (See example of the so called XHR Request: http://developer.yahoo.com/yui/examples/treeview/dynamic_tree.html)

If loading dynamically, is there an apache-setting needed I have missed?

Rosario


Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
Hi Rosario,

it looks like Suhoshin is preventing Moodle from raising the memory limit to 96MB in lib/setuplib.php (line 905). This may be the reason why certains things are missing in the output (I'm not 100% sure, but it's a real possibility).

While you may get the same alert in 1.9.12+, it may happen that that version never really needs more memory than the limit imposed by Suhoshin, while 2.0.x actually needs it.

Find your Suhoshin config file (in Debian/Ubuntu it's under /etc/php5/conf.d/suhosin.ini) and raise the memory limit there (parameter 'suhosin.memory_limit'). You might need to restart the web service for the changes to make effect. I'd raise it to a generous limit (say 256MB) to confirm/deny this is actually the root of the problem, and then try to find a lower limit that is suitable for your installation.

Saludos.
Iñaki.
Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Oh, I'm running on SUSE SLES 11 SP1

So it is here (like Debian):

/etc/php5/conf.d # ls -l suho*
-rw-r--r-- 1 root root 20253 Jun  1 15:35 suhosin.ini

The parameter is actually commented out, so if I read correctly, this means that there should be no limit anyway, unless you comment in and set it to 0 or any other limit, but you are the expert. So let me know if I should enable the setting and set it to 256MB:

; As long scripts are not running within safe_mode they are free to change the
; memory_limit to whatever value they want. Suhosin changes this fact and
; disallows setting the memory_limit to a value greater than the one the script
; started with, when this option is left at 0. A value greater than 0 means
; that Suhosin will disallows scripts setting the memory_limit to a value above
; this configured hard limit. This is for example usefull if you want to run
; the script normaly with a limit of 16M but image processing scripts may raise
; it to 20M.
;suhosin.memory_limit = 0

Rosario

Edit: I just tested with this new setting on and 256MB, but no avail. Did only an apache2 (graceful) reload as RESTART is not possible at the moment, and the error persists:

[Thu Jul 07 14:47:02 2011] [error] [client 87.102.196.145] ALERT - script tried to increase memory_limit to 100663296 bytes which is above the allowed value (attacker '87.102.196.145', file '/moodleRoot/lib/setuplib.php', line 80), referer: https://moodle.fhnw.ch/user/view.php?id=13006&course=1

And the apache access-log shows correctly:

10.234.2.18 - - [07/Jul/2011:14:44:04 +0200] "GET /moodleTest2/admin/settings.php?section=manageauths HTTP/1.1" 200 18892

Next step would be to enable as much debug-info in the admin block itself to see what goes wrong.

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

I just made a new CVS update to version Moodle 2.0.3+ (Build: 20110701) but it did not help either.

So I am going to debug the administration-block code. Lets hope.

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

Ahhaaa, we are on the right track at least:

Fatal error: Allowed memory size of 41943040 bytes exhausted (tried to allocate 4864 bytes) in /moodleRoot/auth/shibboleth/auth.php on line 336

But I was not able to SWITCH ON this type of authorization yet. So I think it should be disabled by default and should not harm when I access manageauths...

Any hints on how to allocate more memory? I just did a restart of apache to load the new suhosin setting. But I still do not get the whole list of auth-plugins.

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

With https://moodle.fhnw.ch/moodleTest2/admin/auth_config.php?auth=ldap and ...auth=shibboleth I succeed in configuring all my needed settings. In the mysql-DB I can see that the settings were correctly saved. And upon returning to those pages I can read all settings retrieved from the DB.

But I can still not see, nor enable the missed auth plugins. So is there another hack to ENABLE the plugins directly in the Database?

Rosario

Average of ratings: -
In reply to Iñaki Arenaza

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Rosario Carcò -

OK, FINALLY I DID it, I raised the 40M Limit in php5.ini rather than in suhosin.ini

My fist attempt may have failed because I typed in 256MB instead of 256M

The Moodle advice was to set 8M for 1.5 and 40M for Versions >= 1.8 What is it now for 2.x ?

Rosario

Average of ratings: -
In reply to Rosario Carcò

Re: LDAP taking over 60 seconds to authenticate in Moodle 2.0.2

by Iñaki Arenaza -
Picture of Core developers Picture of Documentation writers Picture of Peer reviewers Picture of Plugin developers
I'm glad you finally fixed it!

I think that if you don't set a limit especifically in suhoshin.ini, it takes de php.ini limit by default.

With respect to what's the advice for 2.x, I've seen several numbers floating around (64MB, 96MB, etc.), but given that setuplib.php tries to raise it to 96MB (that's the number Suhoshin shows in the logs) I suspect that's a good choice for normal installs.

Anyway, that number depends a lot on the size of your install and the size of your activities. Backups may require more memory than that temporarily (as well as restores) and large complex quizzes may require it too. Upgrades also tend to require more memory

Looking at the code, it tries to set the limit to 96MB for 32bit installs, and 128MB for 64 bits installs (this usually needs more memory), and 256MB/384MB for upgrades and cron jobs.

The memory limit can be temporarily raised by calling init_set(), if the function is not disabled in php config or if you don't enforce it with suhoshin or similar tools. This is why most people don't notice any problem even if their php.ini imposes lower limits.

Saludos.
Iñaki.
Average of ratings: -