first authentication returns 500 code after inactivity period
I'm on debian 10, using apache 2.4 with an haproxy in front of it. LLNG is on version 2.0.12 Authentication, Users and sessions backend are all using openldap CAS service as ticket provider is enabled
When I leave SSO without activity for I would say around 3h or 4h, the first authentication try will return 500 "Error occurs on the server". I looked at my openldap logs, the LLNG account does multiple binds in order to get lemonldapng configuration, but did not look for the user trying to authenticate as it should. Then I think the issue is not related to openldap. Here are my apache logs:
[Wed Mar 17 09:12:33.247199 2021] [fcgid:warn] [pid 3939] [client 22.214.171.124:0] mod_fcgid: error reading data, FastCGI server closed connection, referer: https://auth.domain.fr/?cancel=1 [Wed Mar 17 09:12:33.247445 2021] [core:error] [pid 3939] [client 126.96.36.199:0] End of script output before headers: index.fcgi, referer: https://auth.domain.fr/?cancel=1 [Wed Mar 17 09:12:36.291844 2021] [fcgid:error] [pid 31329] mod_fcgid: process /usr/share/lemonldap-ng/portal/htdocs/index.fcgi(31497) exit(communication error), get unexpected signal 13
debug logs look very normal compared to when an authentication works.
I tried to bypass haproxy to be sure the issue was not related to it and I can reproduce.
After this first unsuccessful authentication, all the next will work perfectly.
I first gave a look to #2455 and #1807 (closed). I applied keepalived timeout and idletimeout as suggested but it seems it has no effect. Which looks normal as I have no network facilities in between my VMs.
As workaround I set some wget/curl commands in order to initiate an authentication every 2h, but I need to dig this and use proper library because of the token generation (would you have a way to do so easily ?). I also use the command line interface and I can collect the session without any trouble, you probably hit the backend server directly using this CLI.
Thanks for your help.