I've got a question about the effect on LDAP authentication on Apache of an LDAP server applying idle timeouts to close connections.

It appears from some empirical evidence that the LDAP authentication module that comes with Apache 2.0.54 makes bad use of the LDAP connection pool: it tends to slowly build up unused connections over time. This tendency isn't so severe as to render it useless in the short term, but we've seen a server that wasn't HUPed daily build up about 700 idle LDAP connections, with last-used times spanning many days. This represents a resource drain on both the LDAP server and the client Apache system. Ultimately, I think mod_ldap ought to have configurable limits on the LDAP connection pool and do some kind of active garbage collection. But that's not my question today.

We are using Sun Directory Server 5.2 as our production LDAP server. It has a parameter to set an idle timeout. This could be a quick fix for reclaiming idle connections, with no changes needed to Apache. (I'd prefer to start with timeout values in the range of 10-20 minutes. Log tracking suggests that Sun replication on our servers has a max idle time of just over 5 min, so using more than 5 min is safer.)

However, the LDAP protocol is more stateful than HTTP, and wasn't really designed around the notion that either end may hang up at any time, like HTTP 1.1. So I'm not sure this has no side effects.

Specifically, I want to know what will happen to the Apache LDAP connection pool if the LDAP server closes the socket. Is the pool code smart enough not to try to use a closed connection, or is it possible it will try to reuse a dead connection, leading to an error and a bogus authentication failure?

I haven't been able to figure out a good way to test this (though I've done some other testing of mod_auth_ldap to check prior bug fixes). It seems possible this would be most likely to cause errors on a server that is lightly loaded.
This would have long idle times even on "real" connections that aren't the victims of silly caching. It's possible the answer might differ in the revamped authentication modules of 2.1/2.2; I'd be interested to know if that is the case.

-- 
Albert Lunde
Albert-Lunde@xxxxxxxxxxxxxxxx
atlunde@xxxxxxxxx (new address for personal mail)
Albert-Lunde@xxxxxxx (old address)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
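The post says there is no good way to test what a connection pool does when the directory server hangs up on an idle connection. The following is an added, self-contained simulation of exactly that situation; it is not mod_ldap code, not anything from the Apache project, and it makes no claim about what Apache 2.0.54's pool actually does. It reproduces the two outcomes the post asks about at the TCP layer: a "server" (a toy echo protocol standing in for LDAP, running on loopback in a thread) closes any connection that stays quiet longer than its idle timeout; a minimal pool either hands the stale socket straight back out (the naive case, which turns into a connection error on the next bind) or first runs a cheap non-blocking MSG_PEEK liveness check and reconnects. All names (`IdleClosingServer`, `ConnectionPool`, `is_alive`, `bind`, `run_scenario`) and the toy `BIND`/`OK` messages are constructed for this example.

```python
"""Added example: a connection pool meeting a server-side idle timeout.

Toy 'BIND'/'OK' line protocol stands in for LDAP; the behaviour under
test is purely TCP-level (peer FIN/RST on a pooled idle socket).
"""
import socket
import threading
import time


class IdleClosingServer:
    """Stand-in for a directory server whose idle timeout closes quiet connections."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))   # loopback only, ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            conn, _ = self.listener.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        conn.settimeout(self.idle_timeout)
        try:
            while True:
                request = conn.recv(4096)
                if not request:                  # client closed first
                    break
                conn.sendall(b"OK " + request)   # every toy bind succeeds
        except socket.timeout:
            pass                                 # idle timeout: server hangs up
        finally:
            conn.close()                         # FIN goes to the client


def is_alive(sock):
    """Liveness check a pool can run before reusing an idle socket.

    Non-blocking MSG_PEEK: b'' means the peer's FIN has arrived, an OSError
    means reset, and BlockingIOError (EAGAIN) means open with nothing pending.
    """
    saved_timeout = sock.gettimeout()
    sock.setblocking(False)
    try:
        return sock.recv(1, socket.MSG_PEEK) != b""
    except BlockingIOError:
        return True
    except OSError:
        return False
    finally:
        sock.settimeout(saved_timeout)


class ConnectionPool:
    """Minimal pool: idle sockets sit in a list and are handed back out."""

    def __init__(self, port, check_liveness):
        self.port = port
        self.check_liveness = check_liveness
        self.idle = []

    def checkout(self):
        while self.idle:
            sock = self.idle.pop()
            if not self.check_liveness or is_alive(sock):
                return sock
            sock.close()                         # dead: discard and reconnect below
        sock = socket.create_connection(("127.0.0.1", self.port))
        sock.settimeout(5)                       # never hang on a wedged socket
        return sock

    def checkin(self, sock):
        self.idle.append(sock)


def bind(sock, user):
    """Toy stand-in for an LDAP simple bind; True means 'authenticated'."""
    sock.sendall(b"BIND " + user)                # on a CLOSE_WAIT socket this still 'succeeds'
    reply = sock.recv(4096)                      # ...and the failure surfaces here
    if not reply:
        raise ConnectionError("peer closed the connection")
    return reply.startswith(b"OK")


def run_scenario(check_liveness, idle_timeout=0.3):
    """Bind once, let the pooled socket idle past the server timeout, bind again.

    Returns 'success', 'denied' or 'error' for the second attempt.
    """
    server = IdleClosingServer(idle_timeout)
    pool = ConnectionPool(server.port, check_liveness)

    sock = pool.checkout()
    assert bind(sock, b"alice")                  # fresh connection works
    pool.checkin(sock)

    time.sleep(idle_timeout * 4)                 # server-side idle timeout fires

    sock = pool.checkout()
    try:
        return "success" if bind(sock, b"alice") else "denied"
    except OSError:                              # EOF, ECONNRESET or EPIPE on the stale socket
        return "error"
    finally:
        pool.checkin(sock)


if __name__ == "__main__":
    print("naive pool, stale socket reused:", run_scenario(check_liveness=False))
    print("pool with liveness check:       ", run_scenario(check_liveness=True))
```

The interesting detail for the "bogus authentication failure" question is in `bind`: after the server's FIN, the client's `sendall` still succeeds because the local kernel accepts the data, and only the following `recv` reports EOF or a reset. A pool that treats any socket error on the bind as "credentials rejected" rather than "retry on a fresh connection" would therefore turn an idle timeout into a spurious 401. The peek-based check is cheap but not airtight (the server can close between the check and the bind), so a reconnect-once-on-error path is the more robust complement; this example only shows the check.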