I'm noticing a number of serious issues with util_ldap in Apache 2.0.51
on Windows:
- If you use what used to be the safe "I don't trust the cache" config
  parameters as follows, you get an immediate crash (due to a null mutex).
    LDAPCacheEntries 0
    LDAPOpCacheEntries 0
    LDAPSharedCacheSize 0
- There are now many cases wherein Apache will *hang* when the
number of unique users that have authenticated against LDAP exceeds
LDAPCacheEntries. In the *best* case, both the worker and parent
process will crash. It used to be that only the worker process would
crash -- thus allowing the parent to start a new worker and not result
in the server being dead in the water.
- There are some strange bits here:
  - Using 1 for LDAPCacheEntries, LDAPOpCacheEntries, and
    LDAPSharedCacheSize allows for a seemingly unlimited number of unique
    user logins! This is inexplicable. It would seem a nice workaround, but
    I need to support existing configurations "as is", e.g. the 0,0,0
    config above.
  - There are *some* cases where Apache can service many unique
    authenticated users beyond LDAPCacheEntries, but these are very hard to
    predict. For example, LDAPCacheEntries of 2150, LDAPOpCacheEntries of
    1 [this at least used to cause a crash if this was 0 and
    LDAPCacheEntries was non-zero], LDAPSharedCacheSize of 865000, and
    setting LDAPSharedCacheFile allows at least 2500 (my current LDAP data
    set size) unique authenticated users. Yet if I increase
    LDAPSharedCacheSize, which should seemingly make no difference, Apache
    will crash *much* earlier.
- Starting Apache with LDAP caching enabled (e.g. with the
configuration in the last bullet) now results in a crash on shutdown in
apr_rmm_addr_get() [rmm->base is null]. This occurs even if no
requests were made since startup.
Overall, given the security and non-LDAP fixes in 2.0.51, I am now left
pondering whether I should try backing the LDAP modules back to
2.0.50 while keeping all other 2.0.51 code. Ideas? Also, Windows is
only the first platform I've tested. I also have to work out Solaris
and AIX. Thus if these work better, I may end up keeping the 2.0.51
LDAP code there...
I get the ugly feeling I should have tested all of this earlier in the
2.0.51 cycle, but I was busy at the time.
All in all, LDAP does not appear to be a happy camper on 2.0.51 on
Windows.
--
Jess Holle
[EMAIL PROTECTED]