https://issues.apache.org/bugzilla/show_bug.cgi?id=45834
Summary: Stale LDAP connections take 15+ minutes to finish queries
Product: Apache httpd-2
Version: 2.2.9
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ldap
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
I am running a RedHat 5 server to serve SVN and I am using mod_authnz_ldap for user authentication. The server is configured correctly; I know this because shortly after a restart the authentications occur within a reasonable amount of time. However, I have noticed that after long periods of inactivity (say over night) the authentication process will take approximately 15 minutes to complete. During the time it is attempting to run the query I see through netstat that a connection was established and there is something in the transmit queue, but for some reason it doesn't complete for 15+ minutes. The interesting thing is that it does seem to complete. However, I'm not sure if it is because it gives up and tries again or if that connection completes. The log files are in debug mode but show very little information, basically only the request and then some time later that the user was authenticated. Through my debugging I have noticed that the ldap module does not close the connection to the ldap server even after long periods of no requests. Our internal network is complex and there is a firewall sitting between our server and the LDAP server. However, the latency is relatively low (less than 85ms) and the load on the LDAP server is minimal. I'm assuming it is intentional that the connections don't close, but it may be contributing to the issue.

I have tried this on apache 2.2.3 that comes with Redhat and I have compiled apache 2.2.9, and both show the same behavior. I have included the netstat info and my configuration below. I am using the default configurations for just about everything else.

Questions:

Is there a way to disable the mod_ldap connection pooling? I see that each idle/spare httpd process opens and maintains a connection.

Is there a way to have mod_ldap disconnect after some period of time? I have no insight into the firewall; it is possible it does not like the persistent connection and is playing a factor. Ideally I would think if there was no activity for 15 minutes or so you could disconnect.
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 138 xxx.xxx.xxx.xxx:33871 ldap.x.x:ldaps ESTABLISHED
SVN and LDAP configuration files:
LDAPCacheEntries 0
LDAPCacheTTL 600
LDAPConnectionTimeout 10
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPSharedCacheSize 10240
LDAPTrustedMode SSL
LDAPVerifyServerCert Off

<Location /svn>
    DAV svn
    SSLRequireSSL
    # Subversion Paths
    SVNParentPath <PATH TO REPOS>
    SVNListParentPath on
    AuthzSVNAccessFile <PATH TO SVN AUTH FILE>
    # Access control policy
    AuthBasicProvider ldap file
    AuthzLDAPAuthoritative Off
    AuthType Basic
    AuthName "Repositories"
    AuthLDAPBindDN XXXXXX
    AuthLDAPBindPassword XXXXXX
    AuthLDAPURL "ldaps://XXXXXX.com:636/ou=XXXXXX,o=XXXXXX?uid?sub?(objectClass=*)"
    AuthUserFile <PATH TO WWW AUTH FILE>
    Require valid-user
</Location>
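The footprint in the report (an ESTABLISHED socket, 138 bytes stuck in Send-Q, the query finishing only after roughly 15 minutes) is what a pooled connection looks like when a stateful firewall has silently dropped the idle flow: nothing on either end sends a reset, so the socket stays open until the kernel exhausts its retransmissions and aborts it. The script below is an added diagnostic example, not code from httpd, mod_ldap or the reporter. It parses netstat output for LDAP connections with data waiting in the send queue and computes how long Linux keeps retransmitting before giving up, using assumed kernel defaults (200 ms minimum RTO, 120 s maximum RTO, tcp_retries2 = 15); the netstat sample is constructed, with its first data line mirroring the one in the report.

```python
"""Flag LDAP connections with a stalled transmit queue in netstat output and
estimate how long Linux keeps a dead connection alive before aborting it.

Added example for this bug report; not part of httpd or mod_ldap. The netstat
text below is constructed and the kernel parameters are assumed defaults."""

from dataclasses import dataclass

# Constructed sample in `netstat -tn` layout; the first data line mirrors the
# connection shown in the bug report.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    138 10.0.0.5:33871          ldap.example:ldaps      ESTABLISHED
tcp        0      0 10.0.0.5:33872          ldap.example:ldaps      ESTABLISHED
tcp        0      0 10.0.0.5:44120          web.example:https       TIME_WAIT
"""

# Service names or port numbers that identify an LDAP peer.
LDAP_SERVICES = {"ldap", "ldaps", "389", "636"}


@dataclass
class Conn:
    proto: str
    recv_q: int
    send_q: int
    local: str
    remote: str
    state: str


def parse_netstat(text):
    """Parse lines shaped 'Proto Recv-Q Send-Q Local Foreign State'; header and
    banner lines are skipped because their first field is not tcp/tcp6."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        try:
            recv_q, send_q = int(parts[1]), int(parts[2])
        except ValueError:
            continue
        conns.append(Conn(parts[0], recv_q, send_q, parts[3], parts[4], parts[5]))
    return conns


def stalled_ldap(conns):
    """ESTABLISHED connections to an LDAP port with unacknowledged bytes in
    Send-Q. A Send-Q that stays put across repeated samples means the peer is
    no longer acknowledging, which is what a firewall that dropped the idle
    flow without a reset looks like from the client side."""
    stuck = []
    for c in conns:
        service = c.remote.rsplit(":", 1)[-1]
        if c.state == "ESTABLISHED" and service in LDAP_SERVICES and c.send_q > 0:
            stuck.append(c)
    return stuck


def retransmit_abort_seconds(initial_rto=0.2, rto_max=120.0, tcp_retries2=15):
    """Approximate time before Linux aborts a connection whose data is never
    ACKed: the RTO doubles on every retransmission, is capped at rto_max, and
    the kernel gives up once more than tcp_retries2 retransmissions have been
    sent. With the assumed defaults this is about 924.6 s, i.e. 15+ minutes."""
    total, rto = 0.0, initial_rto
    for _ in range(tcp_retries2 + 1):
        total += rto
        rto = min(rto * 2, rto_max)
    return round(total, 1)


if __name__ == "__main__":
    for c in stalled_ldap(parse_netstat(SAMPLE_NETSTAT)):
        print(f"stalled: {c.local} -> {c.remote} Send-Q={c.send_q}")
    print(f"kernel abort after ~{retransmit_abort_seconds()} s")
```

Take two netstat samples a minute apart: a Send-Q figure that does not change between them is the stalled case, and the abort estimate explains why the request eventually completes on its own once the pooled connection is torn down and mod_ldap reconnects. On the pooling question itself, later httpd releases added the LDAPConnectionPoolTTL directive (documented for 2.4), which discards pooled connections that have sat idle longer than a configured interval; for a 2.2.9 deployment the practical mitigations are to keep the firewall's idle timeout above the pool's idle period or to generate periodic traffic on the link.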