https://issues.apache.org/bugzilla/show_bug.cgi?id=52790
Bug #: 52790
Summary: ldap caching not sufficient
Product: Apache httpd-2
Version: 2.2.16
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authnz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
I am trying to connect a Subversion on Apache to an LDAP server. Unfortunately,
the LDAP server does not like many requests for the same user, and returns
[Tue Feb 28 18:21:46 2012] [info] [client 10.0.0.1] [18717] auth_ldap
authenticate: user philipp authentication failed; URI /cgi-bin/anon.pl [LDAP:
ldap_simple_bind_s() failed][Administrative limit exceeded]
when it thinks that there have been too many requests.
The problem on the other side is that Subversion does an HTTP request for every
single file, and I have a repository with approximately 1 million files in it,
so every operation can result in a lot of HTTP requests with the same user.
The number of different users that are authenticating to my application is
rather low: I have about 3 power users, and up to 100 users who use it
sporadically (once per month or less often).
I have configured the cache like this:
LDAPSharedCacheSize 3000000
LDAPCacheEntries 1024
LDAPCacheTTL 600000
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600000
LDAPSharedCacheFile /var/cache/apache2/ldap.cache
The shared cache file is created properly, and the cache seems to be working,
but it does not seem to really cache the authentication requests.
When I do approximately 30 requests, I am getting these statistics:
LDAP Cache Information

Cache Name                                              Entries      Avg. Chain Len.  Hits        Ins/Rem  Purges  Avg Purge Time
LDAP URL Cache                                          1 (0% full)  1.0              30/31 97%   1/0      (none)  0ms
ldaps://ldap.intranet/ou=people,dc=eu?uid (Searches)    1 (0% full)  1.0              30/62 48%   25/24    (none)  0ms
ldaps://ldap.intranet/ou=people,dc=eu?uid (Compares)    0 (0% full)  0.0              0/0 100%    0/0      (none)  0ms
ldaps://ldap.intranet/ou=people,dc=eu?uid (DNCompares)  0 (0% full)  0.0              0/0 100%    0/0      (none)  0ms
The LDAP URL Cache seems to fully cache all the requests, but the Searches only
cache 50%, so for every Hit, it still does one LDAP query.
Is it possible to also cache the authentication requests? I do not see why
repeated requests for exactly the same URL with exactly the same username and
password need additional LDAP requests, I think they should be cached instead.
My Subversion config:
AuthzSVNAccessFile /etc/apache2/dav_svn.authz
AuthLDAPURL ldaps://ldap.intranet/ou=people,dc=eu?uid
AuthLDAPBindDN "uid=technuser,ou=people,dc=eu"
Require valid-user
Order deny,allow
Deny from All
AuthName "Please enter your UserID and password"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
Satisfy any
I guess that the problem might be that Apache does not want to store
cleartext passwords in the cache, since that can be a security issue. I would
suggest either encrypting the cache, or only writing a hash of username+password
into the cache.
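As an added illustration of the reporter's second suggestion (this is example code, not code from the report, from mod_authnz_ldap or from mod_ldap, and it does not describe how httpd's cache is actually implemented): a bind-result cache keyed on (URL, user) that stores only a keyed SHA-256 digest of the credential, so a repeated request with the same URL, username and password is answered from the cache without another ldap_simple_bind_s(), while the cache file never holds a cleartext password. The directory server, the URL, the user list and the bind budget are all constructed sample data.

```python
import hashlib
import hmac
import secrets


class ToyLdapServer:
    """Constructed stand-in for the directory in the report: it counts every
    bind it receives and refuses binds beyond a fixed budget, mirroring the
    'Administrative limit exceeded' error."""

    def __init__(self, users, bind_budget):
        self.users = users            # {username: password}, constructed sample data
        self.bind_budget = bind_budget
        self.bind_count = 0

    def simple_bind(self, user, password):
        self.bind_count += 1
        if self.bind_count > self.bind_budget:
            raise RuntimeError("Administrative limit exceeded")
        return self.users.get(user) == password


class BindResultCache:
    """Caches successful bind results per (url, user) with a TTL.

    Only an HMAC-SHA256 digest of (url, user, password) is stored, so someone
    who reads the shared cache cannot recover passwords, yet the same
    credential presented again within the TTL still produces a hit."""

    def __init__(self, ttl_seconds, max_entries, pepper=None):
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        # The HMAC key has to be shared by every worker using the cache and
        # must never be written into the cache file itself.
        self.pepper = pepper if pepper is not None else secrets.token_bytes(32)
        self._entries = {}            # (url, user) -> (digest, expires_at)
        self.hits = 0
        self.misses = 0

    def _digest(self, url, user, password):
        msg = b"\0".join(s.encode() for s in (url, user, password))
        return hmac.new(self.pepper, msg, hashlib.sha256).digest()

    def check(self, url, user, password, now):
        key = (url, user)
        entry = self._entries.get(key)
        if entry is not None:
            digest, expires_at = entry
            if now >= expires_at:
                del self._entries[key]        # stale: force a fresh bind
            elif hmac.compare_digest(digest, self._digest(url, user, password)):
                self.hits += 1
                return True
            # A digest mismatch is a miss but does NOT evict the entry, so a
            # wrong-password attempt cannot flush a valid user's cached result.
        self.misses += 1
        return False

    def store(self, url, user, password, now):
        if len(self._entries) >= self.max_entries:
            oldest = min(self._entries, key=lambda k: self._entries[k][1])
            del self._entries[oldest]
        self._entries[(url, user)] = (self._digest(url, user, password), now + self.ttl)

    def stats(self):
        total = self.hits + self.misses
        return {"entries": len(self._entries), "hits": self.hits, "misses": self.misses,
                "hit_rate": (self.hits / total) if total else 1.0}


def authenticate(cache, server, url, user, password, now):
    """Returns True if the credential is valid; binds to LDAP only on a cache miss.
    Failed binds are never cached."""
    if cache.check(url, user, password, now):
        return True
    ok = server.simple_bind(user, password)
    if ok:
        cache.store(url, user, password, now)
    return ok


URL = "ldaps://ldap.example.test/ou=people,dc=example?uid"   # constructed URL


def uncached_failure_point(bind_budget=5, requests=30):
    """Without a bind cache, the request number at which the server refuses."""
    server = ToyLdapServer({"philipp": "correct-horse"}, bind_budget)
    for i in range(1, requests + 1):
        try:
            server.simple_bind("philipp", "correct-horse")
        except RuntimeError:
            return i
    return None


def run_scenario():
    server = ToyLdapServer({"philipp": "correct-horse"}, bind_budget=5)
    cache = BindResultCache(ttl_seconds=600, max_entries=1024)
    t0 = 1_000_000.0
    # 30 requests for the same user inside the TTL: one bind, 29 hits.
    results = [authenticate(cache, server, URL, "philipp", "correct-horse", t0 + i)
               for i in range(30)]
    binds_after_30 = server.bind_count
    # A wrong password misses, binds, fails, and is not stored.
    wrong = authenticate(cache, server, URL, "philipp", "wrong", t0 + 31)
    # Past the TTL the entry is stale, so one more bind is needed.
    after_ttl = authenticate(cache, server, URL, "philipp", "correct-horse", t0 + 700)
    return {"all_ok": all(results), "binds_after_30": binds_after_30,
            "wrong_rejected": not wrong, "after_ttl": after_ttl,
            "total_binds": server.bind_count, "stats": cache.stats()}


if __name__ == "__main__":
    print("uncached: refused at request", uncached_failure_point())
    print("cached:", run_scenario())
```

With a bind budget of 5 the uncached loop is refused on the sixth request, while the cached run answers 30 requests with a single bind and only binds again for the wrong password and after the TTL has elapsed. The HMAC key is the part that matters for a shared cache such as the LDAPSharedCacheFile above: it must be generated once, shared by all httpd workers, and stored outside the cache file, otherwise the digests are no better than cleartext against offline guessing.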