Graham Leggett wrote:

Jess Holle said:


I've not had a chance to try the LDAP connection timeout patch, but my
biggest remaining issue (besides the multiple-LDAP enhancement) is that
of firewall treatment. If there is a firewall between Apache and LDAP
(quite common) and if this firewall drops idle connections (also quite
common), then it can drop Apache's cached LDAP connections -- and Apache
2 (at least without the connection timeout patch) does not handle this
well. If the connection timeout patch suffices, then I could honestly
say Apache LDAP is stable and ready for enhancements again.


I did see bnicholes commit something which addressed a missing cleanup if
a lookup failed through a bad connection.

Can you test the latest SVN trunk and see if the problem is still there?

The LDAP stuff should still "do the right thing" even if LDAP connections
are timing out and not closed down correctly. The only side effect of not
having the timeout patch should be connections hanging around (in itself a
bad thing) - it should never cause the LDAP stuff to give an incorrect
result, although it might slow it down.


We've not seen incorrect results, but "slow it down" is an understatement -- such requests take so long that the user believes the server is hung.

This same issue affects mod_jk as well unless one uses config options provided therein to work around it. [In this case the typical approach is to change the server's socket keep alive heartbeat interval to less than the firewall timeout and to set a mod_jk option for it to set the keep alive option on its sockets.]

--
Jess Holle
