Bug 264681
| Summary: | mod_ldap stops caching with per-vhost directive use | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Kaj J. Niemi <kajtzu> | |
| Component: | httpd | Assignee: | Joe Orton <jorton> | |
| Status: | CLOSED ERRATA | QA Contact: | ||
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 5.0 | |||
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 676635 (view as bug list) | Environment: | ||
| Last Closed: | 2011-07-21 08:53:39 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Sorry that this got dropped. Per-vhost use of LDAP directives can cause this and is likely given the configuration above; we can backport the fix: http://svn.apache.org/viewvc?rev=963086&view=rev An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1067.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1067.html |
Description of problem: Web server with using mod_ldap, mod_auhtnz_ldap hits directory servers with huge amounts of requests instead of cacheing the reply and only querying the directory server after the cache times out. Version-Release number of selected component (if applicable): httpd 2.2.3-7.el5, x86_64 doesn't make a difference if one recompiles newer apr, apr-util and httpd (from rawhide) on el5 x86_64 and tries them How reproducible: At least to me always on multiple systems Steps to Reproduce: This is isolated from production but able to reproduce at will in both environments 1. add to httpd.conf: # # Global LDAP stuff # LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/basenca.crt LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/basenfica.crt LDAPVerifyServerCert On # values are refefaults really LDAPSharedCacheSize 200000 LDAPCacheEntries 1024 LDAPCacheTTL 600 LDAPOpCacheEntries 1024 LDAPOpCacheTTL 600 # to check cache <Location /ldap-status> SetHandler ldap-status </Location> #example virtualhost <VirtualHost *:443> ServerName vmw-1.test.basen.net SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLCertificateFile /etc/pki/tls/certs/vmw-1-test-basen-net.crt SSLCertificateKeyFile /etc/pki/tls/private/vmw-1-test-basen-net.key SSLCACertificatePath /etc/openldap/cacerts LDAPTrustedMode TLS DocumentRoot /var/www/html <Location /> AuthType basic AuthBasicProvider ldap AuthBasicAuthoritative on AuthName "LDAP authentication" require ldap-attribute host=vmw-1.test.basen.net AuthLDAPUrl ldap://vmw-2.test.basen.net/dc=basen,dc=net?uid?sub?(objectClass=posixAccount) AuthzLDAPAuthoritative off </Location> <Location /repos> DAV svn SVNParentPath /data/svn-root # Require SSL connection for password protection. SSLRequireSSL </Location> </VirtualHost> 2. Access the virtualhost URL and/or anything behind the test svn 3. Check counters on /ldap-status 4. Check the amount of searches & binds hitting the test directory server Actual results: 1 hit/request Expected results: Per user/virtualhost/something I should only see one search, not one/reload? Additional info: Documentation implies it is always on unless you turn it off. Running server in debug returns the following to STDOUT (not error_log): [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1563): LDAP: SSL trusted global cert - /etc/openldap/ cacerts/basenca.crt (type CA_BASE64) [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1563): LDAP: SSL trusted global cert - /etc/openldap/ cacerts/basenfica.crt (type CA_BASE64) [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1728): LDAP: SSL verify server certificate - TRUE [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1315): [29782] ldap cache: Setting shared memory cache size to 200000 bytes. [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1387): [29782] ldap cache: Setting search cache size to 1024 entries. [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1363): [29782] ldap cache: Setting cache TTL to 600000000 microseconds. [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1432): [29782] ldap cache: Setting operation cache size to 1024 entries. [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1408): [29782] ldap cache: Setting operation cache TTL to 600000000 microseconds. [Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1692): LDAP: SSL trusted mode - TLS Clearly the settings are being acknowledged. I tried looking at the logic in mod_ldap_*.c files but got kind of confused on how it is really supposed to work. Alternatively if apache is compiled without shared memory it's not supposed to work at all however the scoreboard is using shared memory and so is SSL cache? Let me know if you guys need any further info, I'll be happy to debug further if I get a pointer at what to look at :)