Description of problem: The cache (AuthzLDAPCacheSize) and connection cache (AuthzLDAPCacheConnection) settings do not appear to function. Version-Release number of selected component (if applicable): mod_authz_ldap-0.22-5 (with openldap-2.0.27-17) How reproducible: Every Time Steps to Reproduce: 1. Set up the Apache configuration using AuthzLDAP: <Directory "/home/web/docs/protected"> ... AuthzLDAPEngine on AuthzLDAPServer ldap-server AuthzLDAPUserBase "o=organisation.com" AuthzLDAPUserKey uid AuthzLDAPUserScope subtree AuthzLDAPCacheConnection on AuthzLDAPCacheSize 64 AuthType basic AuthName "protected website" require valid-user Order deny,allow Allow from all </Directory> 2. Access AuthzLDAP protected resources a number of times in succession. Actual results: 3. Observe in your LDAP server logs that each HTTP request results in a BIND operation on the server (meaning no user cache) and each is on a new TCP connection (meaning no TCP connection cache either) [04/Aug/2005:11:19:41 +0100] conn=1178 op=0 BIND dn="uid=myuser,ou=people,l=EU,o=organisation.com" method=128 version=3 [04/Aug/2005:11:19:41 +0100] conn=1179 op=0 BIND dn="uid=myuser,ou=people,l=EU,o=organisation.com" method=128 version=3 [04/Aug/2005:11:19:41 +0100] conn=1183 op=0 BIND dn="uid=myuser,ou=people,l=EU,o=organisation.com" method=128 version=3 (and so on. This goes on for far more than three BIND operations, spread over adjacent seconds and minutes of log entries such that it becomes very clear there is no caching of connections or authentication information taking place.) Also observe the error messages logged in the httpd error_log file: [Thu Aug 04 11:19:41 2005] [error] [client 192.168.44.14] [3013] cannot allocat e memory for ldap cache, referer: http://192.168.44.112/scripts/menu.cgi [Thu Aug 04 11:19:41 2005] [error] [client 192.168.44.14] [3013] cannot allocat e memory for ldap cache, referer: http://192.168.44.112/scripts/menu.cgi [Thu Aug 04 11:19:41 2005] [error] [client 192.168.44.14] [3013] cannot allocat e memory for ldap cache, referer: http://192.168.44.112/scripts/menu.cgi Expected results: There should have been only one BIND operation within any reasonable time window for a given user id. Additional info: From looking through the code for mod_authz_ldap, it becomes clear that the logged error is recorded if the LDAP API routine ldap_enable_cache() returns failure. In turn, from looking at OpenLDAP SRPM and code, it would appear that this is because the feature is not enabled in the openldap build on RHEL3. (I thought it would be easier to log the initial reproducible bug against the mod_authz_ldap component rather than directly against the openldap component, lest someone say "oh, but that's just an experimental feature of OpenLDAP." I'd just like LDAP authentication for Apache to be of sufficient speed for production use instead of it also adversely affecting performance of our LDAP servers.)
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet that criteria, it is now being closed. For more information of the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.