Bug 165108 - authz ldap cache and connection cache do not work
authz ldap cache and connection cache do not work
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mod_authz_ldap (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
Depends On:
  Show dependency treegraph
Reported: 2005-08-04 09:38 EDT by James R Grinter
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-19 14:56:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description James R Grinter 2005-08-04 09:38:08 EDT
Description of problem:

The cache (AuthzLDAPCacheSize) and connection cache (AuthzLDAPCacheConnection) 
settings do not appear to function.

Version-Release number of selected component (if applicable):
(with openldap-2.0.27-17)

How reproducible:
Every Time

Steps to Reproduce:

1. Set up the Apache configuration using AuthzLDAP:

<Directory "/home/web/docs/protected">
  AuthzLDAPEngine on
  AuthzLDAPServer ldap-server
  AuthzLDAPUserBase "o=organisation.com"
  AuthzLDAPUserKey uid
  AuthzLDAPUserScope subtree
  AuthzLDAPCacheConnection on
  AuthzLDAPCacheSize 64

  AuthType basic
  AuthName "protected website"
  require valid-user
  Order deny,allow
  Allow from all

2. Access AuthzLDAP protected resources a number of times in succession.

Actual results:

3. Observe in your LDAP server logs that each HTTP request results in a BIND 
operation on the server (meaning no user cache) and each is on a new TCP 
connection (meaning no TCP connection cache either)

[04/Aug/2005:11:19:41 +0100] conn=1178 op=0 BIND 
dn="uid=myuser,ou=people,l=EU,o=organisation.com" method=128 version=3
[04/Aug/2005:11:19:41 +0100] conn=1179 op=0 BIND 
dn="uid=myuser,ou=people,l=EU,o=organisation.com" method=128 version=3
[04/Aug/2005:11:19:41 +0100] conn=1183 op=0 BIND 
dn="uid=myuser,ou=people,l=EU,o=organisation.com" method=128 version=3

(and so on. This goes on for far more than three BIND operations, spread over 
adjacent seconds and minutes of log entries such that it becomes very clear 
there is no caching of connections or authentication information taking place.)

Also observe the error messages logged in the httpd error_log file:

[Thu Aug 04 11:19:41 2005] [error] [client] [3013] cannot allocat
e memory for ldap cache, referer:
[Thu Aug 04 11:19:41 2005] [error] [client] [3013] cannot allocat
e memory for ldap cache, referer:
[Thu Aug 04 11:19:41 2005] [error] [client] [3013] cannot allocat
e memory for ldap cache, referer:

Expected results:

There should have been only one BIND operation within any reasonable time 
window for a given user id.

Additional info:

From looking through the code for mod_authz_ldap, it becomes clear that the 
logged error is recorded if the LDAP API routine ldap_enable_cache() returns 
failure. In turn, from looking at OpenLDAP SRPM and code, it would appear that 
this is because the feature is not enabled in the openldap build on RHEL3.

(I thought it would be easier to log the initial reproducible bug against the 
mod_authz_ldap component rather than directly against the openldap component, 
lest someone say "oh, but that's just an experimental feature of OpenLDAP."

I'd just like LDAP authentication for Apache to be of sufficient speed for 
production use instead of it also adversely affecting performance of our LDAP 
Comment 1 RHEL Product and Program Management 2007-10-19 14:56:33 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.