Bug 264681 - mod_ldap stops caching with per-vhost directive use
Summary: mod_ldap stops caching with per-vhost directive use
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-29 18:37 UTC by Kaj J. Niemi
Modified: 2011-07-21 11:46 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 676635 (view as bug list)
Environment:
Last Closed: 2011-07-21 08:53:39 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1067 0 normal SHIPPED_LIVE httpd bug fix and enhancement update 2011-07-21 08:51:15 UTC

Description Kaj J. Niemi 2007-08-29 18:37:15 UTC 
Description of problem:
Web server with using mod_ldap, mod_auhtnz_ldap hits directory servers with huge amounts of 
requests instead of cacheing the reply and only querying the directory server after the cache times out.

Version-Release number of selected component (if applicable):
httpd 2.2.3-7.el5, x86_64

doesn't make a difference if one recompiles newer apr, apr-util and httpd (from rawhide) on el5 x86_64 
and tries them

How reproducible:
At least to me always on multiple systems

Steps to Reproduce:

This is isolated from production but able to reproduce at will in both environments

1. add to httpd.conf:

#
# Global LDAP stuff
#
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/basenca.crt
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/basenfica.crt
LDAPVerifyServerCert On

# values are refefaults really
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# to check cache
<Location /ldap-status>
      SetHandler ldap-status
</Location>

#example virtualhost

<VirtualHost *:443>
    ServerName vmw-1.test.basen.net

    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/pki/tls/certs/vmw-1-test-basen-net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/vmw-1-test-basen-net.key
    SSLCACertificatePath /etc/openldap/cacerts

    LDAPTrustedMode TLS

    DocumentRoot /var/www/html

    <Location />
       AuthType basic
       AuthBasicProvider ldap
       AuthBasicAuthoritative on

       AuthName "LDAP authentication"
       require ldap-attribute host=vmw-1.test.basen.net

       AuthLDAPUrl ldap://vmw-2.test.basen.net/dc=basen,dc=net?uid?sub?(objectClass=posixAccount)
       AuthzLDAPAuthoritative off
   </Location>

    <Location /repos>
        DAV svn
        SVNParentPath /data/svn-root
    
        # Require SSL connection for password protection.
        SSLRequireSSL

    </Location>
</VirtualHost>


2. Access the virtualhost URL and/or anything behind the test svn
3. Check counters on /ldap-status
4. Check the amount of searches & binds hitting the test directory server
  
Actual results:
1 hit/request

Expected results:
Per user/virtualhost/something I should only see one search, not one/reload?

Additional info:
Documentation implies it is always on unless you turn it off.

Running server in debug returns the following to STDOUT (not error_log):

[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1563): LDAP: SSL trusted global cert - /etc/openldap/
cacerts/basenca.crt (type CA_BASE64)
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1563): LDAP: SSL trusted global cert - /etc/openldap/
cacerts/basenfica.crt (type CA_BASE64)
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1728): LDAP: SSL verify server certificate - TRUE
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1315): [29782] ldap cache: Setting shared memory  
cache size to 200000 bytes.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1387): [29782] ldap cache: Setting search cache size 
to 1024 entries.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1363): [29782] ldap cache: Setting cache TTL to 
600000000 microseconds.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1432): [29782] ldap cache: Setting operation cache 
size to 1024 entries.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1408): [29782] ldap cache: Setting operation cache 
TTL to 600000000 microseconds.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1692): LDAP: SSL trusted mode - TLS

Clearly the settings are being acknowledged. I tried looking at the logic in mod_ldap_*.c files but got 
kind of confused on how it is really supposed to work.

Alternatively if apache is compiled without shared memory it's not supposed to work at all however the 
scoreboard is using shared memory and so is SSL cache?

Let me know if you guys need any further info, I'll be happy to debug further if I get a pointer at what to 
look at :)
Comment 1 Joe Orton 2011-02-04 16:11:12 UTC 
Sorry that this got dropped.

Per-vhost use of LDAP directives can cause this and is likely given the configuration above; we can backport the fix:

http://svn.apache.org/viewvc?rev=963086&view=rev
Comment 5 errata-xmlrpc 2011-07-21 08:53:39 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html
Comment 6 errata-xmlrpc 2011-07-21 11:46:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html
Note You need to log in before you can comment on or make changes to this bug.