This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 264681 - mod_ldap stops caching with per-vhost directive use
mod_ldap stops caching with per-vhost directive use
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd (Show other bugs)
5.0
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-29 14:37 EDT by Kaj J. Niemi
Modified: 2011-07-21 07:46 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 676635 (view as bug list)
Environment:
Last Closed: 2011-07-21 04:53:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kaj J. Niemi 2007-08-29 14:37:15 EDT
Description of problem:
Web server with using mod_ldap, mod_auhtnz_ldap hits directory servers with huge amounts of 
requests instead of cacheing the reply and only querying the directory server after the cache times out.

Version-Release number of selected component (if applicable):
httpd 2.2.3-7.el5, x86_64

doesn't make a difference if one recompiles newer apr, apr-util and httpd (from rawhide) on el5 x86_64 
and tries them

How reproducible:
At least to me always on multiple systems

Steps to Reproduce:

This is isolated from production but able to reproduce at will in both environments

1. add to httpd.conf:

#
# Global LDAP stuff
#
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/basenca.crt
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/basenfica.crt
LDAPVerifyServerCert On

# values are refefaults really
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# to check cache
<Location /ldap-status>
      SetHandler ldap-status
</Location>

#example virtualhost

<VirtualHost *:443>
    ServerName vmw-1.test.basen.net

    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/pki/tls/certs/vmw-1-test-basen-net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/vmw-1-test-basen-net.key
    SSLCACertificatePath /etc/openldap/cacerts

    LDAPTrustedMode TLS

    DocumentRoot /var/www/html

    <Location />
       AuthType basic
       AuthBasicProvider ldap
       AuthBasicAuthoritative on

       AuthName "LDAP authentication"
       require ldap-attribute host=vmw-1.test.basen.net

       AuthLDAPUrl ldap://vmw-2.test.basen.net/dc=basen,dc=net?uid?sub?(objectClass=posixAccount)
       AuthzLDAPAuthoritative off
   </Location>

    <Location /repos>
        DAV svn
        SVNParentPath /data/svn-root
    
        # Require SSL connection for password protection.
        SSLRequireSSL

    </Location>
</VirtualHost>


2. Access the virtualhost URL and/or anything behind the test svn
3. Check counters on /ldap-status
4. Check the amount of searches & binds hitting the test directory server
  
Actual results:
1 hit/request

Expected results:
Per user/virtualhost/something I should only see one search, not one/reload?

Additional info:
Documentation implies it is always on unless you turn it off.

Running server in debug returns the following to STDOUT (not error_log):

[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1563): LDAP: SSL trusted global cert - /etc/openldap/
cacerts/basenca.crt (type CA_BASE64)
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1563): LDAP: SSL trusted global cert - /etc/openldap/
cacerts/basenfica.crt (type CA_BASE64)
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1728): LDAP: SSL verify server certificate - TRUE
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1315): [29782] ldap cache: Setting shared memory  
cache size to 200000 bytes.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1387): [29782] ldap cache: Setting search cache size 
to 1024 entries.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1363): [29782] ldap cache: Setting cache TTL to 
600000000 microseconds.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1432): [29782] ldap cache: Setting operation cache 
size to 1024 entries.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1408): [29782] ldap cache: Setting operation cache 
TTL to 600000000 microseconds.
[Wed Aug 29 18:35:06 2007] [debug] util_ldap.c(1692): LDAP: SSL trusted mode - TLS

Clearly the settings are being acknowledged. I tried looking at the logic in mod_ldap_*.c files but got 
kind of confused on how it is really supposed to work.

Alternatively if apache is compiled without shared memory it's not supposed to work at all however the 
scoreboard is using shared memory and so is SSL cache?

Let me know if you guys need any further info, I'll be happy to debug further if I get a pointer at what to 
look at :)
Comment 1 Joe Orton 2011-02-04 11:11:12 EST
Sorry that this got dropped.

Per-vhost use of LDAP directives can cause this and is likely given the configuration above; we can backport the fix:

http://svn.apache.org/viewvc?rev=963086&view=rev
Comment 5 errata-xmlrpc 2011-07-21 04:53:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html
Comment 6 errata-xmlrpc 2011-07-21 07:46:00 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html

Note You need to log in before you can comment on or make changes to this bug.