Posted to dev@httpd.apache.org by Joseph Dane <jd...@hawaii.edu> on 2004/05/22 04:19:45 UTC

mod_ldap maybe feature request

since I've seen several LDAP related messages in the past few days, I
might as well unburden myself of a feature request I've had in mind.
I'm just looking for feedback as to whether or not this is a good
idea.

essentially, I'd like to be able to set a maximum lifetime for a
persistent LDAP connection.  an approximation of this would be to
record the time at which a connection was first made, and on
recycling the connection first check if that time was >N seconds ago,
and unbind/rebind if so.

I can describe the situation that caused me to ask for this, if
anyone is interested.

-- 

joe

Re: mod_ldap maybe feature request

Posted by Jess Holle <je...@ptc.com>.
Graham Leggett wrote:

> Paul Querna wrote:
>
>> This would be an interesting application of the AuthN framework stuff in
>> 2.1.0.  It is much easier to setup fallback authentication stuff.
>>
>> Speaking of that, Is there any reason mod_auth_ldap hasn't been moved
>> over to the AuthN/Z Framework?
>
>
> I think partly because nobody has stepped up to the plate to do it, 
> and partly because I think it wants to be out of experimental first.
>
> The authn/z framework is a big change to the code, which makes it 
> difficult to create patches for v2.0. It would be good to see 
> auth_ldap nailed down and out the door 2.0 wise before it gets the 
> authn/z treatment.
>
> I am in the process of testing two segfault fixes, which in theory 
> should nail the last of the segfault problems. Once these issues are 
> put to bed, I'll propose it be moved out of experimental...
>
> Regards,
> Graham

As much as I want to see the multiple (distinct, i.e. not just 
high-availability clones) LDAP feature, I strongly agree with Graham.  
The LDAP module's existing functionality should be stable prior to 
taking on any ambitious new features.

--
Jess Holle


Re: mod_ldap maybe feature request

Posted by Graham Leggett <mi...@sharp.fm>.
Paul Querna wrote:

> This would be an interesting application of the AuthN framework stuff in
> 2.1.0.  It is much easier to setup fallback authentication stuff.
> 
> Speaking of that, Is there any reason mod_auth_ldap hasn't been moved
> over to the AuthN/Z Framework?

I think partly because nobody has stepped up to the plate to do it, and 
partly because I think it wants to be out of experimental first.

The authn/z framework is a big change to the code, which makes it 
difficult to create patches for v2.0. It would be good to see auth_ldap 
nailed down and out the door 2.0 wise before it gets the authn/z treatment.

I am in the process of testing two segfault fixes, which in theory 
should nail the last of the segfault problems. Once these issues are put 
to bed, I'll propose it be moved out of experimental...

Regards,
Graham
--

Re: mod_ldap maybe feature request

Posted by Paul Querna <ch...@force-elite.com>.
On Sun, 2004-05-23 at 15:28 -0500, Jess Holle wrote:
> Actually the repeated one I hear is:
>         Can we have a single resource / URL pattern authenticated
>         against multiple LDAPs (e.g. A, B, C,...) such that if user U
>         is not defined in A, B will be searched, and so forth.  The
>         first LDAP containing an entry found for the user would be
>         bound against and determine pass / fail.
> As I understand it, this is not currently possible.
> 
This would be an interesting application of the AuthN framework stuff in
2.1.0.  It is much easier to setup fallback authentication stuff.

Speaking of that, Is there any reason mod_auth_ldap hasn't been moved
over to the AuthN/Z Framework?

-Paul Querna


Re: mod_ldap maybe feature request

Posted by Jess Holle <je...@ptc.com>.
Actually the repeated one I hear is:

    Can we have a single resource / URL pattern authenticated against
    multiple LDAPs (e.g. A, B, C,...) such that if user U is not defined
    in A, B will be searched, and so forth.  The first LDAP containing
    an entry found for the user would be bound against and determine
    pass / fail.

As I understand it, this is not currently possible.

--
Jess Holle
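
An added illustration of the fallback Jess describes (example code written for this page, not httpd or mod_auth_ldap code): three constructed in-memory directories stand in for LDAP servers A, B and C, `dir_search`/`dir_bind` are hypothetical stand-ins for the search and bind phases, and `chain_authenticate` walks the chain so that the first directory holding an entry for the user is the one bound against and the one whose pass/fail is final.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: one entry per user per directory.  The
 * password field exists only because this is a stand-in; a real bind
 * hands the password to the LDAP server and never compares it locally. */
typedef struct {
    const char *uid;
    const char *password;
} dir_entry_t;

typedef struct {
    const char *name;
    const dir_entry_t *entries;
    size_t count;
} directory_t;

static const dir_entry_t dir_a[] = { {"alice", "a-secret"}, {"dave", "d-secret"} };
static const dir_entry_t dir_b[] = { {"bob", "b-secret"}, {"alice", "b-alice"} };
static const dir_entry_t dir_c[] = { {"carol", "c-secret"} };

/* The chain, in the order it is consulted: A, then B, then C. */
static const directory_t chain[] = {
    { "A", dir_a, sizeof dir_a / sizeof dir_a[0] },
    { "B", dir_b, sizeof dir_b / sizeof dir_b[0] },
    { "C", dir_c, sizeof dir_c / sizeof dir_c[0] },
};

typedef enum { AUTH_GRANTED, AUTH_DENIED, AUTH_USER_NOT_FOUND } auth_result_t;

/* Hypothetical stand-in for the search phase: does d hold an entry for uid? */
static const dir_entry_t *dir_search(const directory_t *d, const char *uid)
{
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->entries[i].uid, uid) == 0)
            return &d->entries[i];
    return NULL;
}

/* Hypothetical stand-in for binding as the found entry. */
static bool dir_bind(const dir_entry_t *e, const char *password)
{
    return strcmp(e->password, password) == 0;
}

/* Walk A, B, C, ...  The first directory that has an entry for uid is
 * authoritative: a failed bind there is a denial, not a reason to try the
 * next directory, otherwise a colliding entry in B could be used to get
 * past a failed bind against A.  decided_by reports which directory
 * settled the result (NULL when no directory knows the user). */
auth_result_t chain_authenticate(const char *uid, const char *password,
                                 const char **decided_by)
{
    *decided_by = NULL;
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        const dir_entry_t *e = dir_search(&chain[i], uid);
        if (e == NULL)
            continue;                      /* not defined here: fall through */
        *decided_by = chain[i].name;
        return dir_bind(e, password) ? AUTH_GRANTED : AUTH_DENIED;
    }
    return AUTH_USER_NOT_FOUND;
}

int main(void)
{
    static const char *const names[] = { "granted", "denied", "user not found" };
    const char *by;
    auth_result_t r;

    r = chain_authenticate("alice", "a-secret", &by);
    printf("alice/a-secret: %s (by %s)\n", names[r], by);
    r = chain_authenticate("alice", "b-alice", &by);   /* B's alice never consulted */
    printf("alice/b-alice:  %s (by %s)\n", names[r], by);
    r = chain_authenticate("carol", "c-secret", &by);
    printf("carol/c-secret: %s (by %s)\n", names[r], by);
    r = chain_authenticate("erin", "x", &by);
    printf("erin/x:         %s\n", names[r]);
    return 0;
}
```

The second call is the case worth keeping in mind when wiring several directories behind one URL: "alice" exists in both A and B, but A is consulted first, so B's entry for the same uid can neither rescue nor override A's verdict.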


Re: mod_ldap maybe feature request

Posted by Joseph Dane <jd...@hawaii.edu>.
Graham Leggett <mi...@sharp.fm> writes:

> This bug describes something similar:
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23548

that is indeed quite similar, but not exactly the same.

in that bug, LDAP connections end up in CLOSE_WAIT, probably because
the LDAP server has decided to close the connection, but the apache
child hasn't noticed yet.

> Apparently the apr_reslist functions are the solution for this in apr-util.
>
> The new code does check for errors properly (in theory), so if a
> connection has timed out, it will gracefully disconnect/cleanup that
> connection before trying to use it again, which might solve
> potential problems you're having.

that would work fine, I think, as long as the timeout calculation
could be done on the apache side.  that is, do not rely on the LDAP
server timing out and handling the reconnect when apache notices that
the connection has been closed.

my problem was that I had a device that turned an apparently valid
TCP connection into a tarpit.  the LDAP server might decide to close
a given connection after 60 minutes, but this device would, after 45
minutes (say) decide to drop the connection, and would do so in a way
(by dropping frames on the floor) that was undetectable by apache.

so it's hard for me to claim that this is a bug in apache, of
course.  and in our case, the problem was solved by having the LDAP
server close the connection sooner, before the device did its evil
business.

still, it would seem to me to be a useful configuration tool to be
able to say something like "don't keep connections to the LDAP server
open longer than N seconds", or something approximating that, anyhow.

-- 

joe

Re: mod_ldap maybe feature request

Posted by Graham Leggett <mi...@sharp.fm>.
Joseph Dane wrote:

> essentially, I'd like to be able to set a maximum lifetime for a
> persistent LDAP connection.  an approximation of this would be to
> record the time at which a connection was first made, and on
> recycling the connection first check if that time was >N seconds ago,
> and unbind/rebind if so.
> 
> I can describe the situation that caused me to ask for this, if
> anyone is interested.

This bug describes something similar: 
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23548

Apparently the apr_reslist functions are the solution for this in apr-util.

The new code does check for errors properly (in theory), so if a 
connection has timed out, it will gracefully disconnect/cleanup that 
connection before trying to use it again, which might solve potential 
problems you're having.

Regards,
Graham
--
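
An added example of the maximum-lifetime check Joe sketches in his first post and again after the tarpit story (record when the connection was bound, and on reuse unbind/rebind if that was more than N seconds ago), alongside the retire-before-reuse behaviour Graham expects from apr_reslist. This is example code written for this page, not mod_ldap or apr-util code: `fake_bind`/`fake_unbind` are hypothetical stand-ins for the SDK's bind and unbind, the pool layout is invented, and the clock is passed in as a parameter so the rotation can be exercised offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

enum { POOL_SIZE = 4 };

typedef struct {
    int    handle;    /* stand-in for an LDAP* handle; 0 means "not bound" */
    time_t bound_at;  /* when this connection was bound, not when last used */
    bool   in_use;
} ldap_conn_t;

typedef struct {
    ldap_conn_t conns[POOL_SIZE];
    int max_lifetime;  /* seconds a bound connection may live; 0 disables */
    int next_handle;   /* hypothetical: source of fake handle numbers */
    int rebinds;       /* how many connections were retired by age */
} ldap_pool_t;

/* Hypothetical stand-ins for the SDK's bind/unbind calls. */
static int fake_bind(ldap_pool_t *p) { return ++p->next_handle; }
static void fake_unbind(int handle) { (void)handle; }

void pool_init(ldap_pool_t *p, int max_lifetime)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        p->conns[i].handle = 0;
        p->conns[i].bound_at = 0;
        p->conns[i].in_use = false;
    }
    p->max_lifetime = max_lifetime;
    p->next_handle = 0;
    p->rebinds = 0;
}

/* The check from the thread: was this connection bound >= N seconds ago?
 * It is measured from the bind, not from the last request, so a busy
 * connection is rotated just as reliably as an idle one. */
bool conn_expired(const ldap_pool_t *p, const ldap_conn_t *c, time_t now)
{
    return c->handle != 0
        && p->max_lifetime > 0
        && (now - c->bound_at) >= p->max_lifetime;
}

/* Hand out a free connection, retiring and rebinding it first if too old.
 * The decision is made purely on the httpd side: a TCP session that a
 * middlebox has started black-holing never reports an error, so waiting
 * for one would leave the child stuck on the next request. */
ldap_conn_t *pool_acquire(ldap_pool_t *p, time_t now)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        ldap_conn_t *c = &p->conns[i];
        if (c->in_use)
            continue;
        if (conn_expired(p, c, now)) {
            fake_unbind(c->handle);
            c->handle = 0;
            p->rebinds++;
        }
        if (c->handle == 0) {
            c->handle = fake_bind(p);
            c->bound_at = now;
        }
        c->in_use = true;
        return c;
    }
    return NULL;  /* pool exhausted; caller falls back to a one-off bind */
}

void pool_release(ldap_conn_t *c) { c->in_use = false; }

int main(void)
{
    ldap_pool_t pool;
    ldap_conn_t *c;

    /* Rotate at 45 minutes, i.e. before a 60-minute server-side close. */
    pool_init(&pool, 45 * 60);
    c = pool_acquire(&pool, 0);
    printf("t=0m   handle %d (new)\n", c->handle);
    pool_release(c);
    c = pool_acquire(&pool, 20 * 60);
    printf("t=20m  handle %d (reused)\n", c->handle);
    pool_release(c);
    c = pool_acquire(&pool, 46 * 60);
    printf("t=46m  handle %d (rebound, %d retired)\n", c->handle, pool.rebinds);
    pool_release(c);
    return 0;
}
```

Setting the lifetime a little below whatever closes idle sessions first in the path to the directory (here the 45-minute device rather than the 60-minute server) is what keeps the check useful: the rebind happens while the old session is still known good, so nothing ever has to notice that it went dead.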