Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/09/29 18:30:30 UTC
DO NOT REPLY [Bug 40644] New: - mod_authnz_ldap or mod_ldap does not reuse ldap connections
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=40644>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
Summary: mod_authnz_ldap or mod_ldap does not reuse ldap connections
Product: Apache httpd-2
Version: 2.2.2
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P1
Component: mod_authn_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: jp@dionne.biz
While using mod_authnz_ldap to manage directory access, apache doesn't seem to
reuse existing ldap connections and keeps opening new ones.
It will open as many connections as there are .htaccess files (or <Directory> tags) in
subdirectories. The connections will remain open indefinitely.
To reproduce:
<Directory /var/www/dav>
Options Indexes FollowSymLinks MultiViews
AuthLDAPURL ldap://192.168.123.123/ou=asdf,dc=example,dc=com?cn?one
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
AuthType Basic
AuthName "DAV"
Require valid-user
Dav on
</Directory>
Subdirectories of /var/www/dav have a .htaccess with the single line:
Require ldap-user username
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
------- Additional Comments From ryan@sourcelabs.com 2006-10-03 10:29 -------
Which LDAP server(s) are you using?
Can you attach log snippets?
------- Additional Comments From jp@dionne.biz 2006-10-05 13:07 -------
If I replace the trylock by a lock, the connection count stops increasing.
Konqueror with a webdav:// url will generate multiple PROPFIND requests, which will
make the trylock fail multiple times in a row, causing new ldap connections to
be created.
Any better solution?
Is it possible to cache the binddn and bindpw information?
When does the ldap connection pool cleanup occur?
------- Additional Comments From bnicholes@apache.org 2006-10-02 11:15 -------
I am unable to reproduce this problem. It is true that once a new ldap
connection is established, it will remain indefinitely (which is by design), but
I am not seeing a connection per user. My tests are showing that the
connections in the pool are being reused.
------- Additional Comments From jp@dionne.biz 2006-10-03 14:21 -------
The number of connections does not always increase on every http request.
We use only one openldap server from fedora core 5 : 2.3.19-4 on AMD x86_64
We found one simple way to make the connections increase gradually:
- With two different browsers (konqueror and firefox), list the root directory
with two different user credentials.
- Count the number of ldap connections with:
lsof -p $(pgrep httpd | xargs echo | sed 's/\ /,/g') | grep ldap | grep ESTABLISHED | wc
- Keep refreshing the pages of the two browsers.
You will notice the count of connections will increase gradually. At some point
it will increase by the number of subdirectories with .htaccess. It will
eventually DOS the ldap server with a large number of subdirectories.
We also reproduced the bug with an httpd compiled from source with:
./configure --prefix=/opt/apache-2.2.2 --with-ldap --enable-dav --enable-dav-fs --enable-dav-lock --enable-authnz-ldap --enable-ldap
Our ldap server is on the same ethernet lan.
By the way, bug 40639 is a duplicate of this bug, not bug 40640.
------- Additional Comments From bnicholes@apache.org 2006-10-04 16:09 -------
(In reply to comment #6)
> In uldap_connection_find() if we log the decision to create a new connexion
> at module/ldap/ldap_util.c:512 , here's what the log looks like:
You need to get more information here. Rather than just logging a message
that states that a new connection is being created, you need to log why it
failed the two previous if statements where it was searching for an existing
connection. Did it fail because there weren't any connections available? In
other words, did the trylock() fail? Or because the criteria didn't match?
> By the way we don't know how to avoid the "require directives present and no
> Authoritative handler" error message.
You need to add AuthzLDAPAuthoritative ON to your configuration.
jp@dionne.biz changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |RESOLVED
Resolution| |INVALID
------- Additional Comments From jp@dionne.biz 2006-10-06 07:43 -------
(In reply to comment #10)
> multiple connections in a multi-threaded environment. You would serialize
> everthing on a single connection.
You are right. I had mistaken binddn and bindpw for the user dn and password
used for authentication. I was expecting to serialize the requests per user, not
for all users.
> If you are referring to the user names
> and passwords that are passed in by the user for authentication, those are
> already cached in an entirely different area of the code. But that is a
> completely different issue that has nothing to do with the ldap connection
> pool.
I was indeed referring to this. Thank you very much for your help. This bug
can be marked as invalid.
rpluem@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
------- Additional Comments From rpluem@apache.org 2006-10-03 14:57 -------
(In reply to comment #3)
> You will notice the count of connections will increase gradually. At some point
> it will increase by the number of subdirectories with .htaccess. It will
Does this also happen with no .htaccess files present / AllowOverride set to None
for all directories?
------- Additional Comments From rpluem@apache.org 2006-10-03 14:52 -------
*** Bug 40639 has been marked as a duplicate of this bug. ***
------- Additional Comments From jp@dionne.biz 2006-10-05 13:03 -------
Created an attachment (id=18967)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=18967&action=view)
uldap_connection_find trylock patch
------- Additional Comments From jp@dionne.biz 2006-10-04 13:09 -------
With no .htaccess in the subdirectories and one .htaccess with one require
ldap-user at the root, the connection count does reach about 16 connections.
We also did the test of replacing every .htaccess with a <Directory> tag in
httpd.conf and we encounter the same behaviour: with 100 directory tags, the
connection count increases suddenly to a hundred.
In uldap_connection_find() if we log the decision to create a new connection at
module/ldap/ldap_util.c:512, here's what the log looks like:
*** When the connection count does not increase ***
[Wed Oct 04 15:48:27 2006] [error] [client 192.168.3.124] access to /dav/user1/ failed, reason: require directives present and no Authoritative handler.
[Wed Oct 04 15:48:27 2006] [error] [client 192.168.3.124] access to /dav/user2/ failed, reason: require directives present and no Authoritative handler.
[Wed Oct 04 15:48:27 2006] [error] [client 192.168.3.124] access to /dav/user3/ failed, reason: require directives present and no Authoritative handler.
...
*** When it increases ***
[Wed Oct 04 15:48:27 2006] [error] LDAP: Can't reuse connection (module/ldap/ldap_util.c:512)
[Wed Oct 04 15:48:27 2006] [error] [client 192.168.3.124] access to /dav/ecalvo/ failed, reason: require directives present and no Authoritative handler.
[Wed Oct 04 15:48:27 2006] [error] LDAP: Can't reuse connection (module/ldap/ldap_util.c:512)
[Wed Oct 04 15:48:27 2006] [error] [client 192.168.3.124] access to /dav/jbeaulieu/ failed, reason: require directives present and no Authoritative handler.
[Wed Oct 04 15:48:27 2006] [error] LDAP: Can't reuse connection (module/ldap/ldap_util.c:512)
[Wed Oct 04 15:48:27 2006] [error] [client 192.168.3.124] access to /dav/jfpetri/ failed, reason: require directives present and no Authoritative handler.
...
By the way, we don't know how to avoid the "require directives present and no
Authoritative handler" error message.
------- Additional Comments From bnicholes@apache.org 2006-10-05 14:44 -------
(In reply to comment #9)
> If I replace the trylock by a lock , the connection count stop to increase.
The reason why it stops increasing is because you have effectively eliminated the
connection pool. By replacing the trylock with a lock, all threads will block
waiting for their turn to use the single ldap connection. No new connections
will ever be created. So rather than increasing performance by allowing
multiple connections in a multi-threaded environment, you would serialize
everything on a single connection.
> Any better solution?
I am still not seeing a reuse problem in my testing, so I am unable to
formulate a better solution to a problem that I am unable to identify. In my
testing I am seeing the connections being reused as they should. The idea
here is to satisfy a performance issue. Creating and destroying LDAP
connections is a lot of overhead. A connection pool is a way to eliminate the
overhead. If the ldap traffic requires 2 connections to adequately perform
the necessary operations, then the pool will contain 2 connections. If it
requires 200 connections, then the pool size will increase to 200.
> Is it possible to cache the binddn and bindpw information?
There isn't any need to cache the binddn and bindpw. The same dn and password
are used for all of the connections created for the associated AuthLDAPURL.
This is the binddn and bindpw that was specified through the AuthLDAPBindDN
and AuthLDAPBindPassword directives. If you are referring to the user names
and passwords that are passed in by the user for authentication, those are
already cached in an entirely different area of the code. But that is a
completely different issue that has nothing to do with the ldap connection
pool.
> When does the ldap connection pool cleanup occur?
Depends on what you are talking about. Bad connections or broken connections
are taken care of all of the time. If a bad connection is detected, it is
deleted and re-established, but the size of the pool remains the same.
Shrinking the size of the connection pool is never done. The only time that
the connection pool is cleaned up is at shutdown time. Many LDAP servers will
have a connection timeout set. For example openldap has the idletimeout
directive which will unbind an idle connection after a specified period of
time. In this case, mod_ldap would detect that the connection has been
forcibly closed and re-establish the connection the next time it is needed.
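An added model of the pool behaviour described in this comment (written for this thread, not code from httpd's mod_ldap): uldap_connection_find() is reduced to its match-then-trylock decision, so a burst of overlapping requests for one AuthLDAPURL grows the pool to the burst size and the pool never shrinks, while the reporter's trylock-to-lock change keeps it at a single connection and parks every other request. Structure names, the host/port/bind DN matching and the anonymous bind are assumptions taken from the thread's configuration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_POOL 256
/* One pooled connection: mod_ldap matches a request to a connection by server,
 * port and bind DN; in_use stands in for the lock that trylock() tests.
 * The structure and its names are constructed for this model. */
typedef struct { char host[64]; int port; char binddn[128]; bool in_use; } ldap_conn_t;

typedef struct {
    ldap_conn_t conns[MAX_POOL];
    size_t count;        /* grows on demand, never shrinks before shutdown */
    bool blocking_lock;  /* true models the reporter's trylock -> lock patch */
} ldap_pool_t;

/* Returns the index of the acquired connection, or -1 when a blocking lock()
 * would have parked the caller behind a busy matching connection. */
static int pool_find(ldap_pool_t *p, const char *host, int port, const char *binddn)
{
    for (size_t i = 0; i < p->count; i++) {
        ldap_conn_t *c = &p->conns[i];
        if (c->port != port || strcmp(c->host, host) || strcmp(c->binddn, binddn))
            continue;                     /* criteria do not match */
        if (!c->in_use) {                 /* trylock() succeeds: reuse it */
            c->in_use = true;
            return (int)i;
        }
        if (p->blocking_lock)             /* lock(): wait instead of grow */
            return -1;
    }
    if (p->count >= MAX_POOL)
        return -1;
    ldap_conn_t *c = &p->conns[p->count]; /* nothing free: open a new one */
    snprintf(c->host, sizeof c->host, "%s", host);
    snprintf(c->binddn, sizeof c->binddn, "%s", binddn);
    c->port = port;
    c->in_use = true;
    return (int)p->count++;
}

static void pool_release(ldap_pool_t *p, int idx)
{
    if (idx >= 0 && (size_t)idx < p->count)
        p->conns[idx].in_use = false;
}

/* `overlap` requests for the same AuthLDAPURL in flight at once (a burst of
 * PROPFINDs), then all released. Returns the resulting pool size. Empty bind
 * DN = anonymous bind, as in the reported config without AuthLDAPBindDN. */
static size_t burst(ldap_pool_t *p, int overlap)
{
    int held[MAX_POOL];
    if (overlap > MAX_POOL) overlap = MAX_POOL;
    for (int i = 0; i < overlap; i++)
        held[i] = pool_find(p, "192.168.123.123", 389, "");
    for (int i = 0; i < overlap; i++)
        pool_release(p, held[i]);
    return p->count;
}
```

Watching `burst` with growing overlap values is the same signal the reporter counted with lsof: the pool only ever grows, so a sustained high-water mark of connections reflects the peak number of overlapping requests, not a leak.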