Posted to users@httpd.apache.org by wr...@donovandata.com on 2004/03/25 23:53:05 UTC

[users@httpd] Problems with LDAP Caching

I am having problems getting LDAP caching going.  It does not work for me
on Apache 2.0.47 or 2.0.49 on a RedHat Linux 7.3 box, but it does work on a
RHEL 2.1 box.

Even though the modules show as loaded in the server-info handler, the
cache always shows as "Cache has not been enabled/initialised." in the
ldap-status handler.  And I see the same LDAP queries repeated over and
over every time a page is loaded, using tcpdump or Ethereal.

I am using the apxs that comes in the httpd tarball.

I have tried many versions of ./configure, e.g.:

./configure --enable-layout=RedHat --with-ldap --enable-ldap
--enable-auth-ldap --enable-mods-shared=most

./configure --enable-layout=RedHat --with-ldap --enable-ldap=static
--enable-auth-ldap=static --enable-mods-shared=all

Other environmental stuff:

# rpm -qa openldap*
openldap-devel-2.0.27-2.7.3
openldap-clients-2.0.27-2.7.3
openldap-2.0.27-2.7.3

http://nms.donovandata.com/server-info#mod_auth_ldap.c
Module Name: mod_auth_ldap.c
Content handlers: none
Configuration Phase Participation: Create Directory Config
Request Phase Participation: Verify User ID, Verify User Access
Module Directives:
      AuthLDAPURL - URL to define LDAP connection. This should be an RFC
      2255 compliant URL of the form
      ldap://host[:port]/basedn[?attrib[?scope[?filter]]].
            Host is the name of the LDAP server. Use a space separated list
            of hosts to specify redundant servers.
            Port is optional, and specifies the port to connect to.
            basedn specifies the base DN to start searches from
            Attrib specifies what attribute to search for in the directory.
            If not provided, it defaults to uid.
            Scope is the scope of the search, and can be either sub or one.
            If not provided, the default is sub.
            Filter is a filter to use in the search. If not provided,
            defaults to (objectClass=*).
      Searches are performed using the attribute and the filter combined.
      For example, assume that the LDAP URL is
      ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*).
      Searches will be done using the filter (&((posixid=*))(uid=username)),
      where username is the user name passed by the HTTP client. The
      search will be a subtree search on the branch ou=People, o=Airius.
      AuthLDAPBindDN - DN to use to bind to LDAP server. If not provided,
      will do an anonymous bind.
      AuthLDAPBindPassword - Password to use to bind to LDAP server. If not
      provided, will do an anonymous bind.
      AuthLDAPRemoteUserIsDN - Set to 'on' to set the REMOTE_USER
      environment variable to be the full DN of the remote user. By
      default, this is set to off, meaning that the REMOTE_USER variable
      will contain whatever value the remote user sent.
      AuthLDAPAuthoritative - Set to 'off' to allow access control to be
      passed along to lower modules if the UserID and/or group is not known
      to this module
      AuthLDAPCompareDNOnServer - Set to 'on' to force auth_ldap to do DN
      compares (for the "require dn" directive) using the server, and set
      it 'off' to do the compares locally (at the expense of possible false
      matches). See the documentation for a complete description of this
      option.
      AuthLDAPGroupAttribute - A list of attributes used to define group
      membership - defaults to member and uniquemember
      AuthLDAPGroupAttributeIsDN - If set to 'on', auth_ldap uses the DN
      that is retrieved from the server for subsequent group comparisons. If
      set to 'off', auth_ldap uses the string provided by the client
      directly. Defaults to 'on'.
      AuthLDAPDereferenceAliases - Determines how aliases are handled
      during a search. Can be one of the values "never", "searching",
      "finding", or "always". Defaults to always.
      AuthLDAPEnabled - Set to off to disable auth_ldap, even if it's been
      enabled in a higher tree
      AuthLDAPFrontPageHack - Set to 'on' to support Microsoft FrontPage
      AuthLDAPCharsetConfig - Character set conversion configuration file.
      If omitted, character set conversion is disabled.
Current Configuration:
      <Directory />
        AuthLDAPEnabled on
        AuthLDAPURL ldap://notes-ny03.ny.dds.net/?cn?sub
        AuthLDAPAuthoritative on
        AuthLDAPGroupAttribute member
      </Directory>
      <Directory /var/www/html/linux>
        AuthLDAPEnabled on
        AuthLDAPURL ldap://notes-ny03.ny.dds.net/?cn?sub
        AuthLDAPAuthoritative on
      </Directory>
      <Location /server-status>
        AuthLDAPEnabled off
      </Location>
      <Location /server-info>
        AuthLDAPEnabled off
      </Location>

Module Name: util_ldap.c
Content handlers: yes
Configuration Phase Participation: Create Server Config
Request Phase Participation: none
Module Directives:
      LDAPSharedCacheSize - Sets the size of the shared memory cache in
      bytes. Zero means disable the shared memory cache. Defaults to 100KB.
      LDAPSharedCacheFile - Sets the file of the shared memory
      cache. Nothing means disable the shared memory cache.
      LDAPCacheEntries - Sets the maximum number of entries that are
      possible in the LDAP search cache. Zero means no limit; -1 disables
      the cache. Defaults to 1024 entries.
      LDAPCacheTTL - Sets the maximum time (in seconds) that an item can be
      cached in the LDAP search cache. Zero means no limit. Defaults to 600
      seconds (10 minutes).
      LDAPOpCacheEntries - Sets the maximum number of entries that are
      possible in the LDAP compare cache. Zero means no limit; -1 disables
      the cache. Defaults to 1024 entries.
      LDAPOpCacheTTL - Sets the maximum time (in seconds) that an item is
      cached in the LDAP operation cache. Zero means no limit. Defaults to
      600 seconds (10 minutes).
      LDAPTrustedCA - Sets the file containing the trusted Certificate
      Authority certificate. Used to validate the LDAP server certificate
      for SSL connections.
      LDAPTrustedCAType - Specifies the type of the Certificate Authority
      file. The following types are supported: DER_FILE - file in binary
      DER format BASE64_FILE - file in Base64 format CERT7_DB_PATH -
      Netscape certificate database file
Current Configuration:
      LDAPSharedCacheSize 200000
      LDAPCacheEntries 1024
      LDAPCacheTTL 600
      LDAPOpCacheEntries 1024
      LDAPOpCacheTTL 600


Wrolf Courtney
Donovan Data Systems, Inc.
(212) 633-5470
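For reference, here is an httpd 2.0-style configuration fragment that ties together the util_ldap cache directives, the ldap-status handler and the per-directory auth_ldap settings described in the post. It is an added illustration, not the poster's configuration; the module paths, the shared cache file path, the CA file and the LDAP host/base DN are assumed placeholders.

```apache
# util_ldap owns the cache and mod_auth_ldap depends on it, so load
# util_ldap first (module file names are assumed).
LoadModule ldap_module      modules/util_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

# Cache directives belong in the global server context, as in the post.
# LDAPSharedCacheSize: bytes of shared memory, 0 disables the shared cache.
# LDAPSharedCacheFile: backing file for the shared cache (placeholder path).
# LDAPCacheEntries / LDAPOpCacheEntries: -1 disables the respective cache.
LDAPSharedCacheSize 200000
LDAPSharedCacheFile /var/run/httpd/ldap_cache
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

# Only consulted for ldaps:// URLs: validate the directory server's
# certificate against a trusted CA (placeholder file).
LDAPTrustedCA /etc/httpd/conf/ldap-ca.pem
LDAPTrustedCAType BASE64_FILE

# The cache status page reveals cached DNs and hit counts, so limit it
# to the local host rather than publishing it alongside /server-info.
<Location /ldap-status>
    SetHandler ldap-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# Per-directory authentication; host and base DN are placeholders.
<Directory /var/www/html/linux>
    AuthType Basic
    AuthName "LDAP protected area"
    AuthLDAPEnabled on
    AuthLDAPURL ldap://ldap.example.com/ou=People,o=Example?uid?sub
    AuthLDAPAuthoritative on
    require valid-user
</Directory>
```

With the cache active, repeated requests for the same user should hit the search/compare caches rather than producing a fresh LDAP query on every page load, which is what the ldap-status page and a packet capture can be used to confirm.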


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org