You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Philipp Gühring <pg...@futureware.at> on 2012/02/29 12:31:36 UTC

Subversion-LDAP problems

Hi,

I am having a problem with Subversion+LDAP:
I have a repository with approximately a million files.
The subversion client sends every file a HTTP request to the Apache server.
I am using LDAP authentication for Apache+Subversion.
mod_ldap caches some searches, but it still does one LDAP request per HTTP
request to authenticate the user.
The LDAP server I am using does not allow too many requests in a short
timeframe, 
and returns "Administrative Limit Exceeded" LDAP errors when receiving too
many requests.
Apache mod_ldap treats Administrative Limit Exceeded errors as errors,
does not retry, and deliver a 500 Internal Server Error to the svn client.
The svn client treats a 500 Internal Server Error as an error, and
rolls-back the whole action (commit).
Practically, it´s impossible with this setup to commit a larger amount of
files at once, the commit never works.

I already asked the LDAP server admins to change from returning 500 to
making a delay and returning a valid LDAP response instead.
I already asked Apache mod_ldap to improve caching the authentication
responses.

Now my suggestion for Subversion client is to add functionality be able to
automatically retry (after a few seconds and only a few times) a request
in case it received a 500 HTTP error.
It would be good if it is possible to set options for how often to retry,
and/or how often to wait.

For the subversion server / apache (I don´t know exactly which module does
what in this code-path), I think it is perhaps an idea to map the LDAP
"Administrative Limit exceeded" to a temporary error, which can be better
detected by a client and be retried by the client.

Best regards,
Philipp Gühring

Re: Subversion-LDAP problems

Posted by Daniel Shahaf <da...@elego.de>.

Philipp Gühring wrote on Wed, Feb 29, 2012 at 12:31:36 +0100:
> Hi,
> 
> I am having a problem with Subversion+LDAP:
> I have a repository with approximately a million files.
> The subversion client sends every file a HTTP request to the Apache server.

What kind of requests?  GETs or PUTs?

Are you using ra_serf?  Try switching to ra_neon.  (See 'svn --version'.)

> Now my suggestion for Subversion client is to add functionality be able to
> automatically retry (after a few seconds and only a few times) a request
> in case it received a 500 HTTP error.
> It would be good if it is possible to set options for how often to retry,
> and/or how often to wait.
> 
> For the subversion server / apache (I don´t know exactly which module does
> what in this code-path), I think it is perhaps an idea to map the LDAP
> "Administrative Limit exceeded" to a temporary error, which can be better
> detected by a client and be retried by the client.
> 

Subversion does not directly interface with LDAP.  Either httpd handles
everything itself, or it exposes to us a non-LDAP-specific authnz API.

> Best regards,
> Philipp Gühring
> 

HTH.  I'm not an httpd expert, though, so others here (or perhaps on
users@httpd) may have better ideas.