Subject DO NOT REPLY [Bug 45834] New: Stale LDAP connections take 15+ minutes to finish queries
Date Thu, 18 Sep 2008 16:03:06 GMT

           Summary: Stale LDAP connections take 15+ minutes to finish
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ldap

I am running a RedHat 5 server to serve SVN and I am using mod_authnz_ldap for
user authentication.  The server is configured correctly; I know this because
shortly after a restart the authentications occur within a reasonable amount of
time.  However, I have noticed that after long periods of inactivity (say over
night) the authentication process will take approximately 15 minutes to
complete.  During the time it is attempting to run the query I see through
netstat that a connection was established and there is something in the
transmit queue, but for some reason it doesn't complete for 15+ minutes.  The
interesting thing is that it does seem to complete.  However, I'm not sure if
it is because it gives up and tries again or if that connection completes.  The
log files in debug mode show very little information, basically only the request
and then some time later the user was authenticated.  Through my debugging I
have noticed that the ldap module does not close the connection to the ldap
server even after long periods of no requests.  Our internal network is complex
and there is a firewall sitting between our server and the LDAP server. However,
the latency is relatively low (less than 85ms) and the load on the LDAP server
is minimal.  I'm assuming it is intentional that the connections don't close, but it
may be contributing to the issue.

I have tried this on apache 2.2.3 that comes with Redhat and I have compiled
apache 2.2.9, and both show the same behavior.  I have included the netstat info
and my configuration below.  I am using the default configuration for just
about everything else.

Is there a way to disable the mod_ldap connection pooling?  I see that each
idle/spare httpd process opens and maintains a connection.
Is there a way to have mod_ldap disconnect after some period of time?  I have
no insight into the firewall; it is possible it does not like the persistent
connection and is a factor.  Ideally I would think if there was no
activity for 15 minutes or so you could disconnect.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address State      
tcp        0    138    ldap.x.x:ldaps ESTABLISHED 

SVN and LDAP configurations files:

LDAPCacheEntries 0
LDAPCacheTTL 600
LDAPConnectionTimeout 10
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPSharedCacheSize 10240       
LDAPTrustedMode SSL
LDAPVerifyServerCert Off

<Location /svn>
        DAV svn

        # Subversion Paths
        SVNParentPath <PATH TO REPOS>
        SVNListParentPath on
        AuthzSVNAccessFile <PATH TO SVN AUTH FILE>

        # Access control policy
        AuthBasicProvider ldap file
        AuthzLDAPAuthoritative Off
        AuthType Basic
        AuthName "Repositories"
        AuthLDAPBindDN XXXXXX
        AuthLDAPBindPassword XXXXXX
        AuthUserFile <PATH TO WWW AUTH FILE>
        Require valid-user
</Location>

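A small check for the symptom the reporter describes, added here as an example and not part of the bug report: it parses `netstat` output and flags ESTABLISHED connections to an LDAP port whose Send-Q is non-zero, which is how a stalled pooled connection shows up while the request waits. The sample output, host names and addresses below are constructed.

```python
# Constructed sample netstat output (not from the original report): one healthy
# ldaps connection, one whose transmit queue has stalled, and an unrelated HTTP one.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address              State
tcp        0      0 10.0.0.5:48211          ldap.example.internal:ldaps  ESTABLISHED
tcp        0    138 10.0.0.5:48212          ldap.example.internal:ldaps  ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.9:51223               ESTABLISHED
"""

# Port names (netstat -t) and numbers (netstat -tn) that mean LDAP traffic.
LDAP_PORTS = {"ldap", "ldaps", "389", "636"}


def parse_netstat(text):
    """Parse the tcp lines of `netstat -t` style output into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the banner and header; data lines start with tcp or tcp6.
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, recv_q, send_q, local, foreign, state = parts[:6]
        rows.append({
            "proto": proto,
            "recv_q": int(recv_q),
            "send_q": int(send_q),
            "local": local,
            "foreign": foreign,
            "state": state,
        })
    return rows


def stalled_ldap_connections(text, min_send_q=1):
    """Return ESTABLISHED connections to an LDAP port that still have bytes
    queued for transmission, the symptom described in the report."""
    stalled = []
    for row in parse_netstat(text):
        # rsplit keeps IPv6 addresses (which contain colons) intact.
        port = row["foreign"].rsplit(":", 1)[-1]
        if (port in LDAP_PORTS and row["state"] == "ESTABLISHED"
                and row["send_q"] >= min_send_q):
            stalled.append(row)
    return stalled


if __name__ == "__main__":
    for row in stalled_ldap_connections(SAMPLE_NETSTAT):
        print(f"stalled: {row['local']} -> {row['foreign']} send_q={row['send_q']}")
```

Run it against `netstat -t` output taken a few seconds apart; a Send-Q that stays non-zero on the same pooled connection points at the path to the LDAP server rather than at httpd.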