Project

General

Profile

Feature #2805

mod_auth caching

Added by tteras 6 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
mod_auth
Target version:
Start date:
2017-04-10
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

I have been experimenting with lighttpd mod_authn_ldap how it handles caching and failure scenarios.

It seems that currently nothing is cached, but a TCP connect() is done for each HTTP request. Is there plans to add some caching of authentication results?

Additionally, it seems the code is using libldap in the synchronous or blocking mode, and no timeouts are set for the API calls. If using LDAP hostname that resolves to multiple IP-addresses the library properly attempts to connect them in order until a working host is found. However, this may mean the connect() syscall blocks for several seconds in case the first ldap hosts are not responding. Ideally, the code should use the asynchronous non-block APIs, but at least as minimum set timeouts for network and the API calls to not totally block.

History

#1 Updated by gstrauss 6 months ago

  • Tracker changed from Bug to Feature
  • Subject changed from mod_authn_ldap scalability to mod_authn_* caching

A caching layer is planned, but not yet implemented. If you looked at the code, you might have noted that the mod_authn_* modules are written such that a single, shared caching layer can be implemented (and, potentially, an optional per-module cache if deemed necessary). This will be configurable since lighttpd is also used on small-memory systems where excess memory usage might need to be avoided.

As for the module being synchronous, yes, that is a known limitation and documented in the code. However, there are no current plans to reimplement as an asynchronous. A cache will alleviate some of this pressure. Timeouts will be considered, or potentially handled in worker threads. Still, nothing is planned at the moment besides a caching layer.

#2 Updated by gstrauss 6 months ago

  • Subject changed from mod_authn_* caching to mod_auth caching

#3 Updated by tteras 6 months ago

How about making LDAP_OPT_TIMEOUT (and potentially LDAP_OPT_NETWORK_TIMEOUT) options via ldap_set_option() be configurable with a sane default. The libldap default is indefinite, and can cause mod-authn-ldap to block lighttpd for several tens of seconds when the remote host becomes unresponsive.

#4 Updated by gstrauss 6 months ago

Worth considering. Patches welcome and will be reviewed.

#5 Updated by gstrauss 6 months ago

FYI: http://openldap-technical.openldap.narkive.com/yjqvvd9a/ldapbind-timeout-can-t-work

According to the above, LDAP_OPT_TIMEOUT was not honored until OpenLDAP 2.4. Still, will consider use where available.

Also available in: Atom