Feature #2805
closed
mod_auth caching
Description
I have been experimenting with how lighttpd mod_authn_ldap handles caching and failure scenarios.
It seems that currently nothing is cached, but a TCP connect() is done for each HTTP request. Are there plans to add some caching of authentication results?
Additionally, it seems the code is using libldap in the synchronous or blocking mode, and no timeouts are set for the API calls. If using an LDAP hostname that resolves to multiple IP addresses, the library properly attempts to connect to them in order until a working host is found. However, this may mean the connect() syscall blocks for several seconds in case the first LDAP hosts are not responding. Ideally, the code should use the asynchronous non-blocking APIs, but at a minimum it should set timeouts for the network and the API calls so that it does not totally block.
Added by gstrauss almost 5 years ago
Added by gstrauss almost 5 years ago
[mod_authn_ldap,mod_vhostdb_ldap] add timeout opt (#2805)
auth.backend.ldap.timeout = "2000000" # quoted-string; microseconds
vhostdb.ldap += ("timeout" => "2000000") # quoted-string; microseconds
Default is 2000000 microseconds (2 secs)
These values are converted to struct timeval and passed to
ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, );
ldap_set_option(ld, LDAP_OPT_TIMEOUT, ...);
if those LDAP_OPT_* values are available (both are OpenLDAP-specific).
x-ref:
"mod_auth caching"
https://redmine.lighttpd.net/issues/2805
[mod_auth,mod_vhostdb] add caching option (fixes #2805)
auth.cache = ("max-age" => "600")
vhostdb.cache = ("max-age" => "600")
If specified with an empty array, default max-age is 600 secs (10 mins)
auth.cache = ()
vhostdb.cache = ()
(Note: cache expiration occurs every 8 seconds, so maximum cache time
might be up to max-age + 8 seconds)
x-ref:
"mod_auth caching"
https://redmine.lighttpd.net/issues/2805
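
The note above about the 8-second expiration pass, worked through as an added example (a constructed model, not lighttpd source and not part of the commit): it computes how long a cached auth result can keep being served after it was last validated against the backend. The sweep condition (`now % 8 == 0`), the strict `>` age comparison and all function names are assumptions of the model.

```c
#include <stdio.h>

/* Constructed model, not lighttpd code.
 * Assumptions: entries leave the cache only during a periodic sweep,
 * the sweep runs when (now % SWEEP_INTERVAL) == 0, and a sweep drops an
 * entry once its age exceeds max_age. Lookups between sweeps return
 * whatever is still cached, without re-checking the backend. */
#define SWEEP_INTERVAL 8

struct cache_entry { long ctime; int valid; };

static void sweep(struct cache_entry *e, long now, long max_age) {
    if (e->valid && now - e->ctime > max_age)
        e->valid = 0;
}

/* Age in seconds at which an entry created at `created` is served from
 * cache for the last time. */
long last_served_age(long created, long max_age) {
    struct cache_entry e = { created, 1 };
    long last_hit = 0;
    for (long now = created; e.valid; ++now) {
        if (now % SWEEP_INTERVAL == 0)
            sweep(&e, now, max_age);
        if (e.valid)
            last_hit = now - created;   /* a lookup at `now` still hits */
    }
    return last_hit;
}

/* Worst case over every alignment of creation time to the sweep clock. */
long worst_case_exposure(long max_age) {
    long worst = 0;
    for (long off = 0; off < SWEEP_INTERVAL; ++off) {
        long age = last_served_age(1000 + off, max_age); /* 1000 % 8 == 0 */
        if (age > worst)
            worst = age;
    }
    return worst;
}

int main(void) {
    printf("max-age=600: stale result served for up to %ld s\n",
           worst_case_exposure(600));
    return 0;
}
```

In this model an account disabled in LDAP right after a successful login can still authenticate from cache for the whole max-age plus most of one sweep interval, so choose max-age according to the revocation delay you can tolerate.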