|Summary:|Option to cache negative LDAP searches|
|Product:|Apache httpd-2|
|Reporter:|Markus Duft <markus.duft>|
|Component:|mod_ldap|
|Assignee:|Apache HTTPD Bugs Mailing List <bugs>|
Updated proposed patch
Description Markus Duft 2017-12-14 12:17:32 UTC
According to the documentation:

"The search/bind cache is used to cache all searches that resulted in successful binds. Negative results (i.e., unsuccessful searches, or searches that did not result in a successful bind) are not cached. The rationale behind this decision is that connections with invalid credentials are only a tiny percentage of the total number of connections, so by not caching invalid credentials, the size of the cache is reduced."

This is extremely bad for our use case. We configure multiple providers using AuthnProviderAlias for different LDAP servers. Now assume we have providers 'a', 'b', and 'c' in order. A user who is valid for provider 'c' authenticates. For every subsequent request, servers 'a' and 'b' are queried over and over again for the same user (which does not exist), and only the cache for the URL configured in provider 'c' will hit successfully.

In our scenario this causes severe performance issues. It would be great to have an option to switch on caching for negative hits - even at the cost of being much more memory intensive.
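The lookup pattern described in this report, as an added simulation that is not part of the original report and is not mod_ldap code. The provider names a, b and c come from the description; the `Provider` class, the user `alice`, the password and the TTL are constructed, and negative caching here is assumed to cover only "user not found" searches.

```python
NOT_FOUND = object()  # marker for a cached negative search result

class Provider:
    """Toy stand-in for one AuthnProviderAlias with its own LDAP server and cache."""

    def __init__(self, name, directory, cache_negative, ttl=600):
        self.name = name
        self.directory = directory        # constructed data: user -> password
        self.cache_negative = cache_negative
        self.ttl = ttl                    # seconds a cache entry stays valid
        self.cache = {}                   # user -> (value, expiry time)
        self.queries = 0                  # round trips to the LDAP server

    def check(self, user, password, now):
        entry = self.cache.get(user)
        if entry and entry[1] > now:
            if entry[0] is NOT_FOUND:
                return False              # negative hit: server is not contacted
            if entry[0] == password:
                return True               # positive hit (search/bind cache)
        self.queries += 1                 # cache miss: search (and bind) on the server
        real = self.directory.get(user)
        if real is None:
            if self.cache_negative:       # the behaviour this report asks for
                self.cache[user] = (NOT_FOUND, now + self.ttl)
            return False
        if real == password:
            self.cache[user] = (password, now + self.ttl)
            return True
        return False                      # failed bind: never cached in this toy

def run(cache_negative, requests=100):
    """Authenticate alice once per second through providers a, b, c in order."""
    chain = [Provider("a", {}, cache_negative),
             Provider("b", {}, cache_negative),
             Provider("c", {"alice": "s3cret"}, cache_negative)]
    for now in range(requests):
        if not any(p.check("alice", "s3cret", now) for p in chain):
            raise RuntimeError("alice should authenticate via provider c")
    return {p.name: p.queries for p in chain}

if __name__ == "__main__":
    print("positive-only cache:", run(cache_negative=False))
    print("with negative cache:", run(cache_negative=True))
```

A negative entry also hides a user who is created on that server afterwards until the entry expires, so the TTL bounds how long a stale "not found" answer is served.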
Comment 1 Markus Duft 2017-12-18 15:17:58 UTC
Created attachment 35618: Proposed patch

I've created a small patch for myself, which might be a good starting point for others :)