Bug 46749 - Ldap cache cleaning is broken when LDAPSharedCacheSize is too small
Summary: Ldap cache cleaning is broken when LDAPSharedCacheSize is too small
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ldap (show other bugs)
Version: 2.5-HEAD
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Depends on:
Reported: 2009-02-21 03:12 UTC by Stefan Fritsch
Modified: 2010-04-11 07:39 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Fritsch 2009-02-21 03:12:19 UTC
util_ald_cache_purge() is only called when the max number of entries as defined by LDAPCacheEntries/ LDAPOpCacheEntries is reached. If LDAPSharedCacheSize is too small and the max number of entries is never reached, the ldap cache is never purged and the cache hit rate drops rapidly.

The comment "/* should be safe to add an entry */" in util_ldap_cache_mgr.c is simply wrong. At the very least, there should be a warning logged when memory allocation fails. Also, a cache purge should be triggered in this case. When the cache is filled less than the 3/4 watermark, it is not possible to do the normal purge. In this case it may make sense to just purge the whole cache. This will still yield a higher cache hit rate than leaving old entries in the cache indefinitely.

Maybe the LDAPCacheEntries/ LDAPOpCacheEntries could also be adjusted automatically, but this may be problematic as (AFAICS) all caches share the same shared memory segment.
Comment 1 Justin Johnson 2009-09-24 06:10:16 UTC
What version of httpd did this first show up in?  I have a Subversion server running httpd 2.2.11 and Subversion 1.6.4 that does authentication against Active Directory LDAP.  The cache settings are below.  As usage increases the cache hits drop to between 80-90% and when this happens sporadically the time for Subversion operations to complete can increase up to 100 fold.  In my testing I have isolated this to the use of LDAP authentication and am suspecting it is some sort of bug in the caching.  Could that possibly be related to this bug?

LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
Comment 2 Stefan Fritsch 2009-09-24 08:53:12 UTC
(In reply to comment #1)
I believe the bug was introduced when porting mod_auth_ldap from 1.3 to 2.0. At least 2.0.63 has the same problem.

> Could that possibly be related to this bug?

Yes. In my experience, LDAPSharedCacheSize 200000 is too small for LDAPCacheEntries 1024 (of course it depends on the particular mod_authnz_ldap configuration). Try increasing LDAPSharedCacheSize by a factor of 10 while leaving the other settings constant and see if that helps.
Comment 3 Justin Johnson 2009-09-24 09:28:28 UTC
Thank you for the quick reply!  I'm implementing your suggestions and will add another comment with the results, which will take an hour or so to see.
Comment 4 Justin Johnson 2009-09-24 12:47:04 UTC
That resolved it!  Woohoo!  Thanks for your help Stefan!
Comment 5 Stefan Fritsch 2009-10-06 12:41:34 UTC
Fixed in trunk in r822458
Comment 6 Stefan Fritsch 2010-04-11 07:39:17 UTC
This has been fixed in 2.2.15