util_ald_cache_purge() is only called when the max number of entries as defined by LDAPCacheEntries/ LDAPOpCacheEntries is reached. If LDAPSharedCacheSize is too small and the max number of entries is never reached, the ldap cache is never purged and the cache hit rate drops rapidly. The comment "/* should be safe to add an entry */" in util_ldap_cache_mgr.c is simply wrong. At the very least, there should be a warning logged when memory allocation fails. Also, a cache purge should be triggered in this case. When the cache is filled less than the 3/4 watermark, it is not possible to do the normal purge. In this case it may make sense to just purge the whole cache. This will still yield a higher cache hit rate than leaving old entries in the cache indefinitely. Maybe the LDAPCacheEntries/ LDAPOpCacheEntries could also be adjusted automatically, but this may be problematic as (AFAICS) all caches share the same shared memory segment.
What version of httpd did this first show up in? I have a Subversion server running httpd 2.2.11 and Subversion 1.6.4 that does authentication against Active Directory LDAP. The cache settings are below. As usage increases the cache hits drop to between 80-90% and when this happens sporadically the time for Subversion operations to complete can increase up to 100 fold. In my testing I have isolated this to the use of LDAP authentication and am suspecting it is some sort of bug in the caching. Could that possibly be related to this bug? LDAPSharedCacheSize 200000 LDAPCacheEntries 1024 LDAPCacheTTL 600 LDAPOpCacheEntries 1024 LDAPOpCacheTTL 600
(In reply to comment #1) I believe the bug was introduced when porting mod_auth_ldap from 1.3 to 2.0. At least 2.0.63 has the same problem. > Could that possibly be related to this bug? Yes. In my experience, LDAPSharedCacheSize 200000 is too small for LDAPCacheEntries 1024 (of course it depends on the particular mod_authnz_ldap configuration). Try increasing LDAPSharedCacheSize by a factor of 10 while leaving the other settings constant and see if that helps.
Thank you for the quick reply! I'm implementing your suggestions and will add another comment with the results, which will take an hour or so to see.
That resolved it! Woohoo! Thanks for your help Stefan!
Fixed in trunk in r822458
This has been fixed in 2.2.15