Bug 61904 - Option to cache negative LDAP searches
Summary: Option to cache negative LDAP searches
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ldap
Version: 2.4.29
Hardware: PC Linux
Importance: P2 normal with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2017-12-14 12:17 UTC by Markus Duft
Modified: 2017-12-20 14:34 UTC

Attachments
Proposed patch (7.66 KB, patch)
2017-12-18 15:17 UTC, Markus Duft
Updated proposed patch (7.71 KB, patch)
2017-12-20 14:34 UTC, Markus Duft

Description Markus Duft 2017-12-14 12:17:32 UTC
According to the documentation:

"The search/bind cache is used to cache all searches that resulted in successful binds. Negative results (i.e., unsuccessful searches, or searches that did not result in a successful bind) are not cached. The rationale behind this decision is that connections with invalid credentials are only a tiny percentage of the total number of connections, so by not caching invalid credentials, the size of the cache is reduced."

This is extremely bad for our use case. We configure multiple providers using AuthnProviderAlias for different LDAP servers. Now assume we have providers 'a', 'b', and 'c' in order. A user who is valid for provider 'c' authenticates. For every subsequent request, servers 'a' and 'b' are queried over and over again for the same user (which does not exist), and only the cache for the URL configured in provider 'c' will hit successfully.

In our scenario this causes severe performance issues. It would be great to have an option to switch on caching for negative hits - even at the cost of being much more memory intensive.
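
The effect described in the report above, as an added simulation that is not part of the bug report, the attached patch, or mod_ldap's code: three chained providers, each with its own cache, serving repeated requests from a user who exists only in provider 'c'. The names `SearchBindCache`, `negative_ttl` and `max_entries`, the TTL values and the sample users are assumptions, and only the user lookup is modelled, not the password bind.

```python
import time

class SearchBindCache:
    """Toy per-URL cache. negative_ttl=0 mirrors the documented behaviour
    (misses are never stored); negative_ttl>0 is the hypothetical option."""
    def __init__(self, ttl=600, negative_ttl=0, max_entries=1024, clock=time.monotonic):
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.max_entries, self.clock = max_entries, clock
        self.entries = {}  # user -> (found, expires_at)

    def get(self, user):
        hit = self.entries.get(user)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(user, None)  # expired or absent
        return None

    def put(self, user, found):
        ttl = self.ttl if found else self.negative_ttl
        if ttl <= 0:
            return
        if len(self.entries) >= self.max_entries:
            # Bound memory: usernames are client-supplied, so evict the oldest entry.
            self.entries.pop(next(iter(self.entries)))
        self.entries[user] = (found, self.clock() + ttl)

class Provider:
    def __init__(self, name, users, cache):
        self.name, self.users, self.cache = name, set(users), cache
        self.ldap_queries = 0

    def lookup(self, user):
        cached = self.cache.get(user)
        if cached is not None:
            return cached
        self.ldap_queries += 1  # one round trip to this provider's LDAP server
        found = user in self.users
        self.cache.put(user, found)
        return found

def simulate(negative_ttl, requests=100):
    """One request per second from 'carol', who exists only in provider 'c'."""
    now = [0.0]  # constructed clock so the run is deterministic
    chain = [Provider(n, u, SearchBindCache(negative_ttl=negative_ttl, clock=lambda: now[0]))
             for n, u in (("a", ["alice"]), ("b", ["bob"]), ("c", ["carol"]))]
    for _ in range(requests):
        assert any(p.lookup("carol") for p in chain)  # providers are tried in order
        now[0] += 1.0
    return {p.name: p.ldap_queries for p in chain}
```

With `negative_ttl=0`, providers 'a' and 'b' are each queried on all 100 requests while 'c' is queried once; with a 30-second negative TTL they are queried 4 times each. The cost is that a user newly added to 'a' stays invisible there until the negative entry expires, which is why the negative TTL is kept short and the cache size bounded.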
Comment 1 Markus Duft 2017-12-18 15:17:58 UTC
Created attachment 35618
Proposed patch

I've created a small patch for myself, which might be a good starting point for others :)
Comment 2 Markus Duft 2017-12-20 14:34:15 UTC
Created attachment 35624
Updated proposed patch

Updated the patch as it was causing segmentation faults in some scenarios...