
[Bug 61904] New: Option to cache negative LDAP searches


            Bug ID: 61904
           Summary: Option to cache negative LDAP searches
           Product: Apache httpd-2
           Version: 2.4.29
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ldap
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: markus.duft@xxxxxxxxxxxxxxxx
  Target Milestone: ---

According to the documentation:

"The search/bind cache is used to cache all searches that resulted in
successful binds. Negative results (i.e., unsuccessful searches, or searches
that did not result in a successful bind) are not cached. The rationale behind
this decision is that connections with invalid credentials are only a tiny
percentage of the total number of connections, so by not caching invalid
credentials, the size of the cache is reduced."

This is extremely bad for our use case. We configure multiple providers using
AuthnProviderAlias for different LDAP servers. Now assume we have providers
'a', 'b', and 'c' in order. A user who is valid for provider 'c'
authenticates. For every subsequent request, servers 'a' and 'b' are queried
over and over again for the same user (which does not exist), and only the
cache for the URL configured in provider 'c' will hit successfully.

In our scenario this causes severe performance issues. It would be great to
have an option to switch on caching for negative hits - even at the cost of
being much more memory intensive.
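
Added example (not part of the original report, and not mod_ldap code): a small Python model of the provider chain described above, counting directory searches with and without negative caching, plus the stale-miss window a negative cache introduces. The `Provider` and `Chain` classes, the user names and the 600-second TTL are assumptions for illustration; the model collapses mod_ldap's search and bind steps into a single lookup.

```python
class Provider:
    """Hypothetical stand-in for one LDAP server behind an AuthnProviderAlias."""
    def __init__(self, name, users):
        self.name, self.users, self.searches = name, set(users), 0
    def search(self, user):
        self.searches += 1                 # one round trip to the directory
        return user in self.users

class Chain:
    """Tries providers in order; cache maps (provider, user) -> (found, expiry)."""
    def __init__(self, providers, cache_negative, ttl=600):
        self.providers, self.cache_negative, self.ttl = providers, cache_negative, ttl
        self.cache = {}
    def authenticate(self, user, now):
        for p in self.providers:
            hit = self.cache.get((p.name, user))
            if hit and hit[1] > now:       # unexpired cache entry
                found = hit[0]
            else:
                found = p.search(user)
                if found or self.cache_negative:   # misses stored only if enabled
                    self.cache[(p.name, user)] = (found, now + self.ttl)
            if found:
                return p.name
        return None

def run(cache_negative, requests=100, ttl=600):
    # Constructed scenario from the report: 'alice' exists only on provider 'c'.
    providers = [Provider("a", []), Provider("b", []), Provider("c", ["alice"])]
    chain = Chain(providers, cache_negative, ttl)
    for t in range(requests):              # one request per second
        assert chain.authenticate("alice", now=t) == "c"
    return {p.name: p.searches for p in providers}

def stale_window(ttl=600):
    # Trade-off of negative caching: a cached miss hides a newly created account.
    a = Provider("a", [])
    chain = Chain([a], cache_negative=True, ttl=ttl)
    chain.authenticate("bob", now=0)       # miss is cached until now == ttl
    a.users.add("bob")                     # account is created in the directory
    before = chain.authenticate("bob", now=ttl - 1)
    after = chain.authenticate("bob", now=ttl)
    return before, after

if __name__ == "__main__":
    print("positive-only cache:", run(False))
    print("with negative cache:", run(True))
    print("stale miss before/after TTL:", stale_window())
```

The stale-miss window is the behaviour to size the TTL against if such an option existed: the same interval that suppresses repeated searches on 'a' and 'b' also delays recognition of an account added to those servers.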
