Apache Module mod_ldap

Description: - LDAP connection pooling and result caching -services for use by other LDAP modules

Status: + LDAP connection pooling and result caching services for use +by other LDAP modules

Status: Experimental

Module Identifier: ldap_module

Source File: util_ldap.c

Compatibility: @@ -28,33 +28,36 @@ services for use by other LDAP modules

LDAPOpCacheTTL

LDAPSharedCacheSize

Example Configuration

- -

The following is an example configuration that uses -mod_ldap to increase the performance of HTTP Basic -authentication provided by mod_auth_ldap.

- -

-# Enable the LDAP connection pool and shared memory cache. Enable the
-# LDAP cache status handler. Requires that mod_ldap and mod_auth_ldap
-# be loaded. Change the "yourdomain.example.com" to match your domain.
-
-    LDAPSharedCacheSize 200000
-    LDAPCacheEntries 1024
-    LDAPCacheTTL 600
-    LDAPOpCacheEntries 1024
-    LDAPOpCacheTTL 600
-
-    <Location /ldap-status>
-        SetHandler ldap-status
-        Order deny,allow
-        Deny from all
-        Allow from yourdomain.example.com
-        AuthLDAPEnabled on
-        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
-        AuthLDAPAuthoritative on
-        require valid-user
-    </Location>
-

The following is an example configuration that uses + mod_ldap to increase the performance of HTTP Basic + authentication provided by mod_auth_ldap.

+ +

+ # Enable the LDAP connection pool and shared + # memory cache. Enable the LDAP cache status + # handler. Requires that mod_ldap and mod_auth_ldap + # be loaded. Change the "yourdomain.example.com" to + # match your domain. + + LDAPSharedCacheSize 200000 + LDAPCacheEntries 1024 + LDAPCacheTTL 600 + LDAPOpCacheEntries 1024 + LDAPOpCacheTTL 600 + + <Location /ldap-status> + + SetHandler ldap-status + Order deny,allow + Deny from all + Allow from yourdomain.example.com + AuthLDAPEnabled on + AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one + AuthLDAPAuthoritative on + require valid-user + + </Location> +

LDAP Connection Pool

LDAP connections are pooled from request to request. This @@ -81,77 +84,76 @@ authentication provided by mod_ldap supports two types of LDAP caching during the - search/bind phase with a search/bind cache and +

mod_ldap supports two types of LDAP caching during + the search/bind phase with a search/bind cache and during the compare phase with two operation caches. Each LDAP URL that is used by the server has its own set of these three caches.

The Search/Bind Cache

- -

The process of doing a search and then a bind is the - most time-consuming aspect of LDAP operation, especially if - the directory is large. The search/bind cache is used to - cache all searches that resulted in successful binds. - Negative results (i.e., unsuccessful searches, or searches - that did not result in a successful bind) are not cached. - The rationale behind this decision is that connections with - invalid credentials are only a tiny percentage of the total - number of connections, so by not caching invalid - credentials, the size of the cache is reduced.

- -

mod_ldap stores the username, the DN - retrieved, the password used to bind, and the time of the bind - in the cache. Whenever a new connection is initiated with the - same username, mod_ldap compares the password - of the new connection with the password in the cache. If the - passwords match, and if the cached entry is not too old, - mod_ldap bypasses the search/bind phase.

- -

The search and bind cache is controlled with the LDAPCacheEntries and LDAPCacheTTL directives.

- - -

Operation Caches

- -

During attribute and distinguished name comparison - functions, mod_ldap uses two operation caches - to cache the compare operations. The first compare cache is - used to cache the results of compares done to test for LDAP - group membership. The second compare cache is used to cache - the results of comparisons done between distinguished - names.

- -

The behavior of both of these caches is controlled with - the LDAPOpCacheEntries - and LDAPOpCacheTTL - directives.

- - -

Monitoring the Cache

- -

mod_ldap has a content handler that allows - administrators to monitor the cache performance. The name of - the content handler is ldap-status, so the - following directives could be used to access the - mod_ldap cache information:

-<Location /server/cache-info >
- SetHandler ldap-status
-</Location>
-

- -

By fetching the URL - http://servername/cache-info, the administrator - can get a status report of every cache that is used by - mod_ldap cache. Note that if Apache does not - support shared memory, then each httpd instance has its - own cache, so reloading the URL will result in different - information each time, depending on which httpd - instance processes the request.

- +

The Search/Bind Cache

The process of doing a search and then a bind is the + most time-consuming aspect of LDAP operation, especially if + the directory is large. The search/bind cache is used to + cache all searches that resulted in successful binds. + Negative results (i.e., unsuccessful searches, or searches + that did not result in a successful bind) are not cached. + The rationale behind this decision is that connections with + invalid credentials are only a tiny percentage of the total + number of connections, so by not caching invalid + credentials, the size of the cache is reduced.

+ +

mod_ldap stores the username, the DN + retrieved, the password used to bind, and the time of the bind + in the cache. Whenever a new connection is initiated with the + same username, mod_ldap compares the password + of the new connection with the password in the cache. If the + passwords match, and if the cached entry is not too old, + mod_ldap bypasses the search/bind phase.

+ +

The search and bind cache is controlled with the LDAPCacheEntries and LDAPCacheTTL directives.

+ + +

Operation Caches

During attribute and distinguished name comparison + functions, mod_ldap uses two operation caches + to cache the compare operations. The first compare cache is + used to cache the results of compares done to test for LDAP + group membership. The second compare cache is used to cache + the results of comparisons done between distinguished + names.

+ +

The behavior of both of these caches is controlled with + the LDAPOpCacheEntries + and LDAPOpCacheTTL + directives.

+ + +

Monitoring the Cache

mod_ldap has a content handler that allows + administrators to monitor the cache performance. The name of + the content handler is ldap-status, so the + following directives could be used to access the + mod_ldap cache information:

+ +

+ <Location /server/cache-info> + + SetHandler ldap-status + + </Location> +

+ +

By fetching the URL http://servername/cache-info, + the administrator can get a status report of every cache that is used + by mod_ldap cache. Note that if Apache does not + support shared memory, then each httpd instance has its + own cache, so reloading the URL will result in different + information each time, depending on which httpd + instance processes the request.

LDAPCacheEntries Directive

Description: Maximum number of entires in the primary LDAP cache

Syntax: - LDAPCacheEntries number

Default: + LDAPCacheEntries number

Default: LDAPCacheEntries 1024

Context: server config

Status: Experimental

Module: @@ -162,7 +164,7 @@ authentication provided by

LDAPCacheTTL Directive
Description: 
               Time that cached items remain valid
Syntax:
-              LDAPCacheTTL seconds
Default: 
+              LDAPCacheTTL seconds
Default: 
               LDAPCacheTTL 600
Context:
               server config
Status:
               Experimental
Module:
@@ -172,7 +174,7 @@ authentication provided by LDAPCertDBPath Directive
Description: 
               Directory containing certificates for SSL support
Syntax:
-              LDAPCertDBPath directory-path
Context:
+              LDAPCertDBPath directory-path
Context:
               server config
Status:
               Experimental
Module:
               mod_ldap
@@ -186,7 +188,7 @@ authentication provided by 
LDAPOpCacheEntries Directive
Description: 
               Number of entries used to cache LDAP compare 
 operations
Syntax:
-              LDAPOpCacheEntries number
Default: 
+              LDAPOpCacheEntries number
Default: 
               LDAPOpCacheEntries 1024
Context:
               server config
Status:
               Experimental
Module:
@@ -195,9 +197,9 @@ operations
Syntax:
     will use to cache LDAP compare operations. The default is 1024
     entries.  Setting it to 0 disables operation caching.
 
LDAPOpCacheTTL Directive
Description: 
-              Time that entries in the operation cache remain 
+              Time that entries in the operation cache remain
 valid
Syntax:
-              LDAPOpCacheTTL seconds
Default: 
+              LDAPOpCacheTTL seconds
Default: 
               LDAPOpCacheTTL 600
Context:
               server config
Status:
               Experimental
Module:
@@ -206,7 +208,7 @@ valid
Syntax:
     operation cache remain valid. The default is 600 seconds.
 
LDAPSharedCacheSize Directive
 requests on a persistent connection
-
-
-
-
+
+
+
-
-
+Description: 
               Size in bytes of the shared-memory cache
Syntax:
-              LDAPSharedCacheSize bytes
Default: 
+              LDAPSharedCacheSize bytes
Default: 
               LDAPSharedCacheSize 102400
Context:
               server config
Status:
               Experimental
Module:
diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml
index 94568f4fe6..3418617f5f 100644
--- a/docs/manual/mod/mod_ldap.xml
+++ b/docs/manual/mod/mod_ldap.xml
@@ -4,8 +4,8 @@
 
 
 mod_ldap
-LDAP connection pooling and result caching
-services for use by other LDAP modules
+LDAP connection pooling and result caching services for use
+by other LDAP modules
 Experimental
 util_ldap.c
 ldap_module
@@ -25,34 +25,36 @@ services for use by other LDAP modules
 
 
 Example Configuration
-
-The following is an example configuration that uses
-mod_ldap to increase the performance of HTTP Basic
-authentication provided by mod_auth_ldap.
-
-
--# Enable the LDAP connection pool and shared memory cache. Enable the
-# LDAP cache status handler. Requires that mod_ldap and mod_auth_ldap
-# be loaded. Change the "yourdomain.example.com" to match your domain.
-
-    LDAPSharedCacheSize 200000
-    LDAPCacheEntries 1024
-    LDAPCacheTTL 600
-    LDAPOpCacheEntries 1024
-    LDAPOpCacheTTL 600
-
-    <Location /ldap-status>
-        SetHandler ldap-status
-        Order deny,allow
-        Deny from all
-        Allow from yourdomain.example.com
-        AuthLDAPEnabled on
-        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one
-        AuthLDAPAuthoritative on
-        require valid-user
-    </Location>
-
+    The following is an example configuration that uses
+    mod_ldap to increase the performance of HTTP Basic
+    authentication provided by mod_auth_ldap.
+
+    
+      # Enable the LDAP connection pool and shared

+      # memory cache. Enable the LDAP cache status

+      # handler. Requires that mod_ldap and mod_auth_ldap

+      # be loaded. Change the "yourdomain.example.com" to

+      # match your domain.

+      

+      LDAPSharedCacheSize 200000

+      LDAPCacheEntries 1024

+      LDAPCacheTTL 600

+      LDAPOpCacheEntries 1024

+      LDAPOpCacheTTL 600

+      

+      <Location /ldap-status>

+      
+        SetHandler ldap-status

+        Order deny,allow

+        Deny from all

+        Allow from yourdomain.example.com

+        AuthLDAPEnabled on

+        AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one

+        AuthLDAPAuthoritative on

+        require valid-user

+      
+      </Location>
+    
 
 
 LDAP Connection Pool
@@ -83,82 +85,81 @@ authentication provided by mod_auth_ldap.
     with mod_auth_ldap. In addition, the load on the LDAP server
     will be significantly decreased.
 
-    mod_ldap supports two types of LDAP caching during the
-    search/bind phase with a search/bind cache and
+    
mod_ldap supports two types of LDAP caching during
+    the search/bind phase with a search/bind cache and
     during the compare phase with two operation
     caches. Each LDAP URL that is used by the server has
     its own set of these three caches.
 
-The Search/Bind Cache
-
-        The process of doing a search and then a bind is the
-        most time-consuming aspect of LDAP operation, especially if
-        the directory is large. The search/bind cache is used to
-        cache all searches that resulted in successful binds.
-        Negative results (i.e., unsuccessful searches, or searches
-        that did not result in a successful bind) are not cached.
-        The rationale behind this decision is that connections with
-        invalid credentials are only a tiny percentage of the total
-        number of connections, so by not caching invalid
-        credentials, the size of the cache is reduced.
-
-        mod_ldap stores the username, the DN
-        retrieved, the password used to bind, and the time of the bind
-        in the cache. Whenever a new connection is initiated with the
-        same username, mod_ldap compares the password
-        of the new connection with the password in the cache. If the
-        passwords match, and if the cached entry is not too old,
-        mod_ldap bypasses the search/bind phase.
-
-        The search and bind cache is controlled with the LDAPCacheEntries and LDAPCacheTTL directives.
-
-
-Operation Caches
-
-        During attribute and distinguished name comparison
-        functions, mod_ldap uses two operation caches
-        to cache the compare operations. The first compare cache is
-        used to cache the results of compares done to test for LDAP
-        group membership. The second compare cache is used to cache
-        the results of comparisons done between distinguished
-        names.
-
-        The behavior of both of these caches is controlled with
-        the LDAPOpCacheEntries
-        and LDAPOpCacheTTL
-        directives.
-
-
-Monitoring the Cache
-
-        mod_ldap has a content handler that allows
-        administrators to monitor the cache performance. The name of
-        the content handler is ldap-status, so the
-        following directives could be used to access the
-        mod_ldap cache information:
--<Location /server/cache-info >
- SetHandler ldap-status
-</Location>
-
-
-        By fetching the URL
-        http://servername/cache-info, the administrator
-        can get a status report of every cache that is used by
-        mod_ldap cache. Note that if Apache does not
-        support shared memory, then each httpd instance has its
-        own cache, so reloading the URL will result in different
-        information each time, depending on which httpd
-        instance processes the request.
-
+    The Search/Bind Cache
+      The process of doing a search and then a bind is the
+      most time-consuming aspect of LDAP operation, especially if
+      the directory is large. The search/bind cache is used to
+      cache all searches that resulted in successful binds.
+      Negative results (i.e., unsuccessful searches, or searches
+      that did not result in a successful bind) are not cached.
+      The rationale behind this decision is that connections with
+      invalid credentials are only a tiny percentage of the total
+      number of connections, so by not caching invalid
+      credentials, the size of the cache is reduced.
+
+      mod_ldap stores the username, the DN
+      retrieved, the password used to bind, and the time of the bind
+      in the cache. Whenever a new connection is initiated with the
+      same username, mod_ldap compares the password
+      of the new connection with the password in the cache. If the
+      passwords match, and if the cached entry is not too old,
+      mod_ldap bypasses the search/bind phase.
+
+      The search and bind cache is controlled with the LDAPCacheEntries and LDAPCacheTTL directives.
+    
+
+    Operation Caches
+      During attribute and distinguished name comparison
+      functions, mod_ldap uses two operation caches
+      to cache the compare operations. The first compare cache is
+      used to cache the results of compares done to test for LDAP
+      group membership. The second compare cache is used to cache
+      the results of comparisons done between distinguished
+      names.
+
+      The behavior of both of these caches is controlled with
+      the LDAPOpCacheEntries
+      and LDAPOpCacheTTL
+      directives.
+    
+
+    Monitoring the Cache
+      mod_ldap has a content handler that allows
+      administrators to monitor the cache performance. The name of
+      the content handler is ldap-status, so the
+      following directives could be used to access the
+      mod_ldap cache information:
+
+      
+        <Location /server/cache-info>

+        
+          SetHandler ldap-status

+        
+        </Location>
+      
+
+      By fetching the URL http://servername/cache-info,
+      the administrator can get a status report of every cache that is used
+      by mod_ldap cache. Note that if Apache does not
+      support shared memory, then each httpd instance has its
+      own cache, so reloading the URL will result in different
+      information each time, depending on which httpd
+      instance processes the request.
+    
 
 
 
 LDAPSharedCacheSize
 Size in bytes of the shared-memory cache
-LDAPSharedCacheSize bytes
+LDAPSharedCacheSize bytes
 LDAPSharedCacheSize 102400
 server config
 
@@ -171,7 +172,7 @@ authentication provided by mod_auth_ldap.
 
 LDAPCacheEntries
 Maximum number of entires in the primary LDAP cache
-LDAPCacheEntries number
+LDAPCacheEntries number
 LDAPCacheEntries 1024
 server config
 
@@ -186,7 +187,7 @@ authentication provided by mod_auth_ldap.
 
 LDAPCacheTTL
 Time that cached items remain valid
-LDAPCacheTTL seconds
+LDAPCacheTTL seconds
 LDAPCacheTTL 600
 server config
 
@@ -201,7 +202,7 @@ authentication provided by mod_auth_ldap.
 LDAPOpCacheEntries
 Number of entries used to cache LDAP compare 
 operations
-LDAPOpCacheEntries number
+LDAPOpCacheEntries number
 LDAPOpCacheEntries 1024
 server config
 
@@ -214,9 +215,9 @@ operations
 
 
 LDAPOpCacheTTL
-Time that entries in the operation cache remain 
+Time that entries in the operation cache remain
 valid
-LDAPOpCacheTTL seconds
+LDAPOpCacheTTL seconds
 LDAPOpCacheTTL 600
 server config
 
@@ -229,7 +230,7 @@ valid
 
 LDAPCertDBPath
 Directory containing certificates for SSL support
-LDAPCertDBPath directory-path
+LDAPCertDBPath directory-path
 server config
 
 
diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en
index 7f9b3329fb..72cc60bd09 100644
--- a/docs/manual/mod/quickreference.html.en
+++ b/docs/manual/mod/quickreference.html.en
@@ -333,14 +333,14 @@ extensions
 LanguagePriority MIME-lang [MIME-lang] ... svdh B
The precendence of language variants for cases where
 the client does not express a preference
LDAPCacheEntries number  1024 s X
Maximum number of entires in the primary LDAP cache
LDAPCacheTTL seconds  600 s X
Time that cached items remain valid
LDAPCertDBPath directory-path s X
Directory containing certificates for SSL support
LDAPOpCacheEntries number  1024 s X
Number of entries used to cache LDAP compare 
+
LDAPCacheEntries number  1024 s X
Maximum number of entires in the primary LDAP cache
LDAPCacheTTL seconds  600 s X
Time that cached items remain valid
LDAPCertDBPath directory-path s X
Directory containing certificates for SSL support
LDAPOpCacheEntries number  1024 s X
Number of entries used to cache LDAP compare 
 operations
LDAPOpCacheTTL seconds  600 s X
Time that entries in the operation cache remain 
+
LDAPOpCacheTTL seconds  600 s X
Time that entries in the operation cache remain
 valid
LDAPSharedCacheSize bytes  102400 s X
Size in bytes of the shared-memory cache
LDAPSharedCacheSize bytes  102400 s X
Size in bytes of the shared-memory cache
 <Limit method [method] ... > ...
     </Limit> svdh C
Restrict enclosed access controls to only certain HTTP
 methods