| <?xml version="1.0"?> |
| <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd"> |
| <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?> |
| <!-- $LastChangedRevision$ --> |
| |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <modulesynopsis metafile="mod_ldap.xml.meta"> |
| |
| <name>mod_ldap</name> |
| <description>LDAP connection pooling and result caching services for use |
| by other LDAP modules</description> |
| <status>Experimental</status> |
| <sourcefile>util_ldap.c</sourcefile> |
| <identifier>ldap_module</identifier> |
| <compatibility>Available in version 2.0.41 and later</compatibility> |
| |
| <summary> |
| <p>This module was created to improve the performance of |
| websites relying on backend connections to LDAP servers. In |
| addition to the functions provided by the standard LDAP |
| libraries, this module adds an LDAP connection pool and an LDAP |
| shared memory cache.</p> |
| |
| <p>To enable this module, LDAP support must be compiled into |
| apr-util. This is achieved by adding the <code>--with-ldap</code> |
| flag to the <program>configure</program> script when building |
| Apache.</p> |
| |
| <p>SSL support requires that <module>mod_ldap</module> be linked |
| with one of the following LDAP SDKs: <a href="http://www.openldap.org/"> |
| OpenLDAP SDK</a> (both 1.x and 2.x), <a href="http://developer.novell.com/ndk/cldap.htm"> |
| Novell LDAP SDK</a> or the <a href="http://www.iplanet.com/downloads/developer/"> |
| iPlanet(Netscape)</a> SDK.</p> |
| |
| </summary> |
| |
| <section id="exampleconfig"><title>Example Configuration</title> |
| <p>The following is an example configuration that uses |
| <module>mod_ldap</module> to increase the performance of HTTP Basic |
| authentication provided by <module>mod_auth_ldap</module>.</p> |
| |
| <example> |
| # Enable the LDAP connection pool and shared<br /> |
| # memory cache. Enable the LDAP cache status<br /> |
| # handler. Requires that mod_ldap and mod_auth_ldap<br /> |
| # be loaded. Change the "yourdomain.example.com" to<br /> |
| # match your domain.<br /> |
| <br /> |
| LDAPSharedCacheSize 200000<br /> |
| LDAPCacheEntries 1024<br /> |
| LDAPCacheTTL 600<br /> |
| LDAPOpCacheEntries 1024<br /> |
| LDAPOpCacheTTL 600<br /> |
| <br /> |
| <Location /ldap-status><br /> |
| <indent> |
| SetHandler ldap-status<br /> |
| Order deny,allow<br /> |
| Deny from all<br /> |
| Allow from yourdomain.example.com<br /> |
| AuthLDAPEnabled on<br /> |
| AuthLDAPURL ldap://127.0.0.1/dc=example,dc=com?uid?one<br /> |
| AuthLDAPAuthoritative on<br /> |
| Require valid-user<br /> |
| </indent> |
| </Location> |
| </example> |
| </section> |
| |
| <section id="pool"><title>LDAP Connection Pool</title> |
| |
| <p>LDAP connections are pooled from request to request. This |
| allows the LDAP server to remain connected and bound ready for |
| the next request, without the need to unbind/connect/rebind. |
| The performance advantages are similar to the effect of HTTP |
| keepalives.</p> |
| |
| <p>On a busy server it is possible that many requests will try |
| and access the same LDAP server connection simultaneously. |
| Where an LDAP connection is in use, Apache will create a new |
| connection alongside the original one. This ensures that the |
| connection pool does not become a bottleneck.</p> |
| |
| <p>There is no need to manually enable connection pooling in |
| the Apache configuration. Any module using this module for |
| access to LDAP services will share the connection pool.</p> |
| </section> |
| |
| <section id="cache"><title>LDAP Cache</title> |
| |
| <p>For improved performance, <module>mod_ldap</module> uses an aggressive |
| caching strategy to minimize the number of times that the LDAP |
| server must be contacted. Caching can easily double or triple |
| the throughput of Apache when it is serving pages protected |
| with mod_auth_ldap. In addition, the load on the LDAP server |
| will be significantly decreased.</p> |
| |
| <p><module>mod_ldap</module> supports two types of LDAP caching during |
| the search/bind phase with a <em>search/bind cache</em> and |
| during the compare phase with two <em>operation |
| caches</em>. Each LDAP URL that is used by the server has |
| its own set of these three caches.</p> |
| |
| <section id="search-bind"><title>The Search/Bind Cache</title> |
| <p>The process of doing a search and then a bind is the |
| most time-consuming aspect of LDAP operation, especially if |
| the directory is large. The search/bind cache is used to |
| cache all searches that resulted in successful binds. |
| Negative results (<em>i.e.</em>, unsuccessful searches, or searches |
| that did not result in a successful bind) are not cached. |
| The rationale behind this decision is that connections with |
| invalid credentials are only a tiny percentage of the total |
| number of connections, so by not caching invalid |
| credentials, the size of the cache is reduced.</p> |
| |
| <p><module>mod_ldap</module> stores the username, the DN |
| retrieved, the password used to bind, and the time of the bind |
| in the cache. Whenever a new connection is initiated with the |
| same username, <module>mod_ldap</module> compares the password |
| of the new connection with the password in the cache. If the |
| passwords match, and if the cached entry is not too old, |
| <module>mod_ldap</module> bypasses the search/bind phase.</p> |
| |
| <p>The search and bind cache is controlled with the <directive |
| module="mod_ldap">LDAPCacheEntries</directive> and <directive |
| module="mod_ldap">LDAPCacheTTL</directive> directives.</p> |
| </section> |
| |
| <section id="opcaches"><title>Operation Caches</title> |
| <p>During attribute and distinguished name comparison |
| functions, <module>mod_ldap</module> uses two operation caches |
| to cache the compare operations. The first compare cache is |
| used to cache the results of compares done to test for LDAP |
| group membership. The second compare cache is used to cache |
| the results of comparisons done between distinguished |
| names.</p> |
| |
| <p>The behavior of both of these caches is controlled with |
| the <directive module="mod_ldap">LDAPOpCacheEntries</directive> |
| and <directive module="mod_ldap">LDAPOpCacheTTL</directive> |
| directives.</p> |
| </section> |
| |
| <section id="monitoring"><title>Monitoring the Cache</title> |
| <p><module>mod_ldap</module> has a content handler that allows |
| administrators to monitor the cache performance. The name of |
| the content handler is <code>ldap-status</code>, so the |
| following directives could be used to access the |
| <module>mod_ldap</module> cache information:</p> |
| |
| <example> |
| <Location /server/cache-info><br /> |
| <indent> |
| SetHandler ldap-status<br /> |
| </indent> |
| </Location> |
| </example> |
| |
| <p>By fetching the URL <code>http://servername/cache-info</code>, |
| the administrator can get a status report of every cache that is used |
| by <module>mod_ldap</module> cache. Note that if Apache does not |
| support shared memory, then each <program>httpd</program> instance has its |
| own cache, so reloading the URL will result in different |
| information each time, depending on which <program>httpd</program> |
| instance processes the request.</p> |
| </section> |
| </section> |
| |
| <section id="usingssltls"><title>Using SSL</title> |
| |
| <p>The ability to create an SSL connections to an LDAP server |
| is defined by the directives <directive module="mod_ldap"> |
| LDAPTrustedCA</directive> and <directive module="mod_ldap"> |
| LDAPTrustedCAType</directive>. These directives specify the certificate |
| file or database and the certificate type. Whenever the LDAP url |
| includes <em>ldaps://</em>, <module>mod_ldap</module> will establish |
| a secure connection to the LDAP server.</p> |
| |
| <example> |
| # Establish an SSL LDAP connection. Requires that <br /> |
| # mod_ldap and mod_auth_ldap be loaded. Change the <br /> |
| # "yourdomain.example.com" to match your domain.<br /> |
| <br /> |
| LDAPTrustedCA /certs/certfile.der<br /> |
| LDAPTrustedCAType DER_FILE<br /> |
| <br /> |
| <Location /ldap-status><br /> |
| <indent> |
| SetHandler ldap-status<br /> |
| Order deny,allow<br /> |
| Deny from all<br /> |
| Allow from yourdomain.example.com<br /> |
| AuthLDAPEnabled on<br /> |
| AuthLDAPURL ldaps://127.0.0.1/dc=example,dc=com?uid?one<br /> |
| AuthLDAPAuthoritative on<br /> |
| Require valid-user<br /> |
| </indent> |
| </Location> |
| </example> |
| |
| <p>If <module>mod_ldap</module> is linked against the |
| Netscape/iPlanet LDAP SDK, it will not talk to any SSL server |
| unless that server has a certificate signed by a known Certificate |
| Authority. As part of the configuration |
| <module>mod_ldap</module> needs to be told where it can find |
| a database containing the known CAs. This database is in the same |
| format as Netscape Communicator's <code>cert7.db</code> |
| database. The easiest way to get this file is to start up a fresh |
| copy of Netscape, and grab the resulting |
| <code>$HOME/.netscape/cert7.db</code> file.</p> |
| |
| </section> |
| |
| <directivesynopsis> |
| <name>LDAPSharedCacheSize</name> |
| <description>Size in bytes of the shared-memory cache</description> |
| <syntax>LDAPSharedCacheSize <var>bytes</var></syntax> |
| <default>LDAPSharedCacheSize 102400</default> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>Specifies the number of bytes to allocate for the shared |
| memory cache. The default is 100kb. If set to 0, shared memory |
| caching will not be used.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPSharedCacheFile</name> |
| <description>Sets the shared memory cache file</description> |
| <syntax>LDAPSharedCacheFile <var>directory-path/filename</var></syntax> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>Specifies the directory path and file name of the shared memory |
| cache file. If not set, anonymous shared memory will be used if the |
| platform supports it.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPCacheEntries</name> |
| <description>Maximum number of entries in the primary LDAP cache</description> |
| <syntax>LDAPCacheEntries <var>number</var></syntax> |
| <default>LDAPCacheEntries 1024</default> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>Specifies the maximum size of the primary LDAP cache. This |
| cache contains successful search/binds. Set it to 0 to turn off |
| search/bind caching. The default size is 1024 cached |
| searches.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPCacheTTL</name> |
| <description>Time that cached items remain valid</description> |
| <syntax>LDAPCacheTTL <var>seconds</var></syntax> |
| <default>LDAPCacheTTL 600</default> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>Specifies the time (in seconds) that an item in the |
| search/bind cache remains valid. The default is 600 seconds (10 |
| minutes).</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPOpCacheEntries</name> |
| <description>Number of entries used to cache LDAP compare |
| operations</description> |
| <syntax>LDAPOpCacheEntries <var>number</var></syntax> |
| <default>LDAPOpCacheEntries 1024</default> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>This specifies the number of entries <module>mod_ldap</module> |
| will use to cache LDAP compare operations. The default is 1024 |
| entries. Setting it to 0 disables operation caching.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPOpCacheTTL</name> |
| <description>Time that entries in the operation cache remain |
| valid</description> |
| <syntax>LDAPOpCacheTTL <var>seconds</var></syntax> |
| <default>LDAPOpCacheTTL 600</default> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>Specifies the time (in seconds) that entries in the |
| operation cache remain valid. The default is 600 seconds.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPTrustedCA</name> |
| <description>Sets the file containing the trusted Certificate Authority certificate or database</description> |
| <syntax>LDAPTrustedCA <var>directory-path/filename</var></syntax> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>It specifies the directory path and file name of the trusted CA |
| <module>mod_ldap</module> should use when establishing an SSL |
| connection to an LDAP server. If using the Netscape/iPlanet Directory |
| SDK, the file name should be <code>cert7.db</code>.</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPTrustedCAType</name> |
| <description>Specifies the type of the Certificate Authority file</description> |
| <syntax>LDAPTrustedCAType <var>type</var></syntax> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>The following types are supported:<br /> |
| DER_FILE - file in binary DER format<br /> |
| BASE64_FILE - file in Base64 format<br /> |
| CERT7_DB_PATH - Netscape certificate database file ")</p> |
| </usage> |
| </directivesynopsis> |
| |
| <directivesynopsis> |
| <name>LDAPConnectionTimeout</name> |
| <description>Specifies the socket connection timeout in seconds</description> |
| <syntax>LDAPConnectionTimeout <var>seconds</var></syntax> |
| <contextlist><context>server config</context></contextlist> |
| |
| <usage> |
| <p>Specifies the timeout value (in seconds) in which the module will |
| attempt to connect to the LDAP server. If a connection is not |
| successful with the timeout period, either an error will be |
| returned or the module will attempt to connect to a secondary LDAP |
| server if one is specified. The default is 10 seconds.</p> |
| </usage> |
| </directivesynopsis> |
| |
| </modulesynopsis> |