(mm) Caching support in LDAP authentication module for apache 2.x

mod_auth_ldap v 2.16 for Apache 2.x

(Apache 2.0.49 as of May-23-2004)

[mod_auth_ldap Release With cache, v2.16 for Apache 2.x]

First Released with cache: Feb-16-2004
Last Updated (ChangeLog): May-23-2004

This document is about the caching mechanism in the LDAP authentication module for Apache 2.x. You should read the main mod_auth_ldap_apache2.html page for details. It'll be part of the main page as soon as I get some time.

The source has been sitting on my disk for a while, so I'm writing up this quick note to get you started. In my initial testing, the code seems to be solid, but please give me your feedback. I'm interested to know how it performs in very large sites.

Download

Download Source v2.16
File: mod_auth_ldap2.16.tar.gz
Size: 548912 bytes
MD5 Checksum: 63097ef60eb53c16a89244cea5515c0d
Last updated: May-23-2004

Download Zipped v2.16 DLL for MS Windows
File: mod_auth_ldap2.16win.zip
Size: 388865 bytes
MD5 Checksum: 88c31c50a01d9f90155d8217dfc0108d
Last updated: May-23-2004

(Compiled with Apache 2.0.49)

Please read the instructions in the main mod_auth_ldap_apache2.html page for how to install the module. Note: The MS Windows DLL is compiled with Apache 2.0.48, which means you should use it with Apache 2.0.48. It may or may not work with other versions of Apache. Also, it is compiled with the iPlanet C SDK, so you have to get those DLLs. Please look at the Notes in the download section of the main mod_auth_ldap_apache2.html page for the link to the iPlanet LDAP C SDK.

For MS Windows, the DLL is compiled with Apache 2.0.49, so the DLL may or may not work with any other version of Apache.

This is a development release. It has an initial cut of memory and persistent disk based caching support. I'm releasing it so that you can play with it and give me feedback. This version has tons of bug fixes and improvements over the previous versions, so you should try this version even if you're not interested in caching support. If you have thousands of protected files, caching will improve server performance dramatically!

You can compile the support for both memory and disk based caching but can use only one.

For the memory cache, the module uses the excellent libghthash library. I wasted lots of time with another hash library called hashit, which is simple but extremely unportable and was buggy at the time I played with it. In a future release of the module, I'll add support for the various heuristics libghthash supports. I'm supplying a slightly modified version of libghthash with the module.

For the persistent cache, I use a fast disk based database. The disk based cache is only tested with Berkeley DB v4.2.52, available at http://www.sleepycat.com. Although the module has supporting code for gdbm, ndbm, sdbm etc., they're not tested at the moment.

I only tested the module as a DSO; compiling it into Apache is not tested yet. If caching is enabled, on Unix the module runs an order of magnitude faster than older versions. However, on Windows I noticed it's not as fast as on Unix, probably because the Windows version of Apache is threaded and a large section of code is mutexed. I'll look into it.

Compatibility

LDAP_Persistent is gone. The new directive is LDAP_Persistent_G; it is a global directive, can be used in the httpd.conf file only, and can not be used inside <Directory>, <Location>, etc. The global directives have _G at the end. The cache related directives are all global directives.

Compile with memory and disk based cache support in Unix

$ gunzip < mod_auth_ldap2.16.tar.gz | tar xvf -
$ cd mod_auth_ldap2.16
$ ./configure --with-mem-cache \
   --with-apache-dir=/usr/local/apache2 \
   --with-ldap-dir=/usr/local/iplanet \
   --with-apxs \
   --with-disk-cache-db=/usr/local/BerkeleyDB4.2.52
$ make
$ make install
Note: the path of Berkeley DB 4.2.52 is specified with the flag --with-disk-cache-db.

If you do not want caching support:

$ ./configure --with-apache-dir=/usr/local/apache2 \
   --with-apxs \
   --with-ldap-dir=/usr/local/iplanet
$ make
$ make install
Please read mod_auth_ldap_apache2.html for details on how to use the module.

This version of the module has more features; you have to look at the code for them, or wait till I document them.

Directives for memory caching (global directives)


# Turn on memory caching
    LDAP_UseMemoryCache_G   On
# Size of hash table
    LDAP_HashTableSize_G    1024
# Expire cache after these many seconds. Default is 300 seconds
    LDAP_CacheTTL_G       600

Note: LDAP_HashTableSize_G specifies the maximum number of entries the hash table can hold. For best performance the hash table should not be more than 75% full. It'll hold entries by chaining after the table is full, but performance will degrade. There's a way you can set a handler in the module to see the status of the hash table; read the source for it. I'll talk more about the internals of the hash table etc. in the next release.

Directives for persistent disk based Caching (global directives)


# Turn on disk based caching
    LDAP_UseDiskCache_G     On
# Path of a  web writable directory. It must exist. A fast disk based dbm
# will be created there by the web server
    LDAP_CacheDbDirPath_G   /usr/local/apache/mod_auth_ldap_disk_cache
# Expire cache after these many seconds. Default is 300 seconds
    LDAP_CacheTTL_G       600
    SupportNestedGroups_G   Off

Global directives are directives that can be used only in the server httpd.conf file and can not be used inside <Directory>, <Location>, etc.

Example (memory cache)

This example authorizes user mmtest as a member of the group "Domain Guests" in MS Windows Active Directory. Caching has nothing to do with group authorization in AD; my httpd.conf just happened to be set up for this at the moment.

# Global directives
LDAP_Persistent_G On
LDAP_UseMemoryCache_G On
LDAP_CacheTTL_G 600
LDAP_HashTableSize_G 2048
SupportNestedGroups_G Off

<Directory "/usr/local/apache/htdocs/foo">
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthAuthoritative Off
AuthName "Foo Bar staff only"
AuthType Basic
#AuthOnBind Off
#Sub_DN ou=CIS,ou=People
Bind_Tries 5
LDAP_Debug On
#LDAP_Deref NEVER
#LDAP_StartTLS On
##LDAP_Server 10.100.30.8
##LDAP_Port 389
# Connect timeout in seconds #LDAP_Connect_Timeout 3
# If SSL is on, must specify the LDAP SSL port, usually 636
#LDAP_Port 636
#LDAP_CertDbDir /usr/foo/ssl
##Base_DN "o=Fox Chase Cancer Center,c=US"
# In Windows 2003
LDAP_Protocol_Version 3
LDAP_Server 192.168.0.1
LDAP_Port 389
Base_DN "DC=muquit,DC=com"
Bind_DN "cn=mmtest,cn=Users,dc=muquit,DC=com"
Bind_Pass "mmtest"
UID_Attr cn
Group_Attr member
#require group "CN=Domain Admins,CN=Users"
require group "CN=Domain Guests,CN=Users"
</Directory>

Persistent disk based cache

# Global directives
LDAP_Persistent_G On
LDAP_CacheTTL_G 600
LDAP_UseDiskCache_G On

# path of a writable directory by the web server.
# it's not the path of the database, a database named mod_auth_ldap_cache.db will be created
# inside this directory by web server.
LDAP_CacheDbDirPath_G "/opt/muquit/mod_auth_ldap_disk_cache"

<Directory "/usr/local/apache/htdocs/foo">
Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthAuthoritative Off
AuthName "Foo Bar staff only"
AuthType Basic
#AuthOnBind Off
#Sub_DN ou=CIS,ou=People
Bind_Tries 5
LDAP_Debug On
#LDAP_Deref NEVER
#LDAP_StartTLS On
##LDAP_Server 10.100.30.8
##LDAP_Port 389
# Connect timeout in seconds #LDAP_Connect_Timeout 3
# If SSL is on, must specify the LDAP SSL port, usually 636
#LDAP_Port 636
#LDAP_CertDbDir /usr/foo/ssl
##Base_DN "o=Fox Chase Cancer Center,c=US"
# In Windows 2003
LDAP_Protocol_Version 3
LDAP_Server 192.168.0.1
LDAP_Port 389
Base_DN "DC=muquit,DC=com"
Bind_DN "cn=mmtest,cn=Users,dc=muquit,DC=com"
Bind_Pass "mmtest"
UID_Attr cn
Group_Attr member
#require group "CN=Domain Admins,CN=Users"
require group "CN=Domain Guests,CN=Users"
</Directory>

Caching Mechanism

Just FYI, the module does not cache the plain text password in any event. The password stored in memory is MD5 crypted, so even if the server cores for some reason, a dictionary attack will be hard if the passwords are strong. The same goes for disk based caching. However, use disk based caching with caution, as the MD5 crypted passwords are stored in the database: if someone can get hold of your database, a dictionary attack can be launched. I added this feature because some people asked for it. Disk based caching can be very useful in certain situations; I'll leave that to your imagination. Use it only if you're confident that no one will be able to get hold of the database.

The following flow diagrams show the caching mechanism:

PDF version: cache.pdf

PDF version: cache_group.pdf

The authorization flow is similar to the above if the user is authorized by an LDAP attribute or by an LDAP filter.

Please let me know if you see any problem with the mechanism. Suggestions and bug reports are always welcome!
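To make the cache check concrete, here is an added illustration of the flow described above (my own example, not code from the module): a salted MD5 stands in for the module's MD5 crypt (an assumption, not its exact crypt format), the TTL plays the role of LDAP_CacheTTL_G, the table size that of LDAP_HashTableSize_G with its 75% fullness note, and the LDAP bind on a cache miss is a simulated callback supplied by the caller.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, salt=None):
    """Salted MD5 stand-in for the module's MD5 crypt (assumption). The cache
    never holds the plain text password, only (salt, digest)."""
    salt = os.urandom(8) if salt is None else salt
    return salt, hashlib.md5(salt + password.encode()).hexdigest()


class AuthCache:
    """Per-user entries of (salt, digest, expiry), like the memory cache."""

    def __init__(self, table_size=1024, ttl=300, clock=time.time):
        self.table_size = table_size   # LDAP_HashTableSize_G
        self.ttl = ttl                 # LDAP_CacheTTL_G (seconds)
        self.clock = clock             # injectable for deterministic tests
        self.entries = {}

    def too_full(self):
        """True once the table is past the 75% load the note recommends."""
        return len(self.entries) > 0.75 * self.table_size

    def lookup(self, user, password):
        """Hit only if an unexpired entry exists and the hash matches."""
        entry = self.entries.get(user)
        if entry is None:
            return False
        salt, digest, expires = entry
        if self.clock() >= expires:    # TTL elapsed: drop and re-auth via LDAP
            del self.entries[user]
            return False
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def store(self, user, password):
        salt, digest = hash_password(password)
        self.entries[user] = (salt, digest, self.clock() + self.ttl)


def authenticate(cache, ldap_bind, user, password):
    """Returns (ok, source). Source 'Memory' mirrors the value the module
    exports in MOD_AUTH_LDAP_CACHE_TYPE on a cache hit; 'LDAP' means a bind."""
    if cache.lookup(user, password):
        return True, "Memory"
    if ldap_bind(user, password):      # constructed stand-in for the LDAP bind
        cache.store(user, password)
        return True, "LDAP"
    return False, None
```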

ChangeLog

    2.16

  • The directive SupportNestedGroups is a global directive and changed to SupportNestedGroups_G. Nested group code was broken as well. Thanks to james jurack for reporting it.

  • Do not specify LDAP_Persistent_G Off. This code may have some bugs.
    (May-23-2004)

    v2.15

  • If Uid_Attr_Alt is set, the module could crash if debugging is on. Also none of the environment variables were set if the authentication was done from cache. Thanks to fpinho for reporting the bug.
    (May-02-2004)

  • If authentication is done from cache, a new env variable MOD_AUTH_LDAP_CACHE_TYPE will be set. The value of this variable will be set to "Memory" or "Disk".
    (May-02-2004)

    v2.14

  • Multiple group, filter or any LDAP attribute lines can be specified. That means if you specify 3 different groups with require group, all of them will be checked for authorization. In earlier versions, only the first line was used. Example:
    require group cn=itstaff,ou=Groups
    require group cn=webgroup,ou=Groups
    require group cn=foogroup,ou=Groups
    
    or
    require telephonenumber 215-123-4567
    require telephonenumber 610-678-9012
    
    or
    require filter "(mail=muquit@muquit.com)"
    require filter "(mail=foo@bar.com)"
    require filter "(mail=bar@example.com)"
    

    (Apr-25-2004)

  • Caching was not working for filter directive.
    (Apr-25-2004)

    v2.13

  • First release with memory and disk based cache support.
    (Feb-16-2004)

Go to Main page: mod_auth_ldap_apache2.html.
-- 
Muhammad A Muquit, muquit@muquit.com
Updated: Feb-16-2004 
Page updated: Sun Mar 31 01:59:56 2013 GMT   Copyright © 2013 muquit@muquit.com.