This module was created to improve the performance of websites relying on backend connections to LDAP servers. In addition to the functions provided by the standard LDAP libraries, this module adds an LDAP connection pool and an LDAP shared memory cache.
To enable this module, LDAP support must be compiled into apr-util. This is achieved by adding the --with-ldap flag to the ./configure script when building Apache.
SSL support requires that
The following is an example configuration that uses
LDAP connections are pooled from request to request. This allows the LDAP server to remain connected and bound ready for the next request, without the need to unbind/connect/rebind. The performance advantages are similar to the effect of HTTP keepalives.
On a busy server it is possible that many requests will try to access the same LDAP server connection simultaneously. Where an LDAP connection is already in use, Apache will create a new connection alongside the original one. This ensures that the connection pool does not become a bottleneck.
There is no need to manually enable connection pooling in the Apache configuration. Any module using this module for access to LDAP services will share the connection pool.
For improved performance,
The process of doing a search and then a bind is the most time-consuming aspect of LDAP operation, especially if the directory is large. The search/bind cache is used to cache all searches that resulted in successful binds. Negative results (i.e., unsuccessful searches, or searches that did not result in a successful bind) are not cached. The rationale behind this decision is that connections with invalid credentials are only a tiny percentage of the total number of connections, so by not caching invalid credentials, the size of the cache is reduced.
The search and bind cache is controlled with the
During attribute and distinguished name comparison functions,
The behavior of both of these caches is controlled with the
ldap-status, so the following directives could be used to access the
By fetching the URL http://servername/cache-info, the administrator can get a status report of every cache that is used by httpd
instance has its own cache, so reloading the URL will result in different information each time, depending on which httpd instance processes the request.
The ability to create SSL connections to an LDAP server is defined by the directives
If cert7.db
database. The easiest way to get this file is to start up a fresh copy of Netscape, and grab the resulting $HOME/.netscape/cert7.db file.
Specifies the number of bytes to allocate for the shared memory cache. The default is 100kb. If set to 0, shared memory caching will not be used.
Specifies the directory path and file name of the shared memory cache file. If not set, anonymous shared memory will be used if the platform supports it.
Specifies the maximum size of the primary LDAP cache. This cache contains successful search/binds. Set it to 0 to turn off search/bind caching. The default size is 1024 cached searches.
Specifies the time (in seconds) that an item in the search/bind cache remains valid. The default is 600 seconds (10 minutes).
This specifies the number of entries
Specifies the time (in seconds) that entries in the operation cache remain valid. The default is 600 seconds.
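As an added example (not configuration from this page or from the Apache project), here is how the shared memory cache, the two cache TTLs and the ldap-status handler described above fit together in httpd.conf. The directive names are the mod_ldap ones as known to the editor; the 2.0-era Order/Deny/Allow access syntax, the 200000-byte cache size and the 300-second TTLs are assumptions.

```apache
# Added example, not the page's own configuration. Directive names are
# those of mod_ldap as known to the editor; the access-control syntax
# (Apache 2.0/2.2 style) and the numeric values are assumptions.

# Shared memory cache: larger than the 100kb default so that the
# search/bind and compare caches are not evicted constantly on a busy
# server. Setting this to 0 disables shared memory caching entirely.
LDAPSharedCacheSize 200000

# Search/bind cache. Only successful binds are cached, but a cached
# success is honoured for the full TTL: a password change or account
# lock in the directory takes effect for httpd only after the entry
# expires, so keep the TTL short where that matters.
LDAPCacheEntries 1024
LDAPCacheTTL 300

# Operation (compare) cache; the same TTL consideration applies to
# cached group-membership and attribute comparisons.
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 300

# Status handler. It lists every cached entry (distinguished names
# included), so it must not be reachable anonymously; here it is
# limited to requests from the local host.
<Location /cache-info>
    SetHandler ldap-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Because each httpd instance keeps its own cache, the report at /cache-info reflects only the process that served that particular request.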
It specifies the directory path and file name of the trusted CA cert7.db.
The following types are supported:
DER_FILE - file in binary DER format
BASE64_FILE - file in Base64 format
CERT7_DB_PATH - Netscape certificate database file