FreeRADIUS / mod_auth_radius

The FreeRADIUS Apache module for RADIUS authentication

added the ability to cache authentication locally #5

Closed nmadura closed 8 years ago

nmadura commented 10 years ago

The modifications to this module were written to reduce strain on radius servers when the client does not support cookies. Namely, the cookie storage mechanism works great when your client is a web browser or in a small environment.

However, in a larger enterprise environment where the radius server in-turn passes authentication off to ldap/kerb servers where negotiation is on the order of a second or two if the client does not support cookies, this authentication mechanism really starts to bog down.

Namely, we are using this module to authenticate our SVN clients over https; we were experiencing tremendous slowdowns when transferring larger numbers (10+) of changed files to the server. The slowdown occurred because the SVN clients don't support a cookie, so the full client <=> apache <=> radius <=> kerb path had to be traversed for every file that was being sent! So one file would take 2-3 seconds to transfer, and 20 files were taking 40-60 seconds to transfer instead of a couple of seconds because of the amount of time that was required to handle the authentication.

By default authentication information is only held in the tables for 30 seconds, and the password is stored in its xor'd form; this allows for repeated authentication attempts to be handled directly by the Apache server rather than by having to traverse through the radius environment. We have been using this modification for quite some time, and it seems to work rather well.

You should be able to fully deactivate the modified code by removing the #define USE_LOCAL_CACHE

Let me know if you have any questions.

arr2036 commented 10 years ago

Is it possible to disable caching with a configuration option, if not could this be added, if so is it disabled by default?

nmadura commented 10 years ago

That seems like a reasonable request, I will have to look into it, I will try to spend a few minutes on it over the weekend if possible.

arr2036 commented 10 years ago

Just fixup the commits on this branch, no need to open another one.

jpereira commented 8 years ago

Thinking about that...

I guess that this could be a bad idea, because if you set a long cache period and in the middle of that time the user won/lost the granted permission:

The cache can permit or deny based on a wrong permission.
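An added illustration (not code from this PR or from mod_auth_radius) of the mechanism nmadura describes above, a short-lived local cache of successful RADIUS authentications, together with the staleness concern jpereira raises: entries expire after the 30-second default, a mismatching password is never served from the cache, and an `invalidate` hook lets a permission change drop a user early. The class, function names, the injectable clock and the salted-hash storage (used here in place of the xor'd form the PR describes) are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time

CACHE_TTL_SECONDS = 30  # the 30-second default described in the PR


class LocalAuthCache:
    """Caches successful authentications keyed by username (hypothetical)."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested
        self._entries = {}            # user -> (salt, digest, expires_at)

    @staticmethod
    def _digest(salt, password):
        # Salted hash instead of a recoverable xor'd password (assumption);
        # iteration count kept modest because this runs on every cached hit.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def remember(self, user, password):
        salt = os.urandom(16)
        expires_at = self.clock() + self.ttl
        self._entries[user] = (salt, self._digest(salt, password), expires_at)

    def check(self, user, password):
        """True only for an unexpired entry whose password matches."""
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if self.clock() >= expires_at:
            del self._entries[user]   # expired: caller must go back to RADIUS
            return False
        return hmac.compare_digest(digest, self._digest(salt, password))

    def invalidate(self, user):
        """Drop a user early, e.g. when their permissions change."""
        self._entries.pop(user, None)


def authenticate(cache, user, password, radius_auth):
    """Serve repeat requests from the cache; otherwise ask RADIUS and cache success."""
    if cache.check(user, password):
        return True
    if radius_auth(user, password):
        cache.remember(user, password)
        return True
    return False
```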

arr2036 commented 8 years ago

Assuming this is dead...