Does mod_auth_sspi rely on persistent connections to the AD? Does
mod_auth_sspi use a connection pool and/or rely on persistent connections to
the AD? I've come across timeout issues like this with LDAP/AD integrations,
where the AD admins would not allow persistent connections, which would
break SVN once all the connections in the pool were dead, and mod_ldap
wouldn't recover from this (by knowing to drop and refresh dead
connections).
Hope that helps,
R.
On Mon, Jan 11, 2010 at 2:25 PM, Dave Purrington
<dave.purrington_at_gmail.com>wrote:
> Hello,
>
> Lately we have been experiencing intermittent timeouts with our Subversion
> operations. It does not happen initially, but after a while it starts
> happening. Restarting Apache alleviates the problem, but it comes back after
> a time. As you can imagine, this wreaks havoc.
>
> Our operating environment:
>
> - server - Windows 2003
> - Apache 2.2.13
> - Subversion server 1.6.3
> - Subversion client 1.6.6
> - mod_auth_sspi 1.0.4-2.0.58
> - 200+ very active users, ~74K files
>
> We have been doing a lot of things to try and mitigate the situation, but
> to no avail. Changes have included:
>
> - tweaking the memory module settings (WinNT MPM)
> - packing the shards
> - trimming hooks down to minimal activity
> - monitoring system resources for spikes (none found, plenty of
> headroom, no queueing, etc)
> - examining the error and access logs (nothing interesting found)
>
> One thing we cannot get much of a view into is the SSPI authentication
> module (mod_auth_sspi). It does not seem to have any instrumentation. Has
> anyone experienced timeouts or deadlocks with this module? Google isn't
> turning up anything interesting. I've viewed the SVN interactions in
> Wireshark. A normal sequence of operations is:
>
> 1. client: svn log request
> 2. server: 401, authorization required
> 3. client: send creds
>
> In the hang scenario, we see just the initial client request (#1). Does
> this help or hurt the theory that the mod_auth_sspi/AD interaction is
> causing the problem? My next idea is to allow anonymous read access to the
> repo, which may help prove that the authentication mechanism is someone
> responsible. If nothing else, it should improve the performance.
>
> Lastly, it might be worth mentioning that I have exposed the same SVN repo
> on two different endpoints in Apache. That is, I have two location elements
> (with different paths) but they both point to the same repo path. Is there
> any problem with doing this?
>
> Thanks for reading. Please let me know if you have any ideas.
>
> Regards,
> Dave Purrington
>
>
Received on 2010-01-11 22:20:16 CET