Does mod_auth_sspi rely on persistent connections to the AD? Does mod_auth_sspi use a connection pool and/or rely on persistent connections to the AD? I've come across timeout issues like this with LDAP/AD integrations, where the AD admins would not allow persistent connections, which would break SVN once all the connections in the pool were dead, and mod_ldap wouldn't recover from this (by knowing to drop and refresh dead connections).
Hope that helps, R. On Mon, Jan 11, 2010 at 2:25 PM, Dave Purrington <dave.purring...@gmail.com>wrote: > Hello, > > Lately we have been experiencing intermittent timeouts with our Subversion > operations. It does not happen initially, but after a while it starts > happening. Restarting Apache alleviates the problem, but it comes back after > a time. As you can imagine, this wreaks havoc. > > Our operating environment: > > - server - Windows 2003 > - Apache 2.2.13 > - Subversion server 1.6.3 > - Subversion client 1.6.6 > - mod_auth_sspi 1.0.4-2.0.58 > - 200+ very active users, ~74K files > > We have been doing a lot of things to try and mitigate the situation, but > to no avail. Changes have included: > > - tweaking the memory module settings (WinNT MPM) > - packing the shards > - trimming hooks down to minimal activity > - monitoring system resources for spikes (none found, plenty of > headroom, no queueing, etc) > - examining the error and access logs (nothing interesting found) > > One thing we cannot get much of a view into is the SSPI authentication > module (mod_auth_sspi). It does not seem to have any instrumentation. Has > anyone experienced timeouts or deadlocks with this module? Google isn't > turning up anything interesting. I've viewed the SVN interactions in > Wireshark. A normal sequence of operations is: > > 1. client: svn log request > 2. server: 401, authorization required > 3. client: send creds > > In the hang scenario, we see just the initial client request (#1). Does > this help or hurt the theory that the mod_auth_sspi/AD interaction is > causing the problem? My next idea is to allow anonymous read access to the > repo, which may help prove that the authentication mechanism is someone > responsible. If nothing else, it should improve the performance. > > Lastly, it might be worth mentioning that I have exposed the same SVN repo > on two different endpoints in Apache. That is, I have two location elements > (with different paths) but they both point to the same repo path. Is there > any problem with doing this? > > Thanks for reading. Please let me know if you have any ideas. > > Regards, > Dave Purrington > >
