Lemonldap::NG is designed to be very performant. In particular, it takes advantage of the Apache2 threading capabilities, so to optimize performance prefer the mpm-worker MPM.

Handlers check rights and compute headers for every HTTP hit. So to improve performance, avoid overly complex rules: move the logic into macros, groups or local macros.

Macros and groups are calculated during authentication process by the portal:

  • macros are used to extend (or rewrite) exported variables. A macro is stored as an attribute: it can contain a boolean result or any string
  • groups are stored as a space-separated string in the special attribute "groups": it contains the names of the groups whose rules evaluated to true for the current user

Example for macros:

# boolean macro
isAdmin -> $uid eq 'foo' or $uid eq 'bar'
# other macro 
displayName -> $givenName." ".$surName
# Use a boolean macro in a rule
^/admin -> $isAdmin
# Use a string macro in a HTTP header
Display-Name -> $displayName

Example for groups:

# group
admin -> $uid eq 'foo' or $uid eq 'bar'
# Use a group in a rule
^/admin -> $groups =~ /\badmin\b/

Macros and groups are stored in the session database. Local macros are a special handler feature that provides macros usable locally only. Such a macro is computed only on first use and stored in the local session cache (for this server only), and only if the user actually accesses the related application. This avoids storing too much data in the session database.

# rule
admin -> $admin ||= ($uid eq 'foo' or $uid eq 'bar')
# header
Display-Name -> $displayName ||= $givenName." ".$surName
Note that this feature is only worthwhile for Lemonldap::NG deployments protecting a large number of applications.
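The following is an added example, not Lemonldap::NG code: a small simulation of the portal computing the macros and groups above once at login, and of a handler then evaluating rules on every hit against its own copy of the session, including a local macro cached with "||=". The compile_rule() helper only mimics the real rule compiler by binding every $name in a rule to a session attribute; the session values, rules and URIs are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG code: a minimal simulation of the
# portal computing macros and groups once at login, and of a handler then
# evaluating access rules against its local copy of the session, including
# a local macro cached with "||=". The compile_rule() helper only mimics
# the real rule compiler: it binds every $name in a rule to a session key.
use strict;
use warnings;

# Turn a rule written as a Perl expression over session attributes
# (e.g. "$uid eq 'foo'") into a closure taking a session hashref.
sub compile_rule {
    my ($expr) = @_;
    (my $code = $expr) =~ s/\$(\w+)/\$_s->{'$1'}/g;
    my $sub = eval "no warnings 'uninitialized'; sub { my \$_s = shift; $code }";
    die "cannot compile rule '$expr': $@" if $@;
    return $sub;
}

# ---- Portal side: evaluated once, at authentication -----------------------
my %session = (uid => 'foo', givenName => 'John', surName => 'Doe'); # constructed

my %macros = (
    isAdmin     => q{$uid eq 'foo' or $uid eq 'bar'},
    displayName => q{$givenName." ".$surName},
);
my %groups = (
    admin => q{$uid eq 'foo' or $uid eq 'bar'},
    su    => q{$uid eq 'root'},
);

# Macro results become session attributes (evaluation order simplified:
# the real portal also lets a macro reference an earlier macro).
$session{$_} = compile_rule($macros{$_})->(\%session) for sort keys %macros;
# Group names whose rule is true are joined into the "groups" attribute.
$session{groups} = join ' ',
    grep { compile_rule($groups{$_})->(\%session) } sort keys %groups;

# ---- Handler side: rules run on every hit against the local cache --------
my %rules = (
    '^/admin/'    => q{$isAdmin},                                    # boolean macro
    '^/intranet/' => q{$groups =~ /\badmin\b/},                      # group membership
    '^/reports/'  => q{$admin ||= ($uid eq 'foo' or $uid eq 'bar')}, # local macro
);
my %compiled = map { $_ => compile_rule($rules{$_}) } keys %rules;

# Returns 'granted' or 'denied' for a URI; $cache is this server's copy of
# the session, so a local macro's "||=" writes only into this copy.
sub check_access {
    my ($cache, $uri) = @_;
    for my $prefix (sort keys %compiled) {
        next unless $uri =~ /$prefix/;
        return $compiled{$prefix}->($cache) ? 'granted' : 'denied';
    }
    return 'denied'; # assumption: deny when no rule matches
}

# Two handler servers that each fetched the same session from the database.
my %server_a = %session;
my %server_b = %session;

print "displayName header: $session{displayName}\n";   # John Doe
print "groups attribute:   $session{groups}\n";         # admin
print "/admin/   -> ", check_access(\%server_a, '/admin/'), "\n";
print "/intranet -> ", check_access(\%server_a, '/intranet/'), "\n";
print "local macro on A before first use: ",
    (exists $server_a{admin} ? 'cached' : 'not computed'), "\n";
print "/reports  -> ", check_access(\%server_a, '/reports/q1'), "\n";
print "local macro on A after first use:  ",
    (exists $server_a{admin} ? 'cached' : 'not computed'), "\n";
print "local macro on B (never hit /reports/): ",
    (exists $server_b{admin} ? 'cached' : 'not computed'), "\n";
```

Two things worth noticing when running it: the local macro only appears in server A's copy, and only after the first hit on /reports/, which is the behaviour described above. Also, because "||=" only stores a true value, a local macro whose result is false for a given user (a non-admin hitting /reports/) is re-evaluated on every hit, so the caching only pays off for the users it grants; write the expression so that the expensive branch is the one that yields a true value, or accept the recomputation.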

The portal is the biggest component of Lemonldap::NG. It is recommended to run it under ModPerl::Registry rather than as a cgi-script, as described in the Apache configuration file example (portal-apache2.conf):

<Files *.pl>
    SetHandler perl-script
    PerlResponseHandler ModPerl::Registry
</Files>

To make the portal start faster when the server is restarted, preload its modules by adding these lines to the Apache configuration file, inside a <Perl> section (as described in portal-apache2.conf):

<Perl>
    require Lemonldap::NG::Portal::SharedConf;
    require CGI;
    CGI->compile(qw(delete header cache read_from_client cookie redirect unescapeHTML));
    # Uncomment this line if you use Lemonldap::NG menu
    #require Lemonldap::NG::Portal::Menu;
    # Uncomment this line if you use portal SOAP capabilities
    #require SOAP::Lite;
</Perl>

Lemonldap::NG handlers use a local cache to store sessions (for 10 minutes), so the Apache::Session module is not a problem for handlers. It can be a bottleneck for the portal:

  1. When you use the multiple-sessions restriction parameters, all sessions are parsed at each authentication unless you use an Apache::Session::Browseable module.
  2. Since MySQL does not always provide transactions, Apache::Session::MySQL was designed to use MySQL locks. MySQL performance is very poor with them, so if you want to store sessions in a MySQL database, prefer one of the following:

Replace MySQL by Apache::Session::Flex

In "Apache::Session module" field, set "Apache::Session::Flex" and use the following parameters:

Store      -> MySQL
Lock       -> Null
Generate   -> MD5
Serialize  -> Storable
DataSource -> dbi:mysql:sessions;host=...
UserName   -> ...
Password   -> ...

Use Apache::Session::Browseable

Apache::Session::Browseable is a wrapper around other Apache::Session modules that adds the capability to manage indexes. To use it (with MySQL for example), choose "Apache::Session::Browseable::MySQL" as "Apache::Session module" and use the following parameters:

DataSource -> dbi:mysql:sessions;host=...
UserName   -> user
Password   -> password
Index      -> ipAddr uid

Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks.

An Apache::Session::Browseable::Redis module has also been created; it is the fastest.
Some Apache::Session modules cannot be used by Lemonldap::NG, such as Apache::Session::Memcached, because they offer no way to browse sessions.

The LDAP server can be a bottleneck when you use LDAP group recovery. You can avoid it by populating "memberOf" attributes in your LDAP directory:

dn: uid=foo,dmdName=people,dc=example,dc=com
memberOf: cn=admin,dmdName=groups,dc=example,dc=com
memberOf: cn=su,dmdName=groups,dc=example,dc=com

So instead of using LDAP group recovery, you just have to store the "memberOf" attribute in your exported variables. With OpenLDAP, you can use the memberof overlay to maintain it automatically.

Don't forget to create an index on the attribute used to find users (uid by default).
To avoid storing group DNs in session data, you can use a macro to rewrite memberOf:
  • Exported variables:
ldapgroups -> memberOf
At this point ldapgroups contains "cn=admin,dmdName=groups,dc=example,dc=com cn=su,dmdName=groups,dc=example,dc=com"
  • A small macro:
ldapgroups -> join(" ",($ldapgroups =~ /cn=(.*?),/g))
Now ldapgroups contains "admin su"
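The following is an added example, not Lemonldap::NG code: it runs the memberOf-rewriting macro above on a constructed $ldapgroups value that also contains an Active Directory style DN and a group DN with a nested "cn=" container, and puts a stricter variant next to it that keeps only the leading "cn=" RDN of each DN. The sample DNs and the in_group() check are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG code: what the memberOf-rewriting macro
# above produces on a constructed $ldapgroups value, next to a stricter
# variant that keeps only the leading "cn=" RDN of each DN.
use strict;
use warnings;

# Multi-valued memberOf as the portal exports it: values joined with a
# space (constructed; the last two DNs are deliberately awkward cases).
my $ldapgroups = join ' ',
    'cn=admin,dmdName=groups,dc=example,dc=com',
    'cn=su,dmdName=groups,dc=example,dc=com',
    'CN=Domain Users,CN=Users,DC=example,DC=com',  # upper-case RDNs (Active Directory)
    'cn=ops,cn=teams,dc=example,dc=com';           # a cn= container below the group

# The macro from the page: every "cn=...," anywhere in the string, case-sensitive.
sub macro_from_page {
    my ($v) = @_;
    return join(" ", ($v =~ /cn=(.*?),/g));
}

# Stricter variant: only a "cn=" that starts a DN (string start or right
# after the separating space), case-insensitive, value up to the first comma.
sub macro_leading_cn {
    my ($v) = @_;
    return join(" ", ($v =~ /(?:^|\s)cn=([^,]+),/gi));
}

# Membership check as a handler rule would do it on the rewritten attribute.
sub in_group {
    my ($groups, $name) = @_;
    return $groups =~ /\b\Q$name\E\b/ ? 1 : 0;
}

my $page = macro_from_page($ldapgroups);
my $leaf = macro_leading_cn($ldapgroups);
print "page macro : $page\n";   # admin su ops teams
print "leading cn : $leaf\n";   # admin su Domain Users ops
printf "in_group(page, 'teams')        = %d  (a container, not a group)\n", in_group($page, 'teams');
printf "in_group(leaf, 'teams')        = %d\n", in_group($leaf, 'teams');
printf "in_group(leaf, 'Domain Users') = %d\n", in_group($leaf, 'Domain Users');
```

On this input the page's regex drops the Active Directory group entirely (it matches "cn=" case-sensitively) and adds the container name "teams" as if it were a group, so a rule such as $ldapgroups =~ /\bteams\b/ would grant access on the basis of a container rather than a group membership. Anchoring the match on the start of each DN avoids both problems. Keep in mind that with a space as the separator a check like in_group($leaf, 'Users') also matches inside "Domain Users"; if your group names can contain spaces, choose a separator that cannot appear in a CN.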