(ITS#4791) privileged connections handling in proxy backends

[ando@sys-net.it]

Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.28.220.33)
Submitted by: ando


Privileged connections, under special circumstances, are cached and shared among
client-side connections.  This may result in very heavy traffic between the
proxy and the remote server(s) on a single connection.  As a consequence,
multiple issues may arise:

- heavy contention on the handler's resources
- requests limitation at the remote server side on a single connection (this
occurs if the remote server is OpenLDAP, but other implementations may follow
similar design)
- bottelneck whenever the shared connection needs be regenerated, i.e. because
it expires (conn-ttl)

As a workaround, a pool of privileged connections is proposed.  A fixed maximum
side pool is deisgned, so that whenever a privileged connection is requested,
the related list of connections is walked looking for an idle one (refcnt == 0).
 If found, it's moved to the tail, to provide a simple round-robin mech to avoid
reusing the same connections.  If none is found, a new connection is generated,
if use-temporary-conn is set to yes or the size limit is not reached, or the
thread idles waiting for one to become available.  If a new connection is
created and there's room for it in the list, it's appended.

Tests show a clear benefit on Linux when binding through back-ldap, since this
nicely works around the bottleneck created by sharing the bind connection when
operations are always proxied authz, to save network resources.  Another benefit
is represented by a clear smoothing of the response rates.  Previously, frequent
transients would occur, giving uneven response rates over time, while right now
steady rates under steady conditions are observed.

The patch is coming.

p.