Fwd: mech_step takes long to return
Michael Bacon
baconm at email.unc.edu
Tue Oct 23 12:09:01 EDT 2007
It looks like AIX 5.2 has a new implementation of /dev/urandom, and that
other applications are seeing slowness in the device:
http://www.webservertalk.com/archive92-2004-5-151843.html
Not much that SASL can do if the OS won't give it randomness quickly.
-Michael
--On Tuesday, October 23, 2007 5:59 PM +0530 Aditya Khasnis
<aditya.khasnis at criticalpath.net> wrote:
> Thank you for you suggestion Rudy, I changed the config.h as mentioned
> but the performance didn't improve.
>
> It still takes a long in mech_step. Should I check anything else?
>
> Regards,
> Aditya
>
> -----Original Message-----
> Re: Fwd: mech_step takes long to return
> From : Rudy Gevaert <Rudy.Gevaert at ugent.be>
> To: aditya.khasnis at criticalpath.net
> CC: cyrus-devel at lists.andrew.cmu.edu
> Date: Tuesday 23 October 2007 17:44
>
>
>> Aditya Khasnis wrote:
>> > Hello,
>> >
>> > We have a LDAP server that uses Cyrus SASL library v 1.5.27.
>> >
>> > On AIX 5.2, we observe that the SASL searches take long to return. The
>> > behavior is such that the first SASL search that we fire returns fast
>> > but the subsequent search takes long time to return.
>> >
>> > I have tried to debug SASL library and in the place where it takes long
>> > is the function sasl_server_start(), and exact location is line 1205.
>> >
>> > It will be great if you great if you could provide us any guidance to
>> > debug the problem. The mechanism we are using in the search is
>> > DIGEST-MD5.
>>
>> Slowdown in Sasl is most of the time related to the lack of entropy.
>>
>> Q: I'm having performance problems on each authentication, there is a
>> noticeable slowdown when sasl initializes, what can I do?
>>
>> A:libsasl reads from /dev/random as part of its initialization.
>> /dev/random is a "secure" source of entropy, and will block your
>> application until a sufficient amount of randomness has been collected
>> to meet libsasl's needs.
>>
>> To improve performance, you can change DEV_RANDOM in config.h to be
>> /dev/urandom and recompile libsasl. /dev/urandom offers less secure
>> random numbers but should return immediately. The included mechanisms,
>> besides OTP and SRP, use random numbers only to generate nonces, so
>> using /dev/urandom is safe if you aren't using OTP or SRP.
>>
>> (http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)
More information about the Cyrus-devel
mailing list