Fwd: mech_step takes long to return

Michael Bacon baconm at email.unc.edu
Tue Oct 23 12:09:01 EDT 2007

It looks like AIX 5.2 has a new implementation of /dev/urandom, and that 
other applications are seeing slowness in the device:


Not much that SASL can do if the OS won't give it randomness quickly.


--On Tuesday, October 23, 2007 5:59 PM +0530 Aditya Khasnis 
<aditya.khasnis at criticalpath.net> wrote:

> Thank you for you suggestion Rudy, I changed the config.h as mentioned
> but the  performance didn't improve.
> It still takes a long in mech_step. Should I check anything else?
> Regards,
> Aditya
> -----Original Message-----
>  Re: Fwd: mech_step takes long to return
>  From : Rudy Gevaert <Rudy.Gevaert at ugent.be>
>  To: aditya.khasnis at criticalpath.net
>  CC: cyrus-devel at lists.andrew.cmu.edu
>  Date: Tuesday 23 October 2007 17:44
>> Aditya Khasnis wrote:
>> > Hello,
>> >
>> > We have a LDAP server that uses Cyrus SASL library v 1.5.27.
>> >
>> > On AIX 5.2, we observe that the SASL searches take long to return. The
>> > behavior is such that the first SASL search that we fire returns fast
>> > but the subsequent search takes long time to return.
>> >
>> > I have tried to debug SASL library and in the place where it takes long
>> > is the function sasl_server_start(), and exact location is line 1205.
>> >
>> > It will be great if you great if you could provide us any guidance to
>> > debug the problem. The mechanism we are using in the search is
>> > DIGEST-MD5.
>> Slowdown in Sasl is most of the time related to the lack of entropy.
>> Q: I'm having performance problems on each authentication, there is a
>> noticeable slowdown when sasl initializes, what can I do?
>>      A:libsasl reads from /dev/random as part of its initialization.
>> /dev/random is a "secure" source of entropy, and will block your
>> application until a sufficient amount of randomness has been collected
>> to meet libsasl's needs.
>>      To improve performance, you can change DEV_RANDOM in config.h to be
>> /dev/urandom and recompile libsasl. /dev/urandom offers less secure
>> random numbers but should return immediately. The included mechanisms,
>> besides OTP and SRP, use random numbers only to generate nonces, so
>> using /dev/urandom is safe if you aren't using OTP or SRP.
>> (http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)

More information about the Cyrus-devel mailing list