Fwd: mech_step takes long to return

Aditya Khasnis aditya.khasnis at criticalpath.net
Wed Oct 24 08:25:31 EDT 2007


Hello Michael,

I replaced "DEV_RANDOM" with "/dev/urandom" in saslutil.c; somehow the change in 
config.h was not affecting the SASL library when I tried this yesterday (as 
per Rudy's suggestion). I will check why this happened.

The good news is we are able to get the search results back in a normal 
fashion i.e. quickly.

Should we file a request to take this AIX problem into consideration in the 
SASL code? I think everyone who will use the SASL library on AIX 5.2 will 
face the same issue.

I am very thankful to Rudy and you for the help provided, we highly appreciate 
the help.

Thanks and Regards,
Aditya

----------  Forwarded Message  ----------

Subject: Re: Fwd: mech_step takes long to return
Date: Wednesday 24 October 2007 09:19
From: Aditya Khasnis <aditya.khasnis at criticalpath.net>
To: Michael Bacon <baconm at email.unc.edu>
Cc: Rudy Gevaert <Rudy.Gevaert at ugent.be>, cyrus-devel at lists.andrew.cmu.edu

Thanks for your inputs Michael. I will try out a few things and let you know
how it goes.

Regards,
Adi

-----Original Message-----
 Re: Fwd: mech_step takes long to return
 From : Michael Bacon <baconm at email.unc.edu>
 To: aditya.khasnis at criticalpath.net, Rudy Gevaert <Rudy.Gevaert at ugent.be>
 CC: cyrus-devel at lists.andrew.cmu.edu
 Date: Tuesday 23 October 2007 21:39

> It looks like AIX 5.2 has a new implementation of /dev/urandom, and that
> other applications are seeing slowness in the device:
>
> http://www.webservertalk.com/archive92-2004-5-151843.html
>
> Not much that SASL can do if the OS won't give it randomness quickly.
>
> -Michael
>
> --On Tuesday, October 23, 2007 5:59 PM +0530 Aditya Khasnis
> <aditya.khasnis at criticalpath.net> wrote:
> > Thank you for your suggestion Rudy, I changed the config.h as mentioned
> > but the performance didn't improve.
> >
> > It still takes a long time in mech_step. Should I check anything else?
> >
> > Regards,
> > Aditya
> >
> > -----Original Message-----
> >  Re: Fwd: mech_step takes long to return
> >  From : Rudy Gevaert <Rudy.Gevaert at ugent.be>
> >  To: aditya.khasnis at criticalpath.net
> >  CC: cyrus-devel at lists.andrew.cmu.edu
> >  Date: Tuesday 23 October 2007 17:44
> >
> >> Aditya Khasnis wrote:
> >> > Hello,
> >> >
> >> > We have an LDAP server that uses Cyrus SASL library v 1.5.27.
> >> >
> >> > On AIX 5.2, we observe that the SASL searches take long to return. The
> >> > behavior is such that the first SASL search that we fire returns fast
> >> > but the subsequent search takes a long time to return.
> >> >
> >> > I have tried to debug the SASL library, and the place where it takes
> >> > long is the function sasl_server_start(); the exact location is line
> >> > 1205.
> >> >
> >> > It will be great if you could provide us any guidance to
> >> > debug the problem. The mechanism we are using in the search is
> >> > DIGEST-MD5.
> >>
> >> Slowdown in Sasl is most of the time related to the lack of entropy.
> >>
> >> Q: I'm having performance problems on each authentication, there is a
> >> noticeable slowdown when sasl initializes, what can I do?
> >>
> >>      A: libsasl reads from /dev/random as part of its initialization.
> >> /dev/random is a "secure" source of entropy, and will block your
> >> application until a sufficient amount of randomness has been collected
> >> to meet libsasl's needs.
> >>
> >>      To improve performance, you can change DEV_RANDOM in config.h to be
> >> /dev/urandom and recompile libsasl. /dev/urandom offers less secure
> >> random numbers but should return immediately. The included mechanisms,
> >> besides OTP and SRP, use random numbers only to generate nonces, so
> >> using /dev/urandom is safe if you aren't using OTP or SRP.
> >>
> >> (http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)

-------------------------------------------------------
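
A way to confirm that the random device is the bottleneck before rebuilding libsasl with a different DEV_RANDOM, given as an added example (not Cyrus SASL code and not written by anyone in this thread): it times a bounded read from each device. The name probe_random_device, the 64-byte request and the 3-second timeout are assumptions, and POSIX poll() and clock_gettime() are assumed to be available.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

static long ms_since(const struct timespec *t0)
{
    struct timespec t1;
    clock_gettime(CLOCK_MONOTONIC, &t1);
    return (t1.tv_sec - t0->tv_sec) * 1000L + (t1.tv_nsec - t0->tv_nsec) / 1000000L;
}

/* Read up to `want` bytes (max 256) from `path`, giving up after timeout_ms.
 * Returns bytes obtained (short if the device stalled), or -1 if open fails. */
long probe_random_device(const char *path, size_t want, int timeout_ms, long *elapsed_ms)
{
    unsigned char buf[256];                      /* bytes are discarded, never printed */
    struct timespec t0;
    size_t got = 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);  /* never hang the probe itself */
    *elapsed_ms = 0;
    if (fd < 0) return -1;
    if (want > sizeof buf) want = sizeof buf;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    while (got < want && (*elapsed_ms = ms_since(&t0)) < timeout_ms) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms - (int)*elapsed_ms);
        if (r < 0 && errno != EINTR) break;      /* hard poll error */
        if (r <= 0) continue;                    /* timeout or EINTR: re-check deadline */
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) got += (size_t)n;
        else if (n == 0 || (errno != EAGAIN && errno != EINTR)) break;
    }
    *elapsed_ms = ms_since(&t0);
    close(fd);
    return (long)got;
}

int main(void)
{
    long ms, n = probe_random_device("/dev/random", 64, 3000, &ms);
    printf("/dev/random:  %ld/64 bytes in %ld ms\n", n, ms);
    n = probe_random_device("/dev/urandom", 64, 3000, &ms);
    printf("/dev/urandom: %ld/64 bytes in %ld ms\n", n, ms);
    return 0;
}
```

A short count or an elapsed time near the timeout for the device named by DEV_RANDOM points at the entropy source rather than at the SASL mechanism code.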