Fwd: mech_step takes long to return
aditya.khasnis at criticalpath.net
Wed Oct 24 08:25:31 EDT 2007
I replaced "DEV_RANDOM" with "/dev/urandom" in saslutil.c; somehow the change in
config.h was not affecting the SASL library when I tried this yesterday (as
per Rudy's suggestion). I will check why this happened.
The good news is we are able to get the search results back in a normal
fashion i.e. quickly.
Should we file a request to take this AIX problem into consideration in the
SASL code? I think everyone who will use the SASL library on AIX 5.2 will
face the same issue.
I am very thankful to Rudy and you for the help provided, we highly appreciate
Thanks and Regards,
---------- Forwarded Message ----------
Subject: Re: Fwd: mech_step takes long to return
Date: Wednesday 24 October 2007 09:19
From: Aditya Khasnis <aditya.khasnis at criticalpath.net>
To: Michael Bacon <baconm at email.unc.edu>
Cc: Rudy Gevaert <Rudy.Gevaert at ugent.be>, cyrus-devel at lists.andrew.cmu.edu
Thanks for your inputs Michael. I will try out a few things and let you know
how it goes.
Re: Fwd: mech_step takes long to return
From : Michael Bacon <baconm at email.unc.edu>
To: aditya.khasnis at criticalpath.net, Rudy Gevaert <Rudy.Gevaert at ugent.be>
CC: cyrus-devel at lists.andrew.cmu.edu
Date: Tuesday 23 October 2007 21:39
> It looks like AIX 5.2 has a new implementation of /dev/urandom, and that
> other applications are seeing slowness in the device:
> Not much that SASL can do if the OS won't give it randomness quickly.
> --On Tuesday, October 23, 2007 5:59 PM +0530 Aditya Khasnis
> <aditya.khasnis at criticalpath.net> wrote:
> > Thank you for your suggestion Rudy, I changed the config.h as mentioned
> > but the performance didn't improve.
> > It still takes a long time in mech_step. Should I check anything else?
> > Regards,
> > Aditya
> > -----Original Message-----
> > Re: Fwd: mech_step takes long to return
> > From : Rudy Gevaert <Rudy.Gevaert at ugent.be>
> > To: aditya.khasnis at criticalpath.net
> > CC: cyrus-devel at lists.andrew.cmu.edu
> > Date: Tuesday 23 October 2007 17:44
> >> Aditya Khasnis wrote:
> >> > Hello,
> >> >
> >> > We have an LDAP server that uses Cyrus SASL library v 1.5.27.
> >> >
> >> > On AIX 5.2, we observe that the SASL searches take long to return. The
> >> > behavior is such that the first SASL search that we fire returns fast
> >> > but the subsequent search takes a long time to return.
> >> >
> >> > I have tried to debug the SASL library, and the place where it takes
> >> > long is the function sasl_server_start(); the exact location is line
> >> > 1205.
> >> >
> >> > It will be great if you could provide us any guidance to
> >> > debug the problem. The mechanism we are using in the search is
> >> > DIGEST-MD5.
> >> Slowdown in SASL is most of the time related to the lack of entropy.
> >> Q: I'm having performance problems on each authentication, there is a
> >> noticeable slowdown when sasl initializes, what can I do?
> >> A: libsasl reads from /dev/random as part of its initialization.
> >> /dev/random is a "secure" source of entropy, and will block your
> >> application until a sufficient amount of randomness has been collected
> >> to meet libsasl's needs.
> >> To improve performance, you can change DEV_RANDOM in config.h to be
> >> /dev/urandom and recompile libsasl. /dev/urandom offers less secure
> >> random numbers but should return immediately. The included mechanisms,
> >> besides OTP and SRP, use random numbers only to generate nonces, so
> >> using /dev/urandom is safe if you aren't using OTP or SRP.
> >> (http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)
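
The following probe is an added example, not part of this thread or of the Cyrus SASL source: it checks whether a random device can supply a nonce-sized read without blocking, the symptom discussed above. The function names and the 16-byte nonce size are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NONBLOCK and clock_gettime */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: read up to len bytes from a random device without
 * blocking. Returns the bytes obtained (fewer than len means the device
 * would have blocked or failed mid-read), or -1 if it cannot be opened. */
static long read_random_nonblock(const char *path, unsigned char *buf, size_t len)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;
        else if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        else
            break;                  /* EAGAIN, EOF or hard error: stop */
    }
    close(fd);
    return (long)got;
}

/* Time one nonce-sized read and report how much the device delivered. */
static long probe(const char *path)
{
    unsigned char buf[16];          /* 16 bytes: assumed nonce size */
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    long got = read_random_nonblock(path, buf, sizeof buf);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    double ms = (t1.tv_sec - t0.tv_sec) * 1e3 + (t1.tv_nsec - t0.tv_nsec) / 1e6;
    printf("%-13s got %ld of %zu bytes in %.3f ms\n", path, got, sizeof buf, ms);
    return got;
}

int main(void)
{
    probe("/dev/random");
    probe("/dev/urandom");
    return 0;
}
```

A short count means a blocking read of that device would have stalled the caller; a full count with a large elapsed time means the device itself is slow.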