Issues with sasl under heavy load, configuration issue?
Paul Hasenohr
paul.hasenohr at jrc.it
Mon Apr 7 12:52:51 EDT 2008
Dear List,
I have configured OpenLDAP to use our MIT Kerberos server via saslauthd.
Access to the LDAP server is possible only as either an administrator
or a proxy user (cn=proxyuser,dc=cidsn,dc=jrc,dc=it).
I created a Kerberos principal for proxyuser and used SASL to map
"cn=proxyuser..." to its Kerberos principal.
All our servers (around 20) have processes requiring several connections
to the 4 LDAP servers every minute thus the proxyuser account is
intensively used (and many requests are made to the four KDCs).
Even if the servers making use of the LDAP servers are doing fine, I
found many errors in syslog on all our LDAP servers:
auth_krb5: k5support_verify_tgt
do_auth : auth failure: [user=proxyuser] [service=ldap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
Related errors in krb5kdc.log:
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 139.191.240.65: PROCESS_TGS: authtime 0, <unknown client> for host/s-jrciprcid65v.cidsn.jrc.it at CIDSN.JRC.IT, Request is a replay
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): DISPATCH: repeated (retransmitted?) request from 139.191.240.65, resending previous response
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 139.191.240.65: ISSUE: authtime 1207585176, etypes {rep=16 tkt=16 ses=16}, proxyuser at CIDSN.JRC.IT for krbtgt/CIDSN.JRC.IT at CIDSN.JRC.IT
I then made some tests with testsaslauthd as follows, changing repeatnum:
#testsaslauthd -u proxyuser -p PASSWORD_IN_CLEAR_TEXT -s ldap -R 1
0: OK "Success."
#testsaslauthd -u proxyuser -p PASSWORD_IN_CLEAR_TEXT -s ldap -R 5
0: OK "Success."
1: OK "Success."
2: NO "authentication failed"
3: OK "Success."
4: OK "Success."
-R 10 -> 9 Success / 2 Failed (on average)
-R 20 -> 13 Success / 7 Failed (avg 7, min 5, max 10)
-R 50 -> 27 Success / 23 Failed
I am running Debian Etch with current Debian packages:
* slapd 2.3.30-5
* sasl2-bin 2.1.22.dfsg1-8
* libsasl2-2 2.1.22.dfsg1-8
* krb5-kdc 1.4.4-7etch5
Could anyone please tell me if this behaviour is to be expected or how
this could be improved?
-Thanks
Best regards,
Paul Hasenohr
--
Paul HASENOHR
Community Image Data portal project
European Commission - Joint Research Centre
TP 266
Via Fermi 2149
21027 ISPRA (VA), ITALY
Tel: +39 0332 78 60 93 - Fax: +39 0332 78 63 69
Web site: http://mars.jrc.it
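A small script to quantify the testsaslauthd -R bursts described in the post and to count how many KDC replay detections fall into the same second, which is the pattern the krb5kdc.log excerpt shows. This is an added example, not code from the original post; it assumes testsaslauthd takes the -u/-p/-s/-R flags used above, and the sample lines are constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: tally a testsaslauthd burst and
# count KDC replay detections per second. Assumes testsaslauthd prints one
# 'N: OK "..."' or 'N: NO "..."' line per attempt (as in the post).

# Read testsaslauthd output on stdin; print "<ok> <failed>".
tally_sasl_results() {
    awk '/^[0-9]+: OK/ { ok++ } /^[0-9]+: NO/ { no++ }
         END { printf "%d %d\n", ok + 0, no + 0 }'
}

# Run one burst of N attempts against saslauthd and print "<ok> <failed>".
# Usage: sasl_burst USER PASSWORD SERVICE N
sasl_burst() {
    testsaslauthd -u "$1" -p "$2" -s "$3" -R "$4" | tally_sasl_results
}

# Read krb5kdc.log on stdin; print "<Mon DD HH:MM:SS> <count>" for every
# second in which the KDC flagged at least one request as a replay.
replays_per_second() {
    awk '/Request is a replay/ { c[$1 " " $2 " " $3]++ }
         END { for (k in c) printf "%s %d\n", k, c[k] }' | sort
}

# Constructed sample: the -R 5 run from the post.
SAMPLE_SASL='0: OK "Success."
1: OK "Success."
2: NO "authentication failed"
3: OK "Success."
4: OK "Success."'

# Constructed sample: two replay detections in one second, one a second later.
SAMPLE_KDC='Apr 07 18:19:36 kdc krb5kdc[1834](info): TGS_REQ: PROCESS_TGS: Request is a replay
Apr 07 18:19:36 kdc krb5kdc[1834](info): DISPATCH: repeated (retransmitted?) request
Apr 07 18:19:36 kdc krb5kdc[1834](info): TGS_REQ: PROCESS_TGS: Request is a replay
Apr 07 18:19:37 kdc krb5kdc[1834](info): TGS_REQ: PROCESS_TGS: Request is a replay'

demo_tally()   { printf '%s\n' "$SAMPLE_SASL" | tally_sasl_results; }
demo_replays() { printf '%s\n' "$SAMPLE_KDC" | replays_per_second; }

demo_tally
demo_replays
```

Against a live system, pipe `tail -f /var/log/krb5kdc.log` into replays_per_second while running sasl_burst with increasing N to see the failure count rise with the number of replay detections per second.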