Issues with sasl under heavy load, configuration issue?

Paul Hasenohr paul.hasenohr at jrc.it
Mon Apr 7 12:52:51 EDT 2008


Dear List,

I have configured OpenLDAP to use our MIT Kerberos server via saslauthd.
Access to the LDAP server is possible only as either an administrator
or a proxy user (cn=proxyuser,dc=cidsn,dc=jrc,dc=it).
I created a Kerberos principal for proxyuser and used SASL to map
"cn=proxyuser..." to its Kerberos principal.
All our servers (around 20) have processes requiring several connections 
to the 4 LDAP servers every minute thus the proxyuser account is 
intensively used (and many requests are made to the four KDCs).

Even if the servers making use of the LDAP servers are doing fine, I 
found many errors in syslog on all our LDAP servers:
auth_krb5: k5support_verify_tgt
do_auth : auth failure: [user=proxyuser] [service=ldap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]

Related errors in krb5kdc.log:

Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 139.191.240.65: PROCESS_TGS: authtime 0,  <unknown client> for host/s-jrciprcid65v.cidsn.jrc.it at CIDSN.JRC.IT, Request is a replay
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): DISPATCH: repeated (retransmitted?) request from 139.191.240.65, resending previous response
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 139.191.240.65: ISSUE: authtime 1207585176, etypes {rep=16 tkt=16 ses=16}, proxyuser at CIDSN.JRC.IT for krbtgt/CIDSN.JRC.IT at CIDSN.JRC.IT


I then made some tests with testsaslauthd as follows, changing repeatnum:
#testsaslauthd -u proxyuser -p PASSWORD_IN_CLEAR_TEXT -s ldap -R 1
0: OK "Success."

#testsaslauthd -u proxyuser -p PASSWORD_IN_CLEAR_TEXT -s ldap -R 5
0: OK "Success."
1: OK "Success."
2: NO "authentication failed"
3: OK "Success."
4: OK "Success."

-R 10 ->  9 Success / 2 Failed (on average)
-R 20 -> 13 Success / 7 Failed (avg 7, min 5, max 10)
-R 50 -> 27 Success / 23 Failed

I am running Debian Etch with current Debian packages:
   * slapd 2.3.30-5
   * sasl2-bin 2.1.22.dfsg1-8
   * libsasl2-2 2.1.22.dfsg1-8
   * krb5-kdc 1.4.4-7etch5

Could anyone please tell me if this behaviour is to be expected or how 
this could be improved?
-Thanks


Best regards,
Paul Hasenohr

-- 
Paul HASENOHR
Community Image Data portal project
European Commission - Joint Research Centre
TP 266
Via Fermi 2149
21027 ISPRA (VA), ITALY
Tel: +39 0332 78 60 93 - Fax: +39 0332 78 63 69
Web site: http://mars.jrc.it
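An added diagnostic script, not part of the original post: it parses krb5kdc.log lines of the form quoted in the mail and counts, per second and per client address, how many requests the KDC rejected with "Request is a replay" against how many tickets it issued, so the intermittent saslauthd failures can be checked against bursts of identical requests arriving within the same second. The sample input is the three log lines from the mail re-joined onto single lines; the function and field names are my own.

```python
import re
from collections import Counter, defaultdict

# The three krb5kdc.log lines quoted in the mail, re-joined onto single lines
# and otherwise kept exactly as the list archive shows them.
SAMPLE_LOG = """\
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 139.191.240.65: PROCESS_TGS: authtime 0,  <unknown client> for host/s-jrciprcid65v.cidsn.jrc.it at CIDSN.JRC.IT, Request is a replay
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): DISPATCH: repeated (retransmitted?) request from 139.191.240.65, resending previous response
Apr 07 18:19:36 s-jrciprcid65v krb5kdc[1834](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 139.191.240.65: ISSUE: authtime 1207585176, etypes {rep=16 tkt=16 ses=16}, proxyuser at CIDSN.JRC.IT for krbtgt/CIDSN.JRC.IT at CIDSN.JRC.IT
"""

# Syslog prefix written by krb5kdc, then the request type; the rest is free text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ|DISPATCH)(?P<rest>.*)$"
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Outcome markers as they appear in the KDC messages, checked in this order.
OUTCOMES = (
    ("Request is a replay", "replay"),              # replay cache rejected a duplicate
    ("resending previous response", "retransmit"),  # answered from the lookaside cache
    (": ISSUE:", "issue"),                          # a ticket was issued
)

def parse_line(line):
    """Return {ts, host, kind, client, outcome} for one KDC log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ip = IP_RE.search(rest)  # first dotted quad in the message is the client
    outcome = next((tag for needle, tag in OUTCOMES if needle in rest), "other")
    return {"ts": m.group("ts"), "host": m.group("host"), "kind": m.group("kind"),
            "client": ip.group(0) if ip else None, "outcome": outcome}

def summarize(log_text):
    """Count outcomes per (timestamp second, client address)."""
    per_sec = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["client"]:
            per_sec[(rec["ts"], rec["client"])][rec["outcome"]] += 1
    return per_sec

def replay_bursts(log_text, min_replays=1):
    """(ts, client, replays, issues) for each second a client hit the replay cache."""
    return [(ts, client, c["replay"], c["issue"])
            for (ts, client), c in sorted(summarize(log_text).items())
            if c["replay"] >= min_replays]
```

Feed `replay_bursts()` the log of one KDC while running the testsaslauthd loop above; seconds in which the replay count climbs alongside the issued-ticket count are the ones to compare with the saslauthd failures.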
