Saslauthd constantly increasing memory use, solved by enabling caching. Why?

[ktm at rice.edu]

On Tue, Nov 01, 2011 at 12:14:28PM -0400, Mark London wrote:
> ktm at rice.edu wrote:
> >On Tue, Nov 01, 2011 at 11:57:57AM -0400, Mark London wrote:
> >>Hi - On RHEL 6, with the latest updates, I have SASLAUTHD configured
> >>to use PAM authentication.  I'm also running SSSD. U sing this
> >>configuration, the SASLAUTHD processes would gradually increase
> >>memory usage.  After running for several days, each process was
> >>using up about 680M.  Are there any known memory leaks when using
> >>PAM?  I've found posts on the web from people complaining about PAM
> >>memory leaks, but am not sure they still exists.  In any event, I'm
> >>also experiencing that about once a week, SASLAUTHD starts recording
> >>time out errors when trying to contact SSSD, i.e.
> >>"pam_sss(imap:auth): Request to sssd failed. Timer expired."   I
> >>decided to enable SASLAUTHD caching with the -c flag, and was
> >>surprised to discover that the SASLAUTHD processes no longer use up
> >>significant memory (i.e. they are now using < 10M)!  Can anyone
> >>explain this behavior?  Thanks. - Mark
> >Each trip through the PAM stack loses some memory. When you turn on
> >caching, you make a single trip for each authentication via SASL
> >and then it uses the cached copy from then on. This bounds your
> >memory use to N x num-users. Without caching, the growth as you
> >found is unbounded.
> 
> Thanks for the info!  But without caching, does the Mailman related
> memory use, eventually get freed up?

Do not quote me, but there is a problem with the SASL spec and the
needs of the PAM stack that cause the leak and the only way to free the
space is to restart saslauthd.

> 
> Also, are there any bad side effects from turning on caching?  If
> not, why isn't it the default?
> 
> - Mark

When you have auth = authz, then it is more work to lock an account
because the old cached credentials continue to work until they are
removed.

Ken