Saslauthd constantly increasing memory use, solved by enabling caching. Why?

wright at mnstarfire.com wright at mnstarfire.com
Tue Nov 1 12:24:12 EDT 2011


I was noticing a memory leak on our server and this discussion makes me 
wonder if this is the culprit. 

When you say "decided to enable SASLAUTHD caching with the -c flag" 
can you clarify exactly where you did this?

Thank you,
- John

On Tue, 1 Nov 2011 11:19:23 -0500, "ktm at rice.edu"  wrote:
On Tue, Nov 01, 2011 at 12:14:28PM -0400, Mark London wrote:
> > ktm at rice.edu wrote:
> > >On Tue, Nov 01, 2011 at 11:57:57AM -0400, Mark London wrote:
> > >>Hi - On RHEL 6, with the latest updates, I have SASLAUTHD configured
> > >>to use PAM authentication.  I'm also running SSSD. Using this
> > >>configuration, the SASLAUTHD processes would gradually increase
> > >>memory usage.  After running for several days, each process was
> > >>using up about 680M.  Are there any known memory leaks when using
> > >>PAM?  I've found posts on the web from people complaining about PAM
> > >>memory leaks, but am not sure they still exist.  In any event, I'm
> > >>also experiencing that about once a week, SASLAUTHD starts recording
> > >>time out errors when trying to contact SSSD, i.e. 
> > >>"pam_sss(imap:auth): Request to sssd failed. Timer expired."   I
> > >>decided to enable SASLAUTHD caching with the -c flag, and was
> > >>surprised to discover that the SASLAUTHD processes no longer use up
> > >>significant memory (i.e. they are now using < 10M)!  Can anyone
> > >>explain this behavior?  Thanks. - Mark
> > >Each trip through the PAM stack loses some memory. When you turn on
> > >caching, you make a single trip for each authentication via SASL
> > >and then it uses the cached copy from then on. This bounds your
> > >memory use to N x num-users. Without caching, the growth as you
> > >found is unbounded. 
> > > Thanks for the info!  But without caching, does the Mailman-related
> > memory use eventually get freed up?
>
> Do not quote me, but there is a problem with the SASL spec and the
> needs of the PAM stack that cause the leak and the only way to free the
> space is to restart saslauthd. 
>
> > > Also, are there any bad side effects from turning on caching?  If
> > not, why isn't it the default?
> > > - Mark
>
> When you have auth = authz, then it is more work to lock an account
> because the old cached credentials continue to work until they are
> removed. 
>
> Ken
>
>
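The trade-off discussed in this thread, as an added example that is not part of the original messages and is not saslauthd's code: a simplified model of a credential cache with a timeout, showing that repeated logins make one trip to the backend and that a locked account keeps authenticating until its cache entry expires. The class names, the sample account and the 300-second timeout are assumptions; caching only successful results is an assumption of the model.

```python
import hashlib


class Backend:
    """Stand-in for the PAM stack: the authoritative account store (hypothetical)."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)   # user -> password
        self.locked = set()
        self.trips = 0                   # number of trips through the backend

    def check(self, user, password):
        self.trips += 1
        return user not in self.locked and self.accounts.get(user) == password


class CachingAuthenticator:
    """Model of a positive-result credential cache with a timeout (assumed design)."""
    def __init__(self, backend, ttl):
        self.backend, self.ttl = backend, ttl
        self.cache = {}                  # user -> (credential digest, expiry time)

    @staticmethod
    def _digest(user, password):
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def authenticate(self, user, password, now):
        digest = self._digest(user, password)
        hit = self.cache.get(user)
        if hit and hit[0] == digest and now < hit[1]:
            return True                  # served from cache: backend never consulted
        self.cache.pop(user, None)       # stale or mismatched entry is dropped
        ok = self.backend.check(user, password)
        if ok:
            self.cache[user] = (digest, now + self.ttl)
        return ok


def lockout_window_demo(ttl=300):
    backend = Backend({"alice": "s3cret"})           # constructed sample account
    auth = CachingAuthenticator(backend, ttl)
    results = [auth.authenticate("alice", "s3cret", now=t) for t in (0, 60, 120)]
    backend.locked.add("alice")                      # account locked at t=120
    results.append(auth.authenticate("alice", "s3cret", now=200))  # inside the timeout
    results.append(auth.authenticate("alice", "s3cret", now=301))  # entry expired
    return results, backend.trips


if __name__ == "__main__":
    print(lockout_window_demo())
```

In this model the cache timeout is the upper bound on how long a locked account stays usable, so a shorter timeout narrows that window at the cost of more backend trips.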




More information about the Cyrus-sasl mailing list