saslauthd with mech "kerberos5" generates a lot of ldap-load

Dan White dwhite at olp.net
Tue Mar 27 11:03:44 EDT 2018


On 03/27/18 16:13 +0200, thom_schu at gmx.de wrote:
>Our Cyrus IMAP server is configured with "sasl_pwcheck_method: saslauthd" and saslauthd with mech "kerberos5".
>Everything else we needed was a krb5.conf and a krb5.keytab; so far, authentication over IMAP works.
>
>On the mail server an sssd is also configured, so that the server knows all users from an LDAP server (Samba 4).
>Users are not allowed to log in on this server (ssh, local), but I think for Postfix the server needs to know all users.
>
>If I turn sssd off, IMAP authentication still works. This means saslauthd doesn't need the local authentication service "sssd".
>So far that makes sense to me, since saslauthd is configured for kerberos5.
>
>But when I turn sssd on, IMAP authentication still works, but when a user logs in over IMAP, sssd resolves all LDAP groups
>for this user, and this generates a lot of LDAP load, so that the mail server becomes very slow.
>
>So it seems saslauthd asks the local user management for group information, is this right?
>Is there any connection between the local user management and saslauthd, although saslauthd is configured with kerberos5?

I presume you have /etc/nsswitch.conf configured to use sssd for user/group
resolution, and that you have 'auth_mech: unix' and 'unix_group_enable: 1'
set in imapd.conf.

If you do not make use of group-based ACLs, consider turning off
unix_group_enable. If you do make use of it, use pts/ldap. "Unix" group
resolution can be very inefficient, as you would typically iterate over an
entire group tree to resolve group membership on each authentication.
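
The two imapd.conf variants the reply above describes, as an added example that is not part of the thread. Note that sasl_pwcheck_method only governs the password check (here: saslauthd doing Kerberos); auth_mech governs how the authenticated name is canonicalized and how group membership is looked up, which is where the nsswitch/sssd calls come from. Hostnames, the base DN, the bind DN and the attribute names are placeholders, not values from the thread:

```conf
# Variant A: Kerberos via saslauthd, no group-based ACLs in use.
# With unix_group_enable off, Cyrus stops asking nsswitch (and thus sssd)
# for the user's group list on every login.
sasl_pwcheck_method: saslauthd
auth_mech: unix
unix_group_enable: 0

# Variant B: group-based ACLs are needed, so resolve membership through
# pts/ldap instead of the "unix" canonicalizer. All LDAP values below are
# assumptions for illustration; adjust to the real directory.
sasl_pwcheck_method: saslauthd
auth_mech: pts
pts_module: ldap
ldap_uri: ldaps://dc.example.com
ldap_tls_check_peer: 1
ldap_base: dc=example,dc=com
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=cyrus,cn=Users,dc=example,dc=com
ldap_password: change-me
ldap_group_enable: 1
ldap_member_method: attribute
ldap_member_attribute: memberOf
ldap_member_base: dc=example,dc=com
ldap_member_scope: sub
```

pts lookups are served by the ptloader daemon, so it must be started from cyrus.conf for Variant B to work. Because ldap_password is stored in clear text, keep imapd.conf readable only by the cyrus user; a GSSAPI bind (ldap_sasl with the existing keytab) avoids the stored password but needs a usable credential cache for the cyrus user. To confirm that the load really is NSS group resolution rather than saslauthd, run `id <user>` on the mail server with sssd enabled and watch the LDAP traffic: the same burst should appear without any IMAP login involved.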
