saslauthd with mech "kerberos5" generates a lot of ldap-load

Thomas Harding tom at thomas-harding.name
Wed Mar 28 11:01:22 EDT 2018


On 28 March 2018 09:31:50 GMT+02:00, thom_schu at gmx.de wrote:
>Hi, 
>
>> I presume you have /etc/nsswitch.conf configured to use sssd for user/group
>> resolution, and that you have 'auth_mech: unix' and 'unix_group_enable: 1'
>> set in imapd.conf.
>>
>> If you do not make use of group based ACLs, consider turning off
>> unix_group_enable. If you do make use of it, use pts/ldap. "Unix" group
>> resolution can be very inefficient, as you would typically iterate over an
>> entire group tree to resolve group membership on each authentication.
>
>"unix_group_enable: 0" solved my problem, thank you!
>
>What is the "auth_mech: unix" for? For group management I understand:
>I can have a mailbox for a group, then imap needs to know who is a member
>of this group.
>
>But with "unix_group_enable: 0", what is the auth_mech needed for?

That's the user/password database or other external authentication mechanisms (tickets, ...) such as Kerberos.

Normally, that's documented on man pages.

>When I shut down
>the local user management (sssd), everything seems to work.
>
>Thanks 


-- 
I was born to share, not hatred, but love.
Sophocles, /Antigone, 442 BC

