[PATCH][saslauthd] cyrus-sasl-2.1.10/saslauthd credential caching

Jeremy Rumpf jrumpf at heavyload.net
Tue Jan 14 18:17:25 EST 2003


All,

I've been working on combining some of the ideas for a credential caching 
layer into saslauthd. This is the first release for review/comments/testing.

Changes:

Three files have been added to the saslauthd package:
 
 cache.c
 cache.h
 README.cache
 saslcache.c

Four files have been modified
 
 Makefile.am
 Makefile.in
 saslauthd-doors.c
 saslauthd-unix.c

The saslauthd executable now accepts three new command line switches.

-c	Enables the credential cache
-s	Sets the size of the credential cache in kilobytes
-t	Sets the timeout of items in the credential cache in seconds

A show_usage() function has been added that dumps all possible options out 
when an invalid command line switch is found:

./saslauthd: invalid option -- -
usage: saslauthd [options]

option information:
  -a <authmech>  Selects the authentication mechanism to use.
  -c             Enable credential caching.
  -d             Enables debugging, run in the foreground.
  -O <option>    Optional argument to pass to the authentication
                 mechanism.
  -m <path>      Alternate path for the mux socket, must be absolute.
  -n <threads>   Number of worker threads to create
  -s <kilobytes> Size of the credential cache (in kilobytes)
  -t <seconds>   Timeout for items in the credential cache (in seconds)
  -T             Honor time-of-day login restrictions.
  -v             Display version information and available
                 authentication mechanisms and exit.


The caching layer caches the username, realm, service, and an md5 hash of the 
passwords for all authentication mechanisms (LDAP, rimap, PAM, etc). It's 
been tested on RedHat 7.2 Alpha and RedHat 7.3 Intel. I've also only been 
able to compile the modifications using the unix IPC option 
(saslauthd-unix.c). The same modifications have been made to the doors IPC 
option (saslauthd-doors.c), but have not been compiled or tested. More 
detailed information about the cache is in the README.cache file.

In addition to testsaslauthd, a second utility is included, saslcache. The 
saslcache utility can be used to attach to the shared memory segment and 
perform various tasks. The saslcache utility can be built by:

cd saslauthd
make saslcache 

Usage examples:

./saslcache -s          dumps out some information about the cache

----------------------------------------
Saslauthd Cache Detail:

  timeout (seconds)           :  28800
  total slots allocated       :  3643
  slots in use                :  3
  total buckets               :  21858
  buckets per slot            :  6
  buckets in use              :  3
  hash table size (bytes)     :  2098536
  bucket size (bytes)         :  96
  minimum slot allocation     :  0
  maximum slot allocation     :  1
  slots at maximum allocation :  3
  slots at minimum allocation :  3640
  overall hash table load     :  0.00

  hits*                       :  19
  misses*                     :  3
  total lookup attempts*      :  22
  hit ratio*                  :  86.36
----------------------------------------
* May not be completely accurate
----------------------------------------

./saslcache -d          dumps the contents of the cache in a csv format

"user","realm","service","created","created_localtime"
"m3","","imap","1042513583","Mon Jan 13 22:06:23 2003"
"m2","","imap","1042513256","Mon Jan 13 22:00:56 2003"
"m1","","imap","1042513355","Mon Jan 13 22:02:35 2003"


./saslcache -f          purges/deletes all entries in the cache

21858 entries purged

Todo:

Test the doors IPC stuff.
Test on alternate OSs (only linux so far)
Have someone help with the autoconf stuff. I'm not very familiar with autoconf 
and modeled the modifications after those for testsaslauthd. I'm not sure if 
they're entirely correct.

For testing one should probably run saslauthd with the -d switch. The cache 
will log information to syslog (LOG_INFO|LOG_AUTH). Optionally, one could use 
the saslcache utility. 

Log Example:

saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: not found, entry 
created
saslauthd[27772]: OK: user=m2 service=imap realm=
saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: found with valid 
passwd
saslauthd[27772]: OK: user=m2 service=imap realm=
saslauthd[20673]: cache_lookup: user=m2 realm= service=imap: found with 
invalid passwd, passwd synced
saslauthd[20673]: cache_purge : prior lookup purged
saslauthd[20673]: AUTHFAIL: user=m2 service=imap realm=


Anyhow, if anyone wants to give it a whirl. Here's a first patch attempt 
against cyrus-sasl-2.1.10:

ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/cyrus-sasl/cyrus-sasl-2.1.10-cache-1.patch

Or, a fully patched tar of cyrus-sasl-2.1.10 at:

ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/cyrus-sasl/cyrus-sasl-2.1.10-cache-1.tar.gz


Feedback welcome...

Cheers,
Jeremy
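The following is an added model of the cache semantics that the post describes and that its log excerpt shows (lookup keyed on user/realm/service, an MD5 of the password as the stored value, a -t style expiry, "entry created" / "valid passwd" / "passwd synced" outcomes, and a purge when the backend rejects). It is not the patch's code and not saslauthd's; the hash-table layout, shared memory and IPC are left out, the backend is a constructed dictionary, and the timestamps and message strings are chosen to resemble the post's log lines.

```python
import hashlib
import hmac
import time

# Matches the "timeout (seconds)" value in the saslcache -s output above.
DEFAULT_TIMEOUT = 28800


class CredCache:
    """In-process model of the saslauthd credential cache (added example)."""

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self._entries = {}   # (user, realm, service) -> (md5 hex, created)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def _digest(password):
        # The post says the patch stores an MD5 of the password; kept for
        # fidelity.  Unsalted MD5 is crackable offline by anyone who can
        # read the segment, so treat the segment's permissions as the secret.
        return hashlib.md5(password.encode("utf-8")).hexdigest()

    def lookup(self, user, realm, service, password, now=None):
        """Return (hit, message) in the spirit of the cache_lookup log lines."""
        now = time.time() if now is None else now
        key = (user, realm, service)
        digest = self._digest(password)
        entry = self._entries.get(key)
        if entry is not None and now - entry[1] >= self.timeout:
            del self._entries[key]          # expired: behave as not found
            entry = None
        if entry is None:
            self._entries[key] = (digest, now)
            self.misses += 1
            return False, "not found, entry created"
        if hmac.compare_digest(entry[0], digest):
            self.hits += 1
            return True, "found with valid passwd"
        # Different password: overwrite the stored hash ("synced") and let the
        # backend decide; authenticate() purges it again if the backend says no.
        self._entries[key] = (digest, now)
        self.misses += 1
        return False, "found with invalid passwd, passwd synced"

    def purge(self, user, realm, service):
        return self._entries.pop((user, realm, service), None) is not None

    def flush(self):
        """saslcache -f equivalent: drop everything, return the count."""
        n = len(self._entries)
        self._entries.clear()
        return n

    def __len__(self):
        return len(self._entries)


def authenticate(cache, backend, user, realm, service, password, now=None):
    """One request: cache first, real mechanism only on a miss.

    Returns (result, cache_message, log_lines)."""
    hit, msg = cache.lookup(user, realm, service, password, now)
    log = ["cache_lookup: user=%s realm=%s service=%s: %s" % (user, realm, service, msg)]
    if hit or backend(user, realm, service, password):
        log.append("OK: user=%s service=%s realm=%s" % (user, service, realm))
        return "OK", msg, log
    # Backend rejected: the entry just created or synced must not survive.
    if cache.purge(user, realm, service):
        log.append("cache_purge : prior lookup purged")
    log.append("AUTHFAIL: user=%s service=%s realm=%s" % (user, service, realm))
    return "AUTHFAIL", msg, log


# Constructed stand-in for the real mechanism (LDAP, PAM, rimap, ...).
USERS = {("m1", "", "imap"): "pass1", ("m2", "", "imap"): "pass2"}


def run_scenario(timeout=DEFAULT_TIMEOUT):
    """Replay the sequence from the post's log for user m2 (constructed data).

    Returns (outcomes, backend_calls, cache_size, hits, misses)."""
    cache = CredCache(timeout)
    calls = []

    def backend(user, realm, service, password):
        calls.append(user)
        return USERS.get((user, realm, service)) == password

    t0 = 1042513256                      # the "created" value shown for m2
    steps = [("pass2", t0), ("pass2", t0 + 5), ("wrong", t0 + 10),
             ("pass2", t0 + 15), ("pass2", t0 + 15 + timeout)]
    outcomes = []
    for password, t in steps:
        result, msg, log = authenticate(cache, backend, "m2", "", "imap", password, t)
        outcomes.append((result, msg))
        for line in log:
            print("saslauthd[27772]: " + line)
    return outcomes, len(calls), len(cache), cache.hits, cache.misses


if __name__ == "__main__":
    run_scenario()
```

Two things the replay makes visible that the log alone does not: a hit never reaches the backend, so a password change, account lock or -T time-of-day restriction enforced by the mechanism is not seen until the entry expires (at most -t seconds), and the entry for a wrong password is created or synced before the backend answers, so the purge on AUTHFAIL is what keeps a bad guess from being cached.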
