saslauthd performance anxiety

Igor Brezac igor at ipass.net
Fri Jan 10 00:33:17 EST 2003


On Thu, 9 Jan 2003, Jeremy Rumpf wrote:

>
> On Thursday 09 January 2003 03:55 pm, Paul M Fleming wrote:
> > Timing out the passwords is simple (I think). I would store the time
> > when the entry is added and force a reauth if the password has been
> > cached longer than a timeout (for example one hour). That forces a
> > reauth at least every timeout period of time. If an entry isn't in the
> > cache (or if it is different the entry would be removed and) a reauth
> > would be forced. Every successful auth would be added to the cache.
> >
>
> Some time ago I wrote a plugin for the Netscape/iPlanet Directory server that
> intercepted bind authentications and passed them off to a Kerberos backend.
> It allowed us to integrate LDAP services with our Kerberos environment.
> Anyhow, it implemented just this, with the timeouts and all. I also
> implemented a checkpoint feature where the hash table was periodically dumped
> to a file. That way if you restarted the LDAP server you wouldn't lose your
> cached entries. You can grab a copy of the plugin at:
>
> ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/krbdirp-1.2.0.tar.gz
>
> Look in the file krbdirp.c, specifically at the function
> validate_with_cache(). The text file CACHE also has some thoughts and ideas.
>
> The LDAP directory was used for an iPlanet mail setup to store user
> information. The idea of the credential cache has worked quite well.
> Implementing it for saslauthd would be a nice feature.
>
> I'd be more than willing to help/contribute to the effort.
>
> Cheers,
> Jeremy
>

I agree.  I know Simon would like this feature.  :)  OpenLDAP APIs have
a client-side cache, but I think it has some issues.

saslauthd needs to remain a 'light' process.  It is really a helper
program for 'big' servers such as cyrus, sendmail, postfix, etc.

You might want to check out http://www.ossp.org/pkg/lib/mm/ for a portable
IPC library.

-- 
Igor
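
The timeout cache described in the quoted messages, as an added Python sketch that is not part of this thread and is not saslauthd or krbdirp code. The class name `CredentialCache`, the `backend` callable, and the choice to store an HMAC-SHA256 digest under a per-process random key instead of the password are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time


class CredentialCache:
    """Timeout-based cache of successful authentications (hypothetical name)."""

    def __init__(self, backend, ttl=3600, clock=time.monotonic):
        self.backend = backend      # slow real check: callable(user, password) -> bool
        self.ttl = ttl              # seconds before a cached entry forces a re-auth
        self.clock = clock          # injectable so expiry can be tested
        self.key = os.urandom(32)   # assumption: per-process key, lost on restart
        self.entries = {}           # user -> (keyed digest, time added)
        self.backend_calls = 0

    def _digest(self, user, password):
        # Assumption: keep a keyed digest instead of the password itself.
        msg = user.encode() + b"\0" + password.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def authenticate(self, user, password):
        now = self.clock()
        digest = self._digest(user, password)
        entry = self.entries.get(user)
        if entry is not None:
            cached, added = entry
            fresh = now - added < self.ttl
            if fresh and hmac.compare_digest(cached, digest):
                return True         # hit: 'added' is not refreshed on purpose
            del self.entries[user]  # expired or different: drop and re-auth
        self.backend_calls += 1
        if self.backend(user, password):
            self.entries[user] = (digest, now)  # cache only successful auths
            return True
        return False


if __name__ == "__main__":
    # Constructed sample account and fake clock, for illustration only.
    t = [0.0]
    cache = CredentialCache(lambda u, p: (u, p) == ("alice", "s3cret"),
                            ttl=3600, clock=lambda: t[0])
    for when, pw in [(0, "s3cret"), (1800, "s3cret"), (1900, "wrong"), (4000, "s3cret")]:
        t[0] = when
        print(when, pw, cache.authenticate("alice", pw), cache.backend_calls)
```

A password change or account lock at the backend is not seen until the cached entry expires, so `ttl` bounds that window.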