saslauthd performance anxiety

Jeremy Rumpf jrumpf at heavyload.net
Thu Jan 9 20:19:55 EST 2003


On Thursday 09 January 2003 03:55 pm, Paul M Fleming wrote:
> Timing out the passwords is simple ( I think ) I would store the time
> when the entry is added and force a reauth if the password has been
> cached longer than a timeout (for example one hour ). That forces a
> reauth at least every timeout period of time. If an entry isn't in the
> cache (or if it is different the entry would be removed and ) a reauth
> would be forced. Every successful auth would be added to the cache.
>

Some time ago I wrote a plugin for the Netscape/iPlanet Directory server that 
intercepted bind authentications and passed them off to a Kerberos backend. 
It allowed us to integrate LDAP services with our Kerberos environment. 
Anyhow, it implemented just this, with the timeouts and all. I also 
implemented a checkpoint feature where the hash table was periodically dumped 
to a file. That way if you restarted the LDAP server you wouldn't lose your 
cached entries. You can grab a copy of the plugin at:

ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/krbdirp-1.2.0.tar.gz

Look in the file krbdirp.c, specifically at the function 
validate_with_cache(). The text file CACHE also has some thoughts and ideas. 

The LDAP directory was used for an iPlanet mail setup to store user 
information. The idea of the credential cache has worked quite well. 
Implementing it for saslauthd would be a nice feature.

I'd be more than willing to help/contribute to the effort.

Cheers,
Jeremy
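
The caching scheme discussed in this thread (timestamp on insert, reauth after the timeout, eviction on mismatch, only successful auths cached), as an added sketch that is not part of the original message and is not code from krbdirp or saslauthd. All names are hypothetical, and storing a salted hash instead of the password is an assumption of this example, not something the thread specifies.

```python
import hashlib
import hmac
import os
import time

class CredentialCache:
    """TTL cache of successful authentications (all names here are hypothetical)."""
    def __init__(self, backend_auth, ttl=3600.0, clock=time.monotonic):
        self._backend_auth = backend_auth  # slow verifier, e.g. a Kerberos check
        self._ttl = ttl                    # seconds before a reauth is forced
        self._clock = clock                # injectable so expiry can be tested
        self._entries = {}                 # user -> (salt, digest, time_added)

    @staticmethod
    def _digest(password, salt):
        # Assumption of this example: store a salted, stretched hash, not the
        # password, so a cache dumped to disk does not hold cleartext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def authenticate(self, user, password):
        """Return (ok, source), where source is 'cache' or 'backend'."""
        now = self._clock()
        entry = self._entries.get(user)
        if entry is not None:
            salt, digest, added = entry
            fresh = (now - added) < self._ttl
            same = hmac.compare_digest(digest, self._digest(password, salt))
            if fresh and same:
                return True, "cache"
            del self._entries[user]        # expired or different: force a reauth
        ok = bool(self._backend_auth(user, password))
        if ok:                             # only successful auths are cached
            salt = os.urandom(16)
            self._entries[user] = (salt, self._digest(password, salt), now)
        return ok, "backend"

def demo():
    """Constructed scenario: fake backend, fake clock, one-hour timeout."""
    calls, now = [], [0.0]
    def backend(user, password):
        calls.append(user)
        return (user, password) == ("alice", "s3cret")  # constructed credentials
    cache = CredentialCache(backend, ttl=3600.0, clock=lambda: now[0])
    seq = [("s3cret", 0.0), ("s3cret", 10.0), ("wrong", 20.0),
           ("s3cret", 30.0), ("s3cret", 3631.0)]
    results = []
    for password, t in seq:
        now[0] = t
        results.append(cache.authenticate("alice", password))
    return results, len(calls)
```

A wrong password is never answered from the cache: it evicts the entry and goes to the backend, so any lockout or rate limiting the backend enforces still sees every failed attempt.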




