saslauthd performance anxiety

Paul M Fleming pfleming at siumed.edu
Thu Jan 9 14:45:41 EST 2003


Related to this thread... I am considering writing a generic cache layer
into saslauthd to lessen the load on the backend auth mechanism. My idea
is to implement a hash table in shared memory and use that to cache the
userid, password, etc. with a timeout. This should lighten the load.
Comments? Ideas? Suggestions??

Igor Brezac wrote:
> 
> On Thu, 9 Jan 2003, Rob Siemborski wrote:
> 
> > Done.
> >
> > Someone should sanity-check the documentation I put in LDAP_SASLAUTHD.
> >
> 
> Looks good.
> 
> I do not see when '2. There is no cost to staying bound as a named user'
> would be false.  Maybe for backends other than ldbm|bdb.  It will cause
> extra disconnect|reconnect to the ldap server for LDAPv2 connections.
> Saslauthd will always try to connect LDAPv3 first.  But this is the case
> for the bind method as well.
> 
> -Igor
> 
> > -Rob
> >
> > On Thu, 9 Jan 2003, Igor Brezac wrote:
> >
> > >
> > > On Fri, 10 Jan 2003 simon.brady at otago.ac.nz wrote:
> > >
> > > > On Wed, 1 Jan 2003, Igor Brezac wrote:
> > > >
> > > > > On Wed, 1 Jan 2003 simon.brady at otago.ac.nz wrote:
> > > > >  [...]
> > > > > > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > > > > > options, either on the command line or in saslauthd.conf, which I should
> > > > > > be looking at?
> > > > >
> > > > > Try using 'ldap_auth_method: custom'.  It is up to three times faster
> > > > > than the 'bind' method.
> > > >
> > > > Thanks for the suggestion. Unfortunately 'custom' wasn't an option for
> > > > us, although we certainly could have benefited from it. The reason we
> > > > can't use it is that to support password migration our shell back-end does
> > > > mad things like:
> > > >
> > > >    try binding to new server;
> > > >    if (failure) {
> > > >       try binding to old server;
> > > >       if (success)
> > > >          update user password in new server for next time;
> > > >    }
> > > >
> > > > Don't look at me, I just inherited it :-)
> > > >
> > > > This logic (to use the term loosely) makes it impossible to return a
> > > > sensible response to a search on userPassword. Instead, I committed a
> > > > gross hack and implemented a new method called auth_fastbind. It does away
> > > > with the search and extra anonymous bind in auth_bind by making two
> > > > assumptions:
> > > >
> > > >    1. Expanding the ldap_filter expression gives the fully-qualified DN
> > > >    2. There is no cost to staying bound as a named user
> > > >
> > > > These held for our shell back-end, but I don't know how applicable they
> > > > are to wider use. Still, if anyone's interested I've attached the patch
> > > > (against 2.1.10).
> > > >
> > >
> > > I like this patch.  This can work well for quite a few people.  Rob, can
> > > you apply this patch?
> > >
> > > --
> > > Igor
> > >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> > Research Systems Programmer * /usr/contributed Gatekeeper
> >
> >
> 
> --
> Igor
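As an added example (not code from saslauthd, and not from anyone in this thread), here is one shape the cache layer proposed at the top of this message could take, in C since that is what saslauthd is written in. Everything in it is an assumption for illustration: the names, the fixed table size, linear probing, the 300-second TTL, and FNV-1a standing in for a real cryptographic digest. It keeps the table in process memory so it runs on its own; the shared-memory version would map the same array as one segment and take a lock around the probe-and-store.

```c
/* Added example, not saslauthd's own code: a fixed-size cache of successful
 * authentications keyed by service/realm/user, along the lines proposed above.
 * Names are hypothetical; process memory here, a shared segment plus lock in a
 * multi-process daemon. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 1024   /* fixed size, so the whole table could be one segment */
#define KEY_MAX     192    /* "service\0realm\0user" */
#define PROBE_MAX   8      /* linear-probe limit before evicting */
#define DEFAULT_TTL 300    /* seconds a positive result stays valid */
#define FNV_BASIS   0xcbf29ce484222325ULL

typedef struct { const char *svc, *realm, *user, *pw; } cred;
typedef struct {
    int in_use; size_t key_len; char key[KEY_MAX];
    uint64_t pw_digest;    /* salted digest of the password, never the plaintext */
    time_t expires;
} cache_entry;
static cache_entry slots[CACHE_SLOTS];
static uint64_t salt;      /* random per daemon start, so digests cannot be precomputed */

/* FNV-1a 64-bit; a real build would digest the password with SHA-256 or a keyed MAC. */
static uint64_t fnv1a(const void *data, size_t len, uint64_t h)
{
    for (const unsigned char *p = data; len--; p++) { h ^= *p; h *= 0x100000001b3ULL; }
    return h;
}
void cache_init(uint64_t s) { memset(slots, 0, sizeof slots); salt = s; }

/* Pack "svc\0realm\0user" (so "ab"+"c" and "a"+"bc" differ) and derive the
 * password digest bound to salt and principal. Returns key length, 0 if no fit. */
static size_t prep(const cred *c, char *key, uint64_t *digest)
{
    int n = snprintf(key, KEY_MAX, "%s%c%s%c%s", c->svc, 0, c->realm, 0, c->user);
    if (n < 0 || n >= KEY_MAX) return 0;
    *digest = fnv1a(c->pw, strlen(c->pw), fnv1a(key, (size_t)n, salt ^ FNV_BASIS));
    return (size_t)n;
}

/* Linear probing. Entries only expire, never get deleted, so a key always sits
 * in the run of in_use slots that starts at its home slot. */
static cache_entry *find_slot(const char *key, size_t n, int for_store, time_t now)
{
    uint64_t h = fnv1a(key, n, FNV_BASIS);
    cache_entry *victim = NULL, *e;
    for (int i = 0; i < PROBE_MAX; i++) {
        e = &slots[(h + i) % CACHE_SLOTS];
        if (e->in_use && e->key_len == n && memcmp(e->key, key, n) == 0) return e;
        if (!victim && (!e->in_use || e->expires <= now)) victim = e;  /* first free/expired */
        if (!e->in_use) break;                                         /* end of run: absent */
    }
    return !for_store ? NULL : victim ? victim : &slots[h % CACHE_SLOTS]; /* run full: evict */
}

/* Cache first; on a miss ask the backend and remember only a success, so a
 * wrong guess always costs a backend round trip and is never cached. */
int auth_with_cache(const cred *c, int (*backend)(const cred *), time_t now)
{
    char key[KEY_MAX]; uint64_t d;
    size_t n = prep(c, key, &d);
    cache_entry *e = n ? find_slot(key, n, 0, now) : NULL;
    if (e && e->expires > now && e->pw_digest == d) return 1;   /* fresh positive entry */
    if (!backend(c)) return 0;
    if (!n) return 1;                                           /* oversized key: not cached */
    e = find_slot(key, n, 1, now);
    e->in_use = 1; e->key_len = n; memcpy(e->key, key, n);
    e->pw_digest = d; e->expires = now + DEFAULT_TTL;
    return 1;
}

/* Constructed stand-in backend: accepts one credential and counts calls. */
static int backend_calls;
static int demo_backend(const cred *c)
{
    backend_calls++;
    return strcmp(c->user, "alice") == 0 && strcmp(c->pw, "correct horse") == 0;
}

/* Hit, wrong password, TTL expiry, second user: returns backend calls (4) or -1. */
int demo(void)
{
    const time_t t0 = 1000000;
    cache_init(0x5eed5a17ULL);
    backend_calls = 0;
#define TRY(u, p, at, want, calls) if (auth_with_cache(&(cred){ "imap", "", u, p }, \
        demo_backend, t0 + (at)) != (want) || backend_calls != (calls)) return -1
    TRY("alice", "correct horse",   0, 1, 1);   /* miss: verified by backend, then cached */
    TRY("alice", "correct horse",  10, 1, 1);   /* hit: no backend call */
    TRY("alice", "wrong",          20, 0, 2);   /* digest mismatch: backend rejects, nothing stored */
    TRY("alice", "correct horse", 300, 1, 3);   /* TTL elapsed: re-verified and re-cached */
    TRY("bob",   "correct horse", 301, 0, 4);   /* other principal has its own key */
#undef TRY
    return backend_calls;
}

int main(void) { printf("backend calls: %d\n", demo()); return 0; }
```

The design choices are the ones that keep such a cache from weakening the backend it protects: only successful results are stored, so every wrong guess still reaches the backend and whatever lockout or logging it does keeps working; the password is held as a salted digest bound to the principal rather than in the clear, since a shared-memory table of plaintext passwords is otherwise a credential store for anything that can read the segment; and the TTL bounds how long a changed or revoked password keeps being accepted, which is the trade-off the cache makes against backend load.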