saslauthd performance anxiety

Igor Brezac igor at ipass.net
Thu Jan 9 13:56:20 EST 2003 

On Thu, 9 Jan 2003, Rob Siemborski wrote:

> Done.
>
> Someone should sanity-check the documentation I put in LDAP_SASLAUTHD.
>

Looks good.

I do not see when '2. There is no cost to staying bound as a named user'
would be false.  Maybe for backends other then ldbm|bdb.  It will cause
extra disconnect|reconnect to the ldap server for LDAPv2 connections.
Saslauthd will always try to connect LDAPv3 first.  But this is the case
for the bind method as well.

-Igor

> -Rob
>
> On Thu, 9 Jan 2003, Igor Brezac wrote:
>
> >
> > On Fri, 10 Jan 2003 simon.brady at otago.ac.nz wrote:
> >
> > > On Wed, 1 Jan 2003, Igor Brezac wrote:
> > >
> > > > On Wed, 1 Jan 2003 simon.brady at otago.ac.nz wrote:
> > > >  [...]
> > > > > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > > > > options, either on the command line or in saslauthd.conf, which I should
> > > > > be looking at?
> > > >
> > > > Try using 'ldap_auth_method: custom'.  It is up to three times faster
> > > > than the 'bind' method.
> > >
> > > Thanks for the suggestion. Unfortunately 'custom' wasn't an option for
> > > us, although we certainly could have benefited from it. The reason we
> > > can't use it is that to support password migration our shell back-end does
> > > mad things like:
> > >
> > >    try binding to new server;
> > >    if (failure) {
> > >       try binding to old server;
> > >       if (success)
> > >          update user password in new server for next time;
> > >    }
> > >
> > > Don't look at me, I just inherited it :-)
> > >
> > > This logic (to use the term loosely) makes it impossible to return a
> > > sensible response to a search on userPassword. Instead, I committed a
> > > gross hack and implemented a new method called auth_fastbind. It does away
> > > with the search and extra anonymous bind in auth_bind by making two
> > > assumptions:
> > >
> > >    1. Expanding the ldap_filter expression gives the fully-qualified DN
> > >    2. There is no cost to staying bound as a named user
> > >
> > > These held for our shell back-end, but I don't know how applicable they
> > > are to wider use. Still, if anyone's interested I've attached the patch
> > > (against 2.1.10).
> > >
> >
> > I like this patch.  This can work well for quite a few people.  Rob, can
> > you apply this patch?
> >
> > --
> > Igor
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
> Research Systems Programmer * /usr/contributed Gatekeeper
>
>

-- 
Igor

More information about the Info-cyrus mailing list