saslauthd performance anxiety
Rob Siemborski
rjs3 at andrew.cmu.edu
Thu Jan 9 13:45:44 EST 2003
Done.
Someone should sanity-check the documentation I put in LDAP_SASLAUTHD.
-Rob
On Thu, 9 Jan 2003, Igor Brezac wrote:
>
> On Fri, 10 Jan 2003 simon.brady at otago.ac.nz wrote:
>
> > On Wed, 1 Jan 2003, Igor Brezac wrote:
> >
> > > On Wed, 1 Jan 2003 simon.brady at otago.ac.nz wrote:
> > > [...]
> > > > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > > > options, either on the command line or in saslauthd.conf, which I should
> > > > be looking at?
> > >
> > > Try using 'ldap_auth_method: custom'. It is up to three times faster
> > > than the 'bind' method.
> >
> > Thanks for the suggestion. Unfortunately 'custom' wasn't an option for
> > us, although we certainly could have benefited from it. The reason we
> > can't use it is that to support password migration our shell back-end does
> > mad things like:
> >
> >   try binding to new server;
> >   if (failure) {
> >       try binding to old server;
> >       if (success)
> >           update user password in new server for next time;
> >   }
> >
> > Don't look at me, I just inherited it :-)
> >
> > This logic (to use the term loosely) makes it impossible to return a
> > sensible response to a search on userPassword. Instead, I committed a
> > gross hack and implemented a new method called auth_fastbind. It does away
> > with the search and extra anonymous bind in auth_bind by making two
> > assumptions:
> >
> > 1. Expanding the ldap_filter expression gives the fully-qualified DN
> > 2. There is no cost to staying bound as a named user
> >
> > These held for our shell back-end, but I don't know how applicable they
> > are to wider use. Still, if anyone's interested I've attached the patch
> > (against 2.1.10).
> >
>
> I like this patch. This can work well for quite a few people. Rob, can
> you apply this patch?
>
> --
> Igor
>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
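
The first fastbind assumption quoted above means the client-supplied username is placed directly into the DN used for the bind. The following is an added example, not code from the attached patch or from Cyrus SASL: the function names, the sample template shape "uid=%u,..." and the choice to handle only %u and %% are assumptions. It builds that DN with RFC 4514 escaping and refuses empty passwords, which RFC 4513 section 5.1.2 treats as an unauthenticated bind.

```c
#include <stddef.h>
#include <string.h>

/* RFC 4514 section 2.4: bytes that must be escaped in a DN attribute value. */
static int needs_escape(const char *user, size_t i, size_t len)
{
    char c = user[i];
    if (strchr("\"+,;<>\\", c) != NULL)
        return 1;
    if (i == 0 && (c == ' ' || c == '#'))
        return 1;                       /* leading space or '#' */
    return i == len - 1 && c == ' ';    /* trailing space */
}

/* Expand a filter template into the bind DN (hypothetical helper, %u and %%
 * only). Returns 0 on success, -1 if the request must be refused. */
int fastbind_dn(const char *tmpl, const char *user, const char *password,
                char *out, size_t cap)
{
    size_t n = 0, ulen = user ? strlen(user) : 0;

    /* A simple bind with an empty password is an unauthenticated bind, and
     * a server may answer it with success, so never send one. */
    if (!tmpl || cap == 0 || ulen == 0 || !password || password[0] == '\0')
        return -1;

    for (const char *p = tmpl; *p != '\0'; p++) {
        if (*p == '%' && p[1] == 'u') {
            for (size_t i = 0; i < ulen; i++) {
                if (n + 2 >= cap)       /* room for '\\', byte and NUL */
                    return -1;
                if (needs_escape(user, i, ulen))
                    out[n++] = '\\';
                out[n++] = user[i];
            }
            p++;
        } else {
            if (*p == '%' && p[1] == '%')
                p++;                    /* "%%" is a literal percent sign */
            else if (*p == '%')
                return -1;              /* token not handled in this sketch */
            if (n + 1 >= cap)
                return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}
```
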