saslauthd performance anxiety
Igor Brezac
igor at ipass.net
Thu Jan 9 13:12:47 EST 2003
On Fri, 10 Jan 2003 simon.brady at otago.ac.nz wrote:
> On Wed, 1 Jan 2003, Igor Brezac wrote:
>
> > On Wed, 1 Jan 2003 simon.brady at otago.ac.nz wrote:
> > [...]
> > > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > > options, either on the command line or in saslauthd.conf, which I should
> > > be looking at?
> >
> > Try using 'ldap_auth_method: custom'. It is up to three times faster
> > than the 'bind' method.
>
> Thanks for the suggestion. Unfortunately 'custom' wasn't an option for
> us, although we certainly could have benefited from it. The reason we
> can't use it is that to support password migration our shell back-end does
> mad things like:
>
> try binding to new server;
> if (failure) {
> try binding to old server;
> if (success)
> update user password in new server for next time;
> }
>
> Don't look at me, I just inherited it :-)
>
> This logic (to use the term loosely) makes it impossible to return a
> sensible response to a search on userPassword. Instead, I committed a
> gross hack and implemented a new method called auth_fastbind. It does away
> with the search and extra anonymous bind in auth_bind by making two
> assumptions:
>
> 1. Expanding the ldap_filter expression yields the user's fully-qualified DN directly, so no search is needed to locate the entry
> 2. There is no cost to staying bound as a named user
>
> These held for our shell back-end, but I don't know how applicable they
> are to wider use. Still, if anyone's interested I've attached the patch
> (against 2.1.10).
>
I like this patch. This can work well for quite a few people. Rob, can
you apply this patch?
--
Igor
-------------- next part --------------
diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.c cyrus-sasl-2.1.10/saslauthd/lak.c
--- cyrus-sasl-2.1.10.orig/saslauthd/lak.c Fri Dec 6 02:54:58 2002
+++ cyrus-sasl-2.1.10/saslauthd/lak.c Fri Jan 10 00:19:45 2003
@@ -70,6 +70,7 @@
static int lak_search(LAK *, const char *, const char **, LDAPMessage **);
static int lak_auth_custom(LAK *, const char *, const char *, const char *);
static int lak_auth_bind(LAK *, const char *, const char *, const char *);
+static int lak_auth_fastbind(LAK *, const char *, const char *, const char *);
static int lak_result_add(LAK *lak, const char *, const char *, LAK_RESULT **);
static int lak_check_password(const char *, const char *, void *);
static int lak_check_crypt(const char *, const char *, void *);
@@ -179,6 +180,8 @@
} else if (!strcasecmp(key, "ldap_auth_method")) {
if (!strcasecmp(p, "custom")) {
conf->auth_method = LAK_AUTH_METHOD_CUSTOM;
+ } else if (!strcasecmp(p, "fastbind")) {
+ conf->auth_method = LAK_AUTH_METHOD_FASTBIND;
}
} else if (!strcasecmp(key, "ldap_timeout")) {
conf->timeout.tv_sec = lak_config_int(p);
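Review bot: A misspelled value for ldap_auth_method (the new `fastbind` keyword included) matches neither strcasecmp branch and is dropped without any message, so the daemon quietly keeps whatever method is the default rather than the one the administrator intended. A closing `else { syslog(LOG_WARNING|LOG_AUTH, "unknown ldap_auth_method: %s", p); }` would surface the mistake at startup instead of at the first failed login. Which method is the default is decided outside this hunk.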
@@ -917,6 +920,24 @@
}
+static int lak_auth_fastbind(LAK *lak, const char *user, const char *realm, const char *password)
+{
+ int rc;
+ char *dn = NULL;
+
+ rc = lak_filter(lak, user, realm, &dn);
+ if (rc != LAK_OK || dn == NULL) {
+ syslog(LOG_WARNING|LOG_AUTH, "lak_filter failed.");
+ return LAK_FAIL;
+ }
+
+ rc = lak_bind(lak, LAK_BIND_AS_USER, dn, password);
+
+ free(dn);
+ return rc;
+}
+
+
int lak_authenticate(LAK *lak, const char *user, const char *realm, const char *password)
{
int rc;
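Review bot: lak_auth_fastbind binds as the expanded DN with whatever password arrives, and nothing in the hunk rejects an empty one; on directory servers that permit unauthenticated simple binds (RFC 4513), a non-empty DN with an empty password succeeds, which would let any valid user name authenticate with no password at all. Unless lak_bind or saslauthd's caller already refuses empty passwords (not visible here), add `if (password == NULL || *password == '\0') return LAK_FAIL;` before the lak_bind call. The user and realm are also spliced straight into a DN by lak_filter; if that helper escapes only search-filter metacharacters, DN-special characters such as `,` `+` `=` `\` in a user name reach the bind DN unescaped, which is worth confirming. The enclosing lak_authenticate body continues past the end of the hunk.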
@@ -932,8 +953,10 @@
if (lak->conf->auth_method == LAK_AUTH_METHOD_BIND) {
rc = lak_auth_bind(lak, user, realm, password);
- } else {
+ } else if (lak->conf->auth_method == LAK_AUTH_METHOD_CUSTOM) {
rc = lak_auth_custom(lak, user, realm, password);
+ } else {
+ rc = lak_auth_fastbind(lak, user, realm, password);
}
return rc;
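Review bot: The trailing else on the method dispatch routes every auth_method value other than BIND and CUSTOM to lak_auth_fastbind, so an unexpected or future constant silently selects the cheapest path instead of failing. Test the new constant explicitly with `} else if (lak->conf->auth_method == LAK_AUTH_METHOD_FASTBIND) {` and have the final `else` set `rc = LAK_FAIL;`. lak_authenticate begins in the previous hunk and the part of its body between the two hunks is not shown here.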
diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.h cyrus-sasl-2.1.10/saslauthd/lak.h
--- cyrus-sasl-2.1.10.orig/saslauthd/lak.h Fri Oct 18 10:30:58 2002
+++ cyrus-sasl-2.1.10/saslauthd/lak.h Fri Jan 10 00:19:45 2003
@@ -53,6 +53,7 @@
#define LAK_AUTH_METHOD_BIND 0
#define LAK_AUTH_METHOD_CUSTOM 1
+#define LAK_AUTH_METHOD_FASTBIND 2
typedef struct lak_conf {
char *path;