On Wed, 1 Jan 2003, Igor Brezac wrote:

> On Wed, 1 Jan 2003 [EMAIL PROTECTED] wrote:
> [...]
> > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > options, either on the command line or in saslauthd.conf, which I should
> > be looking at?
>
> Try using 'ldap_auth_method: custom'. It is up to three times faster
> than the 'bind' method.
Thanks for the suggestion. Unfortunately 'custom' wasn't an option for us, although we certainly could have benefited from it. The reason we can't use it is that to support password migration our shell back-end does mad things like:

    try binding to new server;
    if (failure) {
        try binding to old server;
        if (success) update user password in new server for next time;
    }

Don't look at me, I just inherited it :-)

This logic (to use the term loosely) makes it impossible to return a sensible response to a search on userPassword. Instead, I committed a gross hack and implemented a new method called auth_fastbind. It does away with the search and extra anonymous bind in auth_bind by making two assumptions:

1. Expanding the ldap_filter expression gives the fully-qualified DN
2. There is no cost to staying bound as a named user

These held for our shell back-end, but I don't know how applicable they are to wider use. Still, if anyone's interested I've attached the patch (against 2.1.10).

Simon Brady                                 mailto:[EMAIL PROTECTED]
Systems Specialist                          Ph.    +64 3 479-5217
ITS Technical Services                      Fax    +64 3 479-5080
University of Otago, Dunedin, New Zealand   Mobile +64 27 411-6045
diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.c cyrus-sasl-2.1.10/saslauthd/lak.c --- cyrus-sasl-2.1.10.orig/saslauthd/lak.c Fri Dec 6 02:54:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.c Fri Jan 10 00:19:45 2003 @@ -70,6 +70,7 @@ static int lak_search(LAK *, const char *, const char **, LDAPMessage **); static int lak_auth_custom(LAK *, const char *, const char *, const char *); static int lak_auth_bind(LAK *, const char *, const char *, const char *); +static int lak_auth_fastbind(LAK *, const char *, const char *, const char *); static int lak_result_add(LAK *lak, const char *, const char *, LAK_RESULT **); static int lak_check_password(const char *, const char *, void *); static int lak_check_crypt(const char *, const char *, void *); @@ -179,6 +180,8 @@ } else if (!strcasecmp(key, "ldap_auth_method")) { if (!strcasecmp(p, "custom")) { conf->auth_method = LAK_AUTH_METHOD_CUSTOM; + } else if (!strcasecmp(p, "fastbind")) { + conf->auth_method = LAK_AUTH_METHOD_FASTBIND; } } else if (!strcasecmp(key, "ldap_timeout")) { conf->timeout.tv_sec = lak_config_int(p); @@ -917,6 +920,24 @@ } +static int lak_auth_fastbind(LAK *lak, const char *user, const char *realm, const +char *password) +{ + int rc; + char *dn = NULL; + + rc = lak_filter(lak, user, realm, &dn); + if (rc != LAK_OK || dn == NULL) { + syslog(LOG_WARNING|LOG_AUTH, "lak_filter failed."); + return LAK_FAIL; + } + + rc = lak_bind(lak, LAK_BIND_AS_USER, dn, password); + + free(dn); + return rc; +} + + int lak_authenticate(LAK *lak, const char *user, const char *realm, const char *password) { int rc; 
@@ -932,8 +953,10 @@ if (lak->conf->auth_method == LAK_AUTH_METHOD_BIND) { rc = lak_auth_bind(lak, user, realm, password); - } else { + } else if (lak->conf->auth_method == LAK_AUTH_METHOD_CUSTOM) { rc = lak_auth_custom(lak, user, realm, password); + } else { + rc = lak_auth_fastbind(lak, user, realm, password); } return rc; diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.h cyrus-sasl-2.1.10/saslauthd/lak.h --- cyrus-sasl-2.1.10.orig/saslauthd/lak.h Fri Oct 18 10:30:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.h Fri Jan 10 00:19:45 2003 @@ -53,6 +53,7 @@ #define LAK_AUTH_METHOD_BIND 0 #define LAK_AUTH_METHOD_CUSTOM 1 +#define LAK_AUTH_METHOD_FASTBIND 2 typedef struct lak_conf { char *path;
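Review bot: the config parser change in lak.c (hunk @@ -179,6 +180,8 @@) accepts a new `fastbind` value for ldap_auth_method, but nothing in the patch documents it; the saslauthd LDAP documentation that describes `bind` and `custom` should gain an entry stating that `fastbind` binds directly as the DN obtained by expanding ldap_filter, and therefore requires ldap_filter to expand to a complete DN. The if/else-if chain also still has no final branch, so a misspelled value is neither reported nor rejected here.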
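Review bot: in the new lak_auth_fastbind in lak.c (hunk @@ -917,6 +920,24 @@), the password is handed straight to lak_bind with no check that it is non-empty; unless lak_authenticate or lak_bind already rejects empty passwords (not visible in this patch), an empty password turns the simple bind into an unauthenticated bind that many directory servers accept, so add `if (!password || !*password) return LAK_FAIL;` before the bind. The expanded filter is also used verbatim as the bind DN, although search-filter escaping and DN escaping (RFC 2253) follow different rules, so a user name containing DN-special characters can yield a DN that names a different entry or none; consider rejecting such names or DN-escaping the expansion before binding.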
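Review bot: in the dispatch in lak_authenticate (hunk @@ -932,8 +953,10 @@), the trailing `else` now routes any auth_method value that is neither BIND nor CUSTOM to lak_auth_fastbind, including any value a future constant or a parsing change might introduce; make the new branch explicit with `} else if (lak->conf->auth_method == LAK_AUTH_METHOD_FASTBIND) {` and have the final `else` syslog the unknown method and return LAK_FAIL.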