All,

I've been working on combining some of the ideas for a credential caching layer into saslauthd. This is the first release for review/comments/testing.

Changes:

Three files have been added to the saslauthd package:

    cache.c
    cache.h
    README.cache
    saslcache.c

Four files have been modified:

    Makefile.am
    Makefile.in
    saslauthd-doors.c
    saslauthd-unix.c

The saslauthd executable now accepts three new command line switches.

    -c    Enables the credential cache
    -s    Sets the size of the credential cache in kilobytes
    -t    Sets the timeout of items in the credential cache in seconds

A show_usage() function has been added that dumps all possible options out when an invalid command line switch is found:

    ./saslauthd: invalid option -- -
    usage: saslauthd [options]

    option information:
      -a <authmech>    Selects the authentication mechanism to use.
      -c               Enable credential caching.
      -d               Enables debugging, run in the foreground.
      -O <option>      Optional argument to pass to the authentication mechanism.
      -m <path>        Alternate path for the mux socket, must be absolute.
      -n <threads>     Number of worker threads to create
      -s <kilobytes>   Size of the credential cache (in kilobytes)
      -t <seconds>     Timeout for items in the credential cache (in seconds)
      -T               Honor time-of-day login restrictions.
      -v               Display version information and available authentication mechanisms and exit.

The caching layer caches the username, realm, service, and an md5 hash of the passwords for all authentication mechanisms (LDAP, rimap, PAM, etc).

It's been tested on RedHat 7.2 Alpha and RedHat 7.3 Intel. I've also only been able to compile the modifications using the unix IPC option (saslauthd-unix.c). The same modifications have been made to the doors IPC option (saslauthd-doors.c), but have not been compiled or tested.

More detailed information about the cache is in the README.cache file.

In addition to testsaslauthd, a second utility is included, saslcache. The saslcache utility can be used to attach to the shared memory segment and perform various tasks.

The saslcache utility can be built by:

    cd saslauthd
    make saslcache

Usage examples:

./saslcache -s

dumps out some information about the cache

    ----------------------------------------
    Saslauthd Cache Detail:

      timeout (seconds)           : 28800
      total slots allocated       : 3643
      slots in use                : 3
      total buckets               : 21858
      buckets per slot            : 6
      buckets in use              : 3
      hash table size (bytes)     : 2098536
      bucket size (bytes)         : 96
      minimum slot allocation     : 0
      maximum slot allocation     : 1
      slots at maximum allocation : 3
      slots at minimum allocation : 3640
      overall hash table load     : 0.00

      hits*                       : 19
      misses*                     : 3
      total lookup attempts*      : 22
      hit ratio*                  : 86.36
    ----------------------------------------
    * May not be completely accurate
    ----------------------------------------

./saslcache -d

dumps the contents of the cache in a csv format

    "user","realm","service","created","created_localtime"
    "m3","","imap","1042513583","Mon Jan 13 22:06:23 2003"
    "m2","","imap","1042513256","Mon Jan 13 22:00:56 2003"
    "m1","","imap","1042513355","Mon Jan 13 22:02:35 2003"

./saslcache -f

purges/deletes all entries in the cache

    21858 entries purged

Todo:

    Test the doors IPC stuff.
    Test on alternate OSs (only linux so far)
    Have someone help with the autoconf stuff. I'm not very familiar with autoconf and modeled the modifications after those for testsaslauthd. I'm not sure if they're entirely correct.

For testing one should probably run saslauthd with the -d switch. The cache will log information to syslog (LOG_INFO|LOG_AUTH). Optionally, one could use the saslcache utility.

Log Example:

    saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: not found, entry created
    saslauthd[27772]: OK: user=m2 service=imap realm=
    saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: found with valid passwd
    saslauthd[27772]: OK: user=m2 service=imap realm=
    saslauthd[20673]: cache_lookup: user=m2 realm= service=imap: found with invalid passwd, passwd synced
    saslauthd[20673]: cache_purge : prior lookup purged
    saslauthd[20673]: AUTHFAIL: user=m2 service=imap realm=

Anyhow, if anyone wants to give it a whirl. Here's a first patch attempt against cyrus-sasl-2.1.10:

    ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/cyrus-sasl/cyrus-sasl-2.1.10-cache-1.patch

Or, a fully patched tar of cyrus-sasl-2.1.10 at:

    ftp://ftp.net.ohio-state.edu/pub/users/jrumpf/cyrus-sasl/cyrus-sasl-2.1.10-cache-1.tar.gz

Feedback welcome...

Cheers,
Jeremy
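
Added example, not part of the original message or the patch: a Python script that reads the cache_lookup / OK / AUTHFAIL syslog lines shown in the log example and counts, per user/realm/service, cache misses, hits, and cached-password mismatches that ended in AUTHFAIL. The sample lines are constructed from the log example above; the function names, and pairing a lookup with the next verdict by the bracketed pid, are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the seven lines from the log example in the message.
SAMPLE_LOG = """\
saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: not found, entry created
saslauthd[27772]: OK: user=m2 service=imap realm=
saslauthd[27772]: cache_lookup: user=m2 realm= service=imap: found with valid passwd
saslauthd[27772]: OK: user=m2 service=imap realm=
saslauthd[20673]: cache_lookup: user=m2 realm= service=imap: found with invalid passwd, passwd synced
saslauthd[20673]: cache_purge : prior lookup purged
saslauthd[20673]: AUTHFAIL: user=m2 service=imap realm=
"""

LOOKUP = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]: cache_lookup: user=(?P<user>\S*) "
    r"realm=(?P<realm>\S*) service=(?P<service>[^\s:]*): (?P<result>.+)$")
VERDICT = re.compile(r"saslauthd\[(?P<pid>\d+)\]: (?P<verdict>OK|AUTHFAIL): ")
OUTCOMES = {
    "not found, entry created": "miss",
    "found with valid passwd": "hit",
    "found with invalid passwd, passwd synced": "mismatch",
}

def summarize(lines):
    """Count cache outcomes per (user, realm, service)."""
    pending = {}                  # pid -> (key, outcome) awaiting OK/AUTHFAIL
    stats = defaultdict(Counter)
    for line in lines:
        m = LOOKUP.search(line)   # search() tolerates a syslog timestamp/host prefix
        if m:
            key = (m["user"], m["realm"], m["service"])
            outcome = OUTCOMES.get(m["result"].strip(), "other")
            stats[key][outcome] += 1
            pending[m["pid"]] = (key, outcome)   # assumption: pid pairs the lines
            continue
        m = VERDICT.search(line)
        if m and m["pid"] in pending:
            key, outcome = pending.pop(m["pid"])
            if outcome == "mismatch" and m["verdict"] == "AUTHFAIL":
                stats[key]["mismatch_authfail"] += 1
    return stats

def flagged(stats, threshold):
    """Keys with >= threshold cached-password mismatches that ended in AUTHFAIL."""
    return sorted(k for k, c in stats.items() if c["mismatch_authfail"] >= threshold)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print({k: dict(c) for k, c in stats.items()}, flagged(stats, 1))
```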