On Fri, 10 Jan 2003 [EMAIL PROTECTED] wrote:

> On Wed, 1 Jan 2003, Igor Brezac wrote:
>
> > On Wed, 1 Jan 2003 [EMAIL PROTECTED] wrote:
> > [...]
> > > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > > options, either on the command line or in saslauthd.conf, which I should
> > > be looking at?
> >
> > Try using 'ldap_auth_method: custom'. It is up to three times faster
> > than the 'bind' method.
>
> Thanks for the suggestion. Unfortunately 'custom' wasn't an option for
> us, although we certainly could have benefited from it. The reason we
> can't use it is that to support password migration our shell back-end does
> mad things like:
>
>     try binding to new server;
>     if (failure) {
>         try binding to old server;
>         if (success)
>             update user password in new server for next time;
>     }
>
> Don't look at me, I just inherited it :-)
>
> This logic (to use the term loosely) makes it impossible to return a
> sensible response to a search on userPassword. Instead, I committed a
> gross hack and implemented a new method called auth_fastbind. It does away
> with the search and extra anonymous bind in auth_bind by making two
> assumptions:
>
> 1. Expanding the ldap_filter expression gives the fully-qualified DN
> 2. There is no cost to staying bound as a named user
>
> These held for our shell back-end, but I don't know how applicable they
> are to wider use. Still, if anyone's interested I've attached the patch
> (against 2.1.10).
>
I like this patch. This can work well for quite a few people. Rob, can you apply this patch? -- Igor
diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.c cyrus-sasl-2.1.10/saslauthd/lak.c --- cyrus-sasl-2.1.10.orig/saslauthd/lak.c Fri Dec 6 02:54:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.c Fri Jan 10 00:19:45 2003 @@ -70,6 +70,7 @@ static int lak_search(LAK *, const char *, const char **, LDAPMessage **); static int lak_auth_custom(LAK *, const char *, const char *, const char *); static int lak_auth_bind(LAK *, const char *, const char *, const char *); +static int lak_auth_fastbind(LAK *, const char *, const char *, const char *); static int lak_result_add(LAK *lak, const char *, const char *, LAK_RESULT **); static int lak_check_password(const char *, const char *, void *); static int lak_check_crypt(const char *, const char *, void *); @@ -179,6 +180,8 @@ } else if (!strcasecmp(key, "ldap_auth_method")) { if (!strcasecmp(p, "custom")) { conf->auth_method = LAK_AUTH_METHOD_CUSTOM; + } else if (!strcasecmp(p, "fastbind")) { + conf->auth_method = LAK_AUTH_METHOD_FASTBIND; } } else if (!strcasecmp(key, "ldap_timeout")) { conf->timeout.tv_sec = lak_config_int(p); @@ -917,6 +920,24 @@ } +static int lak_auth_fastbind(LAK *lak, const char *user, const char *realm, const +char *password) +{ + int rc; + char *dn = NULL; + + rc = lak_filter(lak, user, realm, &dn); + if (rc != LAK_OK || dn == NULL) { + syslog(LOG_WARNING|LOG_AUTH, "lak_filter failed."); + return LAK_FAIL; + } + + rc = lak_bind(lak, LAK_BIND_AS_USER, dn, password); + + free(dn); + return rc; +} + + int lak_authenticate(LAK *lak, const char *user, const char *realm, const char *password) { int rc; 
@@ -932,8 +953,10 @@ if (lak->conf->auth_method == LAK_AUTH_METHOD_BIND) { rc = lak_auth_bind(lak, user, realm, password); - } else { + } else if (lak->conf->auth_method == LAK_AUTH_METHOD_CUSTOM) { rc = lak_auth_custom(lak, user, realm, password); + } else { + rc = lak_auth_fastbind(lak, user, realm, password); } return rc; diff -ru cyrus-sasl-2.1.10.orig/saslauthd/lak.h cyrus-sasl-2.1.10/saslauthd/lak.h --- cyrus-sasl-2.1.10.orig/saslauthd/lak.h Fri Oct 18 10:30:58 2002 +++ cyrus-sasl-2.1.10/saslauthd/lak.h Fri Jan 10 00:19:45 2003 @@ -53,6 +53,7 @@ #define LAK_AUTH_METHOD_BIND 0 #define LAK_AUTH_METHOD_CUSTOM 1 +#define LAK_AUTH_METHOD_FASTBIND 2 typedef struct lak_conf { char *path;
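Review bot: in the `@@ -179,6 +180,8 @@` hunk of lak.c, the new `fastbind` branch keeps the existing pattern of silently ignoring any `ldap_auth_method` value it does not recognise, so a misspelt value such as `fast_bind` leaves `conf->auth_method` at its default with nothing in the log. Consider a final `else` that reports the unrecognised value via `syslog()` and treats it as a configuration error, and document the new `fastbind` value next to `bind` and `custom`, including the two assumptions it relies on (that expanding `ldap_filter` yields the user's full DN, and that staying bound as that named user is acceptable).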
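Review bot: in the `@@ -917,6 +920,24 @@` hunk of lak.c, `lak_auth_fastbind()` hands `password` to `lak_bind()` without rejecting an empty one; an LDAP simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513, section 5.1.2), which some directory servers accept and treat as anonymous, so a client supplying an empty password could be reported as authenticated. Add `if (password == NULL || *password == '\0') return LAK_FAIL;` before the `lak_filter()` call. Separately, `lak_filter()` is used here to produce a DN although its expansion was written for search filters; if it escapes only filter metacharacters and not DN-special characters (`,`, `+`, `=`, `"`, `;`), a username containing those needs to be rejected or DN-escaped before the bind, otherwise the bind DN will not be the entry the administrator intended.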
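Review bot: in the `@@ -932,8 +953,10 @@` hunk of lak.c, the trailing `else` now routes every `auth_method` value other than `LAK_AUTH_METHOD_BIND` and `LAK_AUTH_METHOD_CUSTOM` to `lak_auth_fastbind()`, so any future or corrupted value silently selects the method that performs the fewest checks. Make the third case explicit, `} else if (lak->conf->auth_method == LAK_AUTH_METHOD_FASTBIND) {`, and have a final `else` log the unexpected value and return `LAK_FAIL` so an unknown method fails closed.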