Re: apache BASIC authentication w/large userbase

2002-04-05 Thread Stephane Bortzmeyer

On Thu, Apr 04, 2002 at 01:07:37PM -0500,
 Jeff S Wheeler [EMAIL PROTECTED] wrote 
 a message of 47 lines which said:

> LDAP resources or experience in-house, but honestly would like to move
> to it

Not to discourage you but do not take that move lightly: LDAP is a
huge and difficult beast.

> well.  There seems to be a real lack of a good, thorough HOWTO
> though.

Unfortunately, yes.

> Have I not looked in the right place?

No, no, it is really a problem.

> Is LDAP really the best tool here?  Keep in mind hundreds of authen
> requests per second,

I never benchmarked so many requests but other people seem to be happy
about OpenLDAP speed. You'll probably have to set up an LDAP replica on
the Web server itself.





-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: apache BASIC authentication w/large userbase

2002-04-05 Thread Marcel Hicking

You might be interested in an article from IBM
on non-stop authentication with Linux clusters
where they use an LDAP server with replication
on a second failover server and auto takeover
in case of failure.

http://www-1.ibm.com/servers/esdd/articles/linux_clust/index.html

Cheers, Marcel

--On Friday, 5 April 2002 10:22 +0200 Stephane Bortzmeyer
[EMAIL PROTECTED] wrote:

> On Thu, Apr 04, 2002 at 01:07:37PM -0500,
>  Jeff S Wheeler [EMAIL PROTECTED] wrote
>  a message of 47 lines which said:
>
> > LDAP resources or experience in-house, but honestly would like to move
> > to it
>
> Not to discourage you but do not take that move lightly: LDAP is a
> huge and difficult beast.
>
> > well.  There seems to be a real lack of a good, thorough HOWTO
> > though.
>
> Unfortunately, yes.
>
> > Have I not looked in the right place?
>
> No, no, it is really a problem.
>
> > Is LDAP really the best tool here?  Keep in mind hundreds of authen
> > requests per second,
>
> I never benchmarked so many requests but other people seem to be happy
> about OpenLDAP speed. You'll probably have to set up an LDAP replica on
> the Web server itself.










-- 
Marcel Hicking
VIA NET.WORKS Deutschland GmbH
Bismarckstrasse 120, D-47057 Duisburg
Management: Ray D. Samuelson, Matt Nydell
Duisburg District Court, HRB 7672

Phone: +49 203-3093 100, Fax:+49 203-3093 112
e-mail: [EMAIL PROTECTED]
http://www.vianetworks.de/

All offers are non-binding.
Our General Terms and Conditions apply.






Re: apache BASIC authentication w/large userbase

2002-04-04 Thread Jeff S Wheeler

On Thu, 2002-04-04 at 03:06, Stephane Bortzmeyer wrote:
> On Wed, Apr 03, 2002 at 06:35:22PM -0500,
>  Jeff S Wheeler [EMAIL PROTECTED] wrote
>  a message of 39 lines which said:
>
> > would not go for that because apparently a disproportionate number of
> > their end-users disable cookies in their web browser.  Stupid media
> > privacy paranoia.
>
> You are wrong.
  

Well, we deal with a lot of adult webmasters, including a few large
ones.  I don't do a lot of CGI-ish stuff, or session tracking for those
sites, however our in-house guy who does do that work claims nearly 30%
of the visitors to one high-profile site we work on have a browser with
cookies disabled.  I haven't generated the data myself, so I don't know
if I believe the 30% figure, but I believe disproportionate is pretty
safe given the users.

It's probably a stretch for you to state that I am wrong given who their
userbase is, however if you have information on similar sites to back up
your statement I certainly will be interested.  I'll see if we can track
that precisely on some of our customer sites.

> So you reinvented LDAP :-)

LDAP didn't occur to me at all, I'm glad you suggested it.  We have no
LDAP resources or experience in-house, but honestly would like to move
to it for a more sane a/a system for our unix, ftp, and mail accounts as
well.  There seems to be a real lack of a good, thorough HOWTO though. 
Have I not looked in the right place?

Is LDAP really the best tool here?  Keep in mind hundreds of authen
requests per second, although I don't doubt that large shops with a lot
of users probably have that kind of volume in regular unixy stuff.

-- 
Jeff S Wheeler          [EMAIL PROTECTED]
Software Development    Five Elements, Inc
http://www.five-elements.com/~jsw/







Re: apache BASIC authentication w/large userbase

2002-04-03 Thread Craig Sanders

On Wed, Apr 03, 2002 at 06:35:22PM -0500, Jeff S Wheeler wrote:
> I have a customer who requires BASIC authentication for their site.
> They have a fair amount of traffic as well as a very quickly growing
> userbase.  They were on mod_auth_mysql before, but with hundreds of
> apache children that is not very practical.
>
> [...]
>
> The userbase is presently around 100K and growing 5K/day or so.  They
> were having things go so slowly that users could not login.

my rule of thumb is:

any site that requires <1000 username:password pairs uses AuthUserFile
and plain text .htpasswd files.  any larger site uses AuthDBUserFile,
with username:password pairs in a hashed db (which is generated from the
plain text file).  a hashed db is ideally suited to this task, it's a
simple key/value (i.e. username/password) fast, indexed lookup.

using AuthDBUserFile is a lot faster, and a lot less overhead (memory,
file handles, etc) than the mysql or pgsql authentication modules.

apache comes with a program called dbmmanage which can be used to manage
hashed db files.  see the man page for more details.  it's pretty slow,
though, because it's a general purpose tool.  if all you need to do is
convert a plain text .htpasswd file into a corresponding .db file then a
5-10 line perl script could do the job many times faster.

e.g. something like:

#! /usr/bin/perl

use DB_File;
$filename = "passwd.db";

# create the .db in a temporary file and rename it when it's done.
# rename is an atomic operation.
tie %passwd, 'DB_File', "$filename.tmp", O_RDWR|O_CREAT, 0644, $DB_HASH ;

# read username:password lines from the files named on the command
# line, or from stdin if none are given.
while (<>) {
    chomp ;
    ($key,$value) = split /:/;
    $passwd{$key} = $value;
};

# untie the handle, close the file and flush all records to disk.
untie %passwd;

# move the .db file into place.
rename "$filename.tmp", $filename;



on a busy P3-450 webserver, this script takes about 14 seconds to
convert a .htpasswd file with 35,000 entries into a hashed db file.
apache's dbmmanage takes over 90 seconds to do the same job.


craig

-- 
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
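
Added example, not part of Craig Sanders's message: a pre-flight check to run on the plain text .htpasswd before converting it. Apache's flat-file lookup stops at the first matching line, while a tied hash keeps the last assignment, so duplicate usernames can silently change which password is valid after conversion. The sample input, the function names and the set of accepted hash formats (traditional crypt, $apr1$ MD5, {SHA}) are assumptions of this example, written in Python rather than the thread's Perl.

```python
import re

# Constructed sample input, not taken from the thread.
SAMPLE = """\
alice:rOZ5zqOzp1mFc
bob:$apr1$Xy12abcd$0123456789abcdefghijk.
alice:9AbCdEfGhIjKl
carol:
dave
# comment
eve:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
mallory:hunter2
"""

# Hash formats this example accepts (an assumption; extend for your site).
SCHEMES = [
    ("crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
]

def classify(value):
    """Return the name of the hash scheme, or None if the value matches none."""
    for name, pattern in SCHEMES:
        if pattern.match(value):
            return name
    return None

def lint_htpasswd(text):
    """Return (entries, problems); entries keeps the first line per user."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are skipped
        user, sep, rest = line.partition(":")
        value = rest.split(":", 1)[0]     # ignore any extra fields after the hash
        if not sep or not user:
            problems.append((lineno, "malformed"))
        elif not value:
            problems.append((lineno, "empty-hash"))        # no hash stored
        elif classify(value) is None:
            problems.append((lineno, "unrecognised-hash"))  # e.g. a plaintext password
        elif user in entries:
            problems.append((lineno, "duplicate"))          # flat file would use the first
        else:
            entries[user] = value
    return entries, problems
```

Build the .db only from `entries` when `problems` is empty, or after the flagged lines have been reviewed.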






Re: apache BASIC authentication w/large userbase

2002-04-03 Thread Stephane Bortzmeyer

On Wed, Apr 03, 2002 at 06:35:22PM -0500,
 Jeff S Wheeler [EMAIL PROTECTED] wrote 
 a message of 39 lines which said:

> would not go for that because apparently a disproportionate number of
> their end-users disable cookies in their web browser.  Stupid media
> privacy paranoia.

You are wrong.

> short term we replaced mod_auth_mysql with an apache module I whipped up
> to send requests out via UDP to a specified host/port, and wait for a
> reply (with a 3 second timeout).  Then I hacked out a quick Perl program
> to handle those requests, hit mysql for actual user/password info, and

So you reinvented LDAP :-)

apt-get install libapache-auth-ldap 

A typical .htaccess:

AuthType Basic
AuthName LDAP@Netaktiv
AuthLDAPURL ldap://ldap.netaktiv.com/ou=People,dc=netaktiv,dc=com?uid?sub?(objectClass=*)
require valid-user


