Re: apache BASIC authentication w/large userbase
On Thu, Apr 04, 2002 at 01:07:37PM -0500, Jeff S Wheeler [EMAIL PROTECTED] wrote a message of 47 lines which said:

> LDAP resources or experience in-house, but honestly would like to move to it

Not to discourage you but do not take that move lightly: LDAP is a huge and difficult beast.

> well. There seems to be a real lack of a good, thorough HOWTO though.

Unfortunately, yes.

> Have I not looked in the right place?

No, no, it is really a problem.

> Is LDAP really the best tool here? Keep in mind hundreds of authen requests per second,

I never benchmarked so many requests but other people seem to be happy about OpenLDAP speed. You'll probably have to set up an LDAP replica on the Web server itself.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: apache BASIC authentication w/large userbase
You might be interested in an article from IBM on non-stop authentication with Linux clusters, where they use an LDAP server with replication on a second failover server and auto takeover in case of failure.

http://www-1.ibm.com/servers/esdd/articles/linux_clust/index.html

Cheers, Marcel

--On Friday, 5 April 2002 10:22 +0200 Stephane Bortzmeyer [EMAIL PROTECTED] wrote:

> On Thu, Apr 04, 2002 at 01:07:37PM -0500, Jeff S Wheeler [EMAIL PROTECTED] wrote a message of 47 lines which said:
>
> > LDAP resources or experience in-house, but honestly would like to move to it
>
> Not to discourage you but do not take that move lightly: LDAP is a huge and difficult beast.
>
> > well. There seems to be a real lack of a good, thorough HOWTO though.
>
> Unfortunately, yes.
>
> > Have I not looked in the right place?
>
> No, no, it is really a problem.
>
> > Is LDAP really the best tool here? Keep in mind hundreds of authen requests per second,
>
> I never benchmarked so many requests but other people seem to be happy about OpenLDAP speed. You'll probably have to set up an LDAP replica on the Web server itself.

--
Marcel Hicking
VIA NET.WORKS Deutschland GmbH
Bismarckstrasse 120, D-47057 Duisburg
Management: Ray D. Samuelson, Matt Nydell
Duisburg District Court, HRB 7672
Phone: +49 203-3093 100, Fax: +49 203-3093 112
e-mail: [EMAIL PROTECTED]
http://www.vianetworks.de/
All offers are non-binding. Our General Terms and Conditions apply.
Re: apache BASIC authentication w/large userbase
On Thu, 2002-04-04 at 03:06, Stephane Bortzmeyer wrote:

> On Wed, Apr 03, 2002 at 06:35:22PM -0500, Jeff S Wheeler [EMAIL PROTECTED] wrote a message of 39 lines which said:
>
> > would not go for that because apparently a disproportionate number of their end-users disable cookies in their web browser. Stupid media privacy paranoia.
>
> You are wrong.

Well, we deal with a lot of adult webmasters, including a few large ones. I don't do a lot of CGI-ish stuff, or session tracking for those sites, however our in-house guy who does do that work claims nearly 30% of the visitors to one high-profile site we work on have a browser with cookies disabled.

I haven't generated the data myself, so I don't know if I believe the 30% figure, but I believe disproportionate is pretty safe given the users. It's probably a stretch for you to state that I am wrong given who their userbase is, however if you have information on similar sites to back up your statement I certainly will be interested. I'll see if we can track that precisely on some of our customer sites.

> So you reinvented LDAP :-)

LDAP didn't occur to me at all, I'm glad you suggested it. We have no LDAP resources or experience in-house, but honestly would like to move to it for a more sane a/a system for our unix, ftp, and mail accounts as well. There seems to be a real lack of a good, thorough HOWTO though. Have I not looked in the right place?

Is LDAP really the best tool here? Keep in mind hundreds of authen requests per second, although I don't doubt that large shops with a lot of users probably have that kind of volume in regular unixy stuff.

--
Jeff S Wheeler [EMAIL PROTECTED]
Software Development
Five Elements, Inc
http://www.five-elements.com/~jsw/
Re: apache BASIC authentication w/large userbase
On Wed, Apr 03, 2002 at 06:35:22PM -0500, Jeff S Wheeler wrote:

> I have a customer who requires BASIC authentication for their site. They have a fair amount of traffic as well as a very quickly growing userbase. They were on mod_auth_mysql before, but with hundreds of apache children that is not very practical.
> [...]
> The userbase is presently around 100K and growing 5K/day or so. They were having things go so slowly that users could not login.

my rule of thumb is: any site that requires 1000 username:password pairs uses AuthUserFile and plain text .htpasswd files. any larger site uses AuthDBUserFile, with username:password pairs in a hashed db (which is generated from the plain text file).

a hashed db is ideally suited to this task, it's a simple key/value (i.e. username/password) fast, indexed lookup.

using AuthDBUserFile is a lot faster, and a lot less overhead (memory, file handles, etc) than the mysql or pgsql authentication modules.

apache comes with a program called dbmmanage which can be used to manage hashed db files. see the man page for more details. it's pretty slow, though, because it's a general purpose tool. if all you need to do is convert a plain text .htpasswd file into a corresponding .db file then a 5-10 line perl script could do the job many times faster.

e.g. something like:

    #! /usr/bin/perl

    use DB_File;
    use Fcntl;   # O_RDWR, O_CREAT

    $filename = "passwd.db";

    # create the .db in a temporary file and rename it when it's done.
    # rename is an atomic operation.
    tie %passwd, 'DB_File', "$filename.tmp", O_RDWR|O_CREAT, 0644, $DB_HASH
        or die "cannot open $filename.tmp: $!";

    # read the plain text file (named on the command line, or stdin).
    while (<>) {
        chomp;
        # limit of 2 so a ':' inside the password field is kept.
        ($key, $value) = split /:/, $_, 2;
        $passwd{$key} = $value;
    };

    # untie the handle, close the file and flush all records to disk.
    untie %passwd;

    # move the .db file into place.
    rename "$filename.tmp", $filename;

on a busy P3-450 webserver, this script takes about 14 seconds to convert a .htpasswd file with 35,000 entries into a hashed db file. apache's dbmmanage takes over 90 seconds to do the same job.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
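
Added example, not part of craig's post or of the thread: a Perl script for the same text-to-db conversion that rejects malformed or duplicate lines before the db is published, then checks a login against the resulting file by comparing crypt() output with the stored value. The sub names, the sample users and the 0640 mode are assumptions made here, and it assumes the platform's crypt() still supports traditional DES-style hashes.

```perl
use strict; use warnings;
use DB_File;
use Fcntl;
use File::Temp qw(tempdir);

# Parse "user:hash" lines; returns (\%entries, \@rejected_line_numbers).
sub parse_htpasswd {
    my ($lines) = @_;
    my (%entries, @rejected);
    for my $n (1 .. @$lines) {
        chomp(my $l = $lines->[$n - 1]);
        my ($user, $hash) = split /:/, $l, 2;    # limit 2 keeps ':' inside a hash
        if (defined $hash && length($user) && length($hash) && !exists $entries{$user}) {
            $entries{$user} = $hash;
        } else {
            push @rejected, $n;                   # malformed line or duplicate user
        }
    }
    return (\%entries, \@rejected);
}
# Build "$path.tmp" from scratch, then rename it over $path (atomic).
# Mode 0640 assumes the web server reads the file through its group.
sub build_db {
    my ($entries, $path) = @_;
    unlink "$path.tmp";                           # never merge into a stale temp file
    tie my %db, 'DB_File', "$path.tmp", O_RDWR|O_CREAT, 0640, $DB_HASH
        or die "cannot create $path.tmp: $!";
    %db = %$entries;
    untie %db;
    rename "$path.tmp", $path or die "rename failed: $!";
}
# Look the user up and compare crypt() of the attempt with the stored hash.
sub check_login {
    my ($path, $user, $password) = @_;
    tie my %db, 'DB_File', $path, O_RDONLY, 0, $DB_HASH or return 0;
    my $stored = $db{$user};
    untie %db;
    return 0 unless defined $stored;
    return ((crypt($password, $stored) // '') eq $stored) ? 1 : 0;
}

# Constructed sample: two valid users, a line with no colon, a duplicate user.
my @sample = ("alice:" . crypt("wonderland", "ab"), "bob:" . crypt("builder", "cd"),
              "brokenline", "alice:x");
my ($entries, $rejected) = parse_htpasswd(\@sample);
print "rejected lines: @$rejected\n";
my $db = tempdir(CLEANUP => 1) . "/passwd.db";
build_db($entries, $db);
printf "%s => %s\n", $_->[0], check_login($db, @$_) ? "ok" : "denied"
    for ["alice", "wonderland"], ["alice", "x"], ["mallory", "guess"];
```

Rejecting bad lines before the rename means a truncated or hand-edited .htpasswd never replaces a working db; the old file keeps serving logins until a clean build succeeds.
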
Re: apache BASIC authentication w/large userbase
On Wed, Apr 03, 2002 at 06:35:22PM -0500, Jeff S Wheeler [EMAIL PROTECTED] wrote a message of 39 lines which said:

> would not go for that because apparently a disproportionate number of their end-users disable cookies in their web browser. Stupid media privacy paranoia.

You are wrong.

> short term we replaced mod_auth_mysql with an apache module I whipped up to send requests out via UDP to a specified host/port, and wait for a reply (with a 3 second timeout). Then I hacked out a quick Perl program to handle those requests, hit mysql for actual user/password info, and

So you reinvented LDAP :-)

    apt-get install libapache-auth-ldap

A typical .htaccess:

    AuthType Basic
    AuthName LDAP@Netaktiv
    AuthLDAPURL ldap://ldap.netaktiv.com/ou=People,dc=netaktiv,dc=com?uid?sub?(objectClass=*)
    require valid-user