Re: apache BASIC authentication w/large userbase
You might be interested in an article from IBM on "non-stop
authentication with Linux clusters" where they use an LDAP
server with replication on a second failover server and
auto takeover in case of failure.

http://www-1.ibm.com/servers/esdd/articles/linux_clust/index.html

Cheers, Marcel

--On Friday, 5 April 2002 10:22 +0200 Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:

> On Thu, Apr 04, 2002 at 01:07:37PM -0500,
>  Jeff S Wheeler <[EMAIL PROTECTED]> wrote
>  a message of 47 lines which said:
>
>> LDAP resources or experience in-house, but honestly would like to move
>> to it
>
> Not to discourage you but do not take that move lightly: LDAP is a
> huge and difficult beast.
>
>> well. There seems to be a real lack of a good, thorough HOWTO
>> though.
>
> Unfortunately, yes.
>
>> Have I not looked in the right place?
>
> No, no, it is really a problem.
>
>> Is LDAP really the best tool here? Keep in mind hundreds of authen
>> requests per second,
>
> I never benchmarked so many requests but other people seem to be happy
> about OpenLDAP speed. You'll probably have to set up an LDAP replica on
> the Web server itself.

--
Marcel Hicking
VIA NET.WORKS Deutschland GmbH
Bismarckstrasse 120, D-47057 Duisburg
Management: Ray D. Samuelson, Matt Nydell
Amtsgericht Duisburg, HRB 7672
Phone: +49 203-3093 100, Fax: +49 203-3093 112
e-mail: [EMAIL PROTECTED]
http://www.vianetworks.de/
All offers are non-binding. Our general terms and conditions apply.
Re: apache BASIC authentication w/large userbase
On Thu, Apr 04, 2002 at 01:07:37PM -0500,
 Jeff S Wheeler <[EMAIL PROTECTED]> wrote
 a message of 47 lines which said:

> LDAP resources or experience in-house, but honestly would like to move
> to it

Not to discourage you but do not take that move lightly: LDAP is a
huge and difficult beast.

> well. There seems to be a real lack of a good, thorough HOWTO
> though.

Unfortunately, yes.

> Have I not looked in the right place?

No, no, it is really a problem.

> Is LDAP really the best tool here? Keep in mind hundreds of authen
> requests per second,

I never benchmarked so many requests but other people seem to be happy
about OpenLDAP speed. You'll probably have to set up an LDAP replica on
the Web server itself.
Re: apache BASIC authentication w/large userbase
On Thu, 2002-04-04 at 03:06, Stephane Bortzmeyer wrote:
> On Wed, Apr 03, 2002 at 06:35:22PM -0500,
>  Jeff S Wheeler <[EMAIL PROTECTED]> wrote
>  a message of 39 lines which said:
>
> > would not go for that because apparently a disproportionate number of
> > their end-users disable cookies in their web browser. Stupid media
> > privacy paranoia.
>
> You are wrong.

Well, we deal with a lot of adult webmasters, including a few large
ones. I don't do a lot of CGI-ish stuff, or session tracking for those
sites, however our in-house guy who does do that work claims nearly 30%
of the visitors to one high-profile site we work on have a browser with
cookies disabled. I haven't generated the data myself, so I don't know
if I believe the 30% figure, but I believe "disproportionate" is pretty
safe given the users.

It's probably a stretch for you to state that I am wrong given who their
userbase is, however if you have information on similar sites to back up
your statement I certainly will be interested. I'll see if we can track
that precisely on some of our customer sites.

> So you reinvented LDAP :-)

LDAP didn't occur to me at all, I'm glad you suggested it. We have no
LDAP resources or experience in-house, but honestly would like to move
to it for a more sane a/a system for our unix, ftp, and mail accounts as
well. There seems to be a real lack of a good, thorough HOWTO though.
Have I not looked in the right place?

Is LDAP really the best tool here? Keep in mind hundreds of authen
requests per second, although I don't doubt that large shops with a lot
of users probably have that kind of volume in regular unixy stuff.

--
Jeff S Wheeler [EMAIL PROTECTED]
Software Development
Five Elements, Inc
http://www.five-elements.com/~jsw/
Re: apache BASIC authentication w/large userbase
On Wed, Apr 03, 2002 at 06:35:22PM -0500,
 Jeff S Wheeler <[EMAIL PROTECTED]> wrote
 a message of 39 lines which said:

> would not go for that because apparently a disproportionate number of
> their end-users disable cookies in their web browser. Stupid media
> privacy paranoia.

You are wrong.

> short term we replaced mod_auth_mysql with an apache module I whipped up
> to send requests out via UDP to a specified host/port, and wait for a
> reply (with a 3 second timeout). Then I hacked out a quick Perl program
> to handle those requests, hit mysql for actual user/password info, and

So you reinvented LDAP :-)

    apt-get install libapache-auth-ldap

A typical ".htaccess":

    AuthType Basic
    AuthName LDAP@Netaktiv
    AuthLDAPURL ldap://ldap.netaktiv.com/ou=People,dc=netaktiv,dc=com?uid?sub?(objectClass=*)
    require valid-user
Re: apache BASIC authentication w/large userbase
On Wed, Apr 03, 2002 at 06:35:22PM -0500, Jeff S Wheeler wrote:
> I have a customer who requires BASIC authentication for their site.
> They have a fair amount of traffic as well as a very quickly growing
> userbase. They were on mod_auth_mysql before, but with hundreds of
> apache children that is not very practical.
>
> [...]
>
> The userbase is presently around 100K and growing 5K/day or so. They
> were having things go so slowly that users could not log in.

my rule of thumb is:

any site that requires <1000 username:password pairs uses AuthUserFile
and plain text .htpasswd files.

any larger site uses AuthDBUserFile, with username:password pairs in a
hashed db (which is generated from the plain text file).

a hashed db is ideally suited to this task, it's a simple key/value
(i.e. username/password) fast, indexed lookup.

using AuthDBUserFile is a lot faster, and a lot less overhead (memory,
file handles, etc) than the mysql or pgsql authentication modules.

apache comes with a program called dbmmanage which can be used to manage
hashed db files. see the man page for more details.

it's pretty slow, though, because it's a general purpose tool. if all
you need to do is convert a plain text .htpasswd file into a
corresponding .db file then a 5-10 line perl script could do the job
many times faster.

e.g. something like:

    #! /usr/bin/perl

    use DB_File;

    $filename = "passwd.db";

    # create the .db in a temporary file and rename it when it's done.
    # rename is an atomic operation.
    tie %passwd, 'DB_File', "$filename.tmp", O_RDWR|O_CREAT, 0644, $DB_HASH
        or die "cannot create $filename.tmp: $!";

    while (<>) {
        chomp;
        # split on the first colon only, so a value containing ':' is kept whole.
        ($key, $value) = split /:/, $_, 2;
        # skip blank or malformed lines instead of storing empty keys.
        next unless defined $value && length $key;
        $passwd{$key} = $value;
    };

    # untie the handle, close the file and flush all records to disk.
    untie %passwd;

    # move the .db file into place.
    rename "$filename.tmp", $filename
        or die "cannot rename $filename.tmp to $filename: $!";

on a busy P3-450 webserver, this script takes about 14 seconds to
convert a .htpasswd file with 35,000 entries into a hashed db file.
apache's dbmmanage takes over 90 seconds to do the same job.
craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
apache BASIC authentication w/large userbase
I have a customer who requires BASIC authentication for their site.
They have a fair amount of traffic as well as a very quickly growing
userbase. They were on mod_auth_mysql before, but with hundreds of
apache children that is not very practical.

I suggested a change to a signed-session-cookie type system, but they
would not go for that because apparently a disproportionate number of
their end-users disable cookies in their web browser. Stupid media
privacy paranoia.

The userbase is presently around 100K and growing 5K/day or so. They
were having things go so slowly that users could not log in. In the
short term we replaced mod_auth_mysql with an apache module I whipped up
to send requests out via UDP to a specified host/port, and wait for a
reply (with a 3 second timeout). Then I hacked out a quick Perl program
to handle those requests, hit mysql for actual user/password info, and
to cache the user information in ram for the duration of the daemon's
lifetime.

Obviously this won't work forever without a serious change to my caching
strategy, but before I put more work into this mechanism, what do other
folks on the list do for high-traffic, large-userbase BASIC authen? I
know it's a poor limitation but *shrug* the customer knows their needs.

I figured DBM would be sluggish, and the customer already tried text
files, but moved to mod_auth_mysql when that ran out of steam.

Your Input Is Appreciated.

--
Jeff S Wheeler [EMAIL PROTECTED]
Software Development
Five Elements, Inc
http://www.five-elements.com/~jsw/
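The message above describes a daemon that caches user records in RAM for its whole lifetime; the following is an added example, not part of the original post and not the poster's daemon, of a size-bounded cache with expiry placed in front of the slow lookup. It is written in Python rather than the Perl of the original, and `AuthCache`, `hash_password`, the salted PBKDF2 storage format and the sample user table are assumptions made for illustration.

```python
import hashlib, hmac, time
from collections import OrderedDict

def hash_password(password, salt, rounds=100_000):
    # Constructed storage format for this demo: "salt$hex(pbkdf2-sha256)".
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"{salt}${digest.hex()}"

class AuthCache:
    """Bounded LRU + TTL cache in front of a slow user lookup (e.g. MySQL)."""

    def __init__(self, lookup, max_entries=50_000, ttl=300, neg_ttl=30,
                 clock=time.monotonic):
        self.lookup = lookup            # callable: username -> stored hash or None
        self.max_entries = max_entries  # hard memory bound, unlike a plain dict
        self.ttl, self.neg_ttl = ttl, neg_ttl
        self.clock = clock
        self.entries = OrderedDict()    # username -> (expires_at, hash or None)
        self.backend_queries = 0

    def stored_hash(self, user):
        now = self.clock()
        entry = self.entries.get(user)
        if entry is not None and entry[0] > now:
            self.entries.move_to_end(user)      # mark as recently used
            return entry[1]
        self.backend_queries += 1
        stored = self.lookup(user)
        # Unknown users are cached too, but briefly, so a flood of bad names
        # cannot hammer the database and a new signup is not refused for long.
        lifetime = self.ttl if stored is not None else self.neg_ttl
        self.entries[user] = (now + lifetime, stored)
        self.entries.move_to_end(user)
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)    # evict least recently used
        return stored

    def check(self, user, password):
        stored = self.stored_hash(user)
        if stored is None:
            return False
        salt = stored.split("$", 1)[0]
        return hmac.compare_digest(hash_password(password, salt), stored)

# Constructed sample user table standing in for the MySQL backend.
USERS = {"alice": hash_password("correct horse", "s1"),
         "bob": hash_password("hunter2", "s2")}
```

The `ttl` value is also the longest time a changed or revoked password keeps working from the cache, so it is a security setting as much as a performance one.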