On 09.04.2011 19:50, Amos Jeffries wrote:
- why such load even exists ? when I kill affected processes squid
continues to run without influencing its clients for some time. Then the
load appears again.

That is unclear. It could be anything from that being the actual request load, to a config design problem causing unnecessary calls to the auth helpers, to a problem in PAM doing a lot of extra work for nothing.
Well, you said earlier that under heavy load the first few helpers receive the majority of work. Let's assume I have 5 helpers that eat CPU, as it really happens sometimes. In the next moment I kill them (I do this rather often). Considering the assumption that CPU load is caused by actual needs, such as repeating authentication, not some 'stucking' in the PAM framework or helper code, and at the same time the low probability of such load ending in the exact same moment when I kill the helpers, it has to continue, and the next bunch of helpers should receive this load and start to eat CPU. In reality that doesn't happen, CPU becomes idle.


The basic helper config is:

auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 35
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute

60 seconds between checks with the PAM helper will raise load. On small networks with few clients this is not a problem, but on larger ones it could be.

auth_param basic casesensitive off

and the pam config for the squid service name is:

auth sufficient pam_unix.so no_warn
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
auth sufficient pam_krb5.so no_warn try_first_pass

auth required pam_deny.so no_warn


I don't believe pam_winbind or pam_krb5 will work with this config using Basic auth. They are for NTLM and Negotiate auth respectively.
So, then the pam_unix.so should work. But I don't have 2K AD users on any of these FreeBSD, I have like 30 local users. Actually I'm not that sure about pam_winbind.so, but pam_krb5.so definitely can process plaintext passwords. As kinit does. I suppose pam_winbind.so is also able to handle plaintext passwords, just by the fact that wbinfo can.

Thanks.
Eugene.
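
One way to separate the two explanations debated above (real lookup volume versus helpers stuck in PAM) is to time every lookup. The shim below is an added example, not code from this thread or from Squid; it assumes the helper speaks the one-line `user password` in, `OK`/`ERR` out Basic helper protocol, and `timed_helper` and `REAL_HELPER` are hypothetical names.

```python
#!/usr/bin/env python3
# Added example: latency-logging shim placed between Squid and a Basic auth helper.
import subprocess
import sys
import time

# Assumption: the real helper is the one named in the squid.conf quoted in the thread.
REAL_HELPER = ["/usr/local/libexec/squid/pam_auth"]


def timed_helper(helper_cmd, requests, log):
    """Relay 'user password' lines to helper_cmd and yield each reply.

    For every lookup a (username, reply, seconds) tuple is appended to `log`.
    The password is forwarded to the helper but never recorded.
    """
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    try:
        for line in requests:
            line = line.rstrip("\r\n")
            if not line:
                continue
            user = line.split(" ", 1)[0]
            start = time.monotonic()
            try:
                proc.stdin.write(line + "\n")
                proc.stdin.flush()
                reply = proc.stdout.readline().strip()
            except OSError:
                reply = ""
            if not reply:
                reply = "ERR"  # helper died or closed its pipe: fail closed
            log.append((user, reply, time.monotonic() - start))
            yield reply
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    log = []
    for reply in timed_helper(REAL_HELPER, sys.stdin, log):
        print(reply, flush=True)  # answer Squid immediately
        user, result, secs = log.pop()
        # stderr from a helper normally ends up in Squid's cache.log
        print(f"{time.time():.0f} {user} {result} {secs:.3f}s",
              file=sys.stderr, flush=True)
```

Pointing `auth_param basic program` at this script gives one timing line per lookup: many fast lookups indicate genuine re-validation volume, while a few lookups that take seconds point at the PAM stack.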
