[389-users] PAM Pass through authentication only one threaded

Rich Megginson rmeggins at redhat.com
Fri Nov 1 13:22:48 UTC 2013


On 11/01/2013 03:47 AM, Jan Tomasek wrote:
> Hello,
>
> I'm experimenting with PAM pass through authentication and it looks like
> 389 processes parallel requests in a serial way.
>
> To demonstrate this behavior I use a simple test script:
>
> for i in `seq 1 10`
> do
> time ldapsearch -LLL -H ldaps://xxx.cesnet.cz -x \
>   -b dc=perun-shadow,dc=cesnet,dc=cz \
>   -D "uid=semik$i,ou=People,dc=perun-shadow,dc=cesnet,dc=cz" \
>   -w 'zadek' -s base dn &
> done
>
> Here is part of the output I get:
>
> bind DN [uid=semik6,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
> real    0m2.127s
>
> bind DN [uid=semik10,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
> real    0m4.392s
>
> bind DN [uid=semik1,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
> real    0m6.405s
>
> bind DN [uid=semik5,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
> real    0m8.699s
>
> bind DN [uid=semik2,ou=People,dc=perun-shadow,dc=cesnet,dc=cz]
> real    0m10.926s
>
> ...
>
> All ldapsearch scripts are executed in the background, i.e. in parallel.
> But the server processes them serially. I can tell that from the
> increasing time needed to process the ldapsearches. The increment of
> around 2 sec is caused by the pam_unix delay because of the wrong password.
>
> Is the 389 bind process really serialized? Or have I just overlooked some
> limit?

PAM is not thread safe, in our experience, so we have to serialize calls 
into PAM.

>
> Configuration of PAM plugin:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: libpam-passthru-plugin
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: cn=config
> pamIDMapMethod: RDN
> pamIDAttr: notUsedWithRDNMethod
> pamFallback: FALSE
> pamSecure: TRUE
> pamService: sshd
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.2.11.15
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> nsslapd-pluginarg0: pamIncludeSuffix
> nsslapd-pluginarg1: dc=perun-shadow,dc=cesnet,dc=cz
> modifiersName: cn=directory manager
> modifyTimestamp: 20131101085721Z
>
> Thank you for any suggestions!
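
The staircase of bind times reported in this thread is what one lock around a slow authentication call produces. The C model below is an added example, not 389 DS or plugin source: it assumes a single mutex is the serializing mechanism, and `slow_auth`, `run_binds` and the 40 ms delay are constructed stand-ins for a failing PAM call (no libpam is used; build with -pthread).

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <time.h>
#define NBINDS 5
#define FAIL_DELAY_MS 40 /* constructed; the thread reports about 2 s */
static pthread_mutex_t auth_lock = PTHREAD_MUTEX_INITIALIZER;
static int serialize; /* 1 = hold auth_lock around the auth call */
static double t0, done_ms[NBINDS];

static double now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000.0 + ts.tv_nsec / 1e6;
}

/* Hypothetical stand-in for an auth call that fails after a fixed delay. */
static void slow_auth(void) {
    struct timespec d = { 0, FAIL_DELAY_MS * 1000000L };
    nanosleep(&d, NULL);
}

static void *bind_worker(void *arg) {
    if (serialize) pthread_mutex_lock(&auth_lock);
    slow_auth();
    if (serialize) pthread_mutex_unlock(&auth_lock);
    *(double *)arg = now_ms() - t0; /* completion time seen by this client */
    return NULL;
}

/* Start NBINDS binds at once; return the slowest completion time in ms. */
double run_binds(int use_lock) {
    pthread_t th[NBINDS];
    double worst = 0;
    serialize = use_lock;
    t0 = now_ms();
    for (int i = 0; i < NBINDS; i++)
        pthread_create(&th[i], NULL, bind_worker, &done_ms[i]);
    for (int i = 0; i < NBINDS; i++) {
        pthread_join(th[i], NULL);
        if (done_ms[i] > worst) worst = done_ms[i];
    }
    return worst;
}

int main(void) {
    printf("serialized %.0f ms, unserialized %.0f ms\n", run_binds(1), run_binds(0));
    return 0;
}
```

With the lock held, the slowest client waits for NBINDS delays in a row, so every slow failed bind also delays the legitimate binds queued behind it.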



