From: Igor Brezac (no email)
Date: Thu Jan 09 2003 - 13:12:47 EST
On Fri, 10 Jan 2003 wrote:
> On Wed, 1 Jan 2003, Igor Brezac wrote:
>
> > On Wed, 1 Jan 2003 wrote:
> > [...]
> > > Can anyone offer advice on tuning the saslauthd pool? Are there particular
> > > options, either on the command line or in saslauthd.conf, which I should
> > > be looking at?
> >
> > Try using 'ldap_auth_method: custom'. It is up to three times faster
> > than the 'bind' method.
>
> Thanks for the suggestion. Unfortunately 'custom' wasn't an option for
> us, although we certainly could have benefited from it. The reason we
> can't use it is that to support password migration our shell back-end does
> mad things like:
>
> try binding to new server;
> if (failure) {
>     try binding to old server;
>     if (success)
>         update user password in new server for next time;
> }
>
> Don't look at me, I just inherited it :-)
>
> This logic (to use the term loosely) makes it impossible to return a
> sensible response to a search on userPassword. Instead, I committed a
> gross hack and implemented a new method called auth_fastbind. It does away
> with the search and extra anonymous bind in auth_bind by making two
> assumptions:
>
> 1. Expanding the ldap_filter expression gives the fully-qualified DN
> 2. There is no cost to staying bound as a named user
>
> These held for our shell back-end, but I don't know how applicable they
> are to wider use. Still, if anyone's interested I've attached the patch
> (against 2.1.10).
>
I like this patch. This can work well for quite a few people. Rob, can
you apply this patch?
-- Igor
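
[Added example, not part of the original message and not the attached patch.] Assumption 1 above means the login name is substituted straight into the DN that gets bound, with no search in between, so the expansion step has to escape DN metacharacters. A sketch in C, assuming saslauthd-style %u (user) and %r (realm) tokens; the function names and the sample template are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Append v to out, backslash-escaping RFC 4514 DN specials so that a
 * login name cannot add or alter RDNs. -1 on empty value or overflow. */
static int append_escaped(char *out, size_t cap, size_t *pos, const char *v)
{
    size_t n = strlen(v);
    if (n == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        int special = strchr(",+\"\\<>;=", v[i]) != NULL
            || (i == 0 && (v[i] == '#' || v[i] == ' '))
            || (i == n - 1 && v[i] == ' ');
        if (*pos + (special ? 2 : 1) >= cap) return -1; /* keep room for NUL */
        if (special) out[(*pos)++] = '\\';
        out[(*pos)++] = v[i];
    }
    return 0;
}

/* Expand %u and %r in tmpl into a bind DN (hypothetical helper).
 * Returns 0 on success, -1 on bad template, empty value or overflow. */
int expand_bind_dn(const char *tmpl, const char *user, const char *realm,
                   char *out, size_t cap)
{
    size_t pos = 0;
    if (cap == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') {
            if (pos + 1 >= cap) return -1;
            out[pos++] = *p;
            continue;
        }
        p++;
        if (*p == 'u') { if (append_escaped(out, cap, &pos, user)) return -1; }
        else if (*p == 'r') { if (append_escaped(out, cap, &pos, realm)) return -1; }
        else if (*p == '%') { if (pos + 1 >= cap) return -1; out[pos++] = '%'; }
        else return -1; /* unknown token or template ends in '%' */
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    char dn[128]; /* constructed sample template and login name */
    if (expand_bind_dn("uid=%u,ou=people,dc=example,dc=com",
                       "x,ou=admins", "", dn, sizeof dn) == 0)
        printf("bind DN: %s\n", dn);
    return 0;
}
```

Failing closed on an empty value, an unknown token or a full buffer means a malformed login never reaches the bind call with a truncated or partial DN.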