Sylvain Baubeau | 5 Nov 2011 02:13

mod_auth_kerb performance

Hello list,

I have kerberized one of my web applications using mod_auth_kerb but I'm
facing a performance issue: when I make a request without mod_auth_kerb,
I get a response in about 5 milliseconds, but with mod_auth_kerb enabled I
get a response in about 100 milliseconds.
After investigating a bit, I found out most of the time was spent in
gss_accept_sec_context (right after the debug message 'Verifying client
data using KRB5 GSS-API').
There seems to be no call made to the network during the execution of the
function (in particular, no call to the Kerberos server). Is it a pure CPU
speed problem? What do you think could make gss_accept_sec_context
take so long?

I would really appreciate your help.
Regards

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
Henry B. Hotz | 8 Nov 2011 02:05

Re: mod_auth_kerb performance

Comparing the performance of an unauthenticated request with an authenticated request seems a bit
unfair.  Have you, for example, compared an http with an https request?  (With/without client certificates?)

Does Apache have its own keytab file?  The cost of hunting through a large list of irrelevant principals is
one thing that could be optimized.  If it's enabled, it might be faster if password authentication were
disabled, though I doubt that would be significant.  Most of the real work is done in the Kerberos libraries.

I don't know how much flexibility you have to modify your build.  If the Kerberos libraries you're using are
linked against openssl crypto libraries that might be faster.  I've heard credible claims that Heimdal is
faster than MIT also, but that might be version-dependent.

On Nov 4, 2011, at 6:13 PM, Sylvain Baubeau wrote:

> Hello list,
> 
> I have kerberized one of my web applications using mod_auth_kerb but I'm
> facing a performance issue: when I make a request without mod_auth_kerb,
> I get a response in about 5 milliseconds, but with mod_auth_kerb enabled I
> get a response in about 100 milliseconds.
> After investigating a bit, I found out most of the time was spent in
> gss_accept_sec_context (right after the debug message 'Verifying client
> data using KRB5 GSS-API').
> There seems to be no call made to the network during the execution of the
> function (in particular, no call to the Kerberos server). Is it a pure CPU
> speed problem? What do you think could make gss_accept_sec_context
> take so long?
> 
> I would really appreciate your help.
> Regards
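Henry's point about "hunting through a large list of irrelevant principals" is easy to check: list what the keytab actually contains and see how many entries are not for the HTTP/ service at all. The usual tool for that is `klist -kt`, but the following added example (not code from this list or from mod_auth_kerb) parses the MIT keytab format version 0x0502 directly, so it can also be dropped into a monitoring job. The sample entries and their zeroed key bytes are constructed for the demonstration; the parser deliberately reads past the key material and never keeps it. Run it with a keytab path as the first argument to inspect a real file, which should of course be readable only by the account Apache runs as.

```python
import struct
from collections import Counter

# Constructed sample contents (not a real keytab): principal, kvno, enctype, key bytes.
# Enctype 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96.
SAMPLE_ENTRIES = [
    ("HTTP/www.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    ("HTTP/www.example.com@EXAMPLE.COM", 3, 17, bytes(16)),
    ("host/www.example.com@EXAMPLE.COM", 2, 18, bytes(32)),
    ("nfs/storage.example.com@EXAMPLE.COM", 7, 18, bytes(32)),
]

def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples as a version 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type NT-PRINCIPAL (1), timestamp 0, 8-bit key version number
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

class _Reader:
    """Cursor over a byte buffer for the big-endian fields of the keytab format."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals
    def counted(self) -> bytes:
        (n,) = self.unpack(">H")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data
    def remaining(self) -> int:
        return len(self.buf) - self.pos

def parse_keytab(blob: bytes):
    """Return a list of {principal, kvno, enctype} dicts for every live entry."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    rd = _Reader(blob)
    rd.pos = 2
    entries = []
    while rd.remaining() >= 4:
        (size,) = rd.unpack(">i")
        if size < 0:                  # negative size marks a deleted slot: skip it
            rd.pos += -size
            continue
        if size == 0:
            break
        body = _Reader(blob[rd.pos:rd.pos + size])
        rd.pos += size
        (ncomp,) = body.unpack(">H")
        realm = body.counted().decode()
        comps = [body.counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = body.unpack(">IIB")
        (enctype,) = body.unpack(">H")
        body.counted()                # key material: skip it, never keep it
        kvno = vno8
        if body.remaining() >= 4:     # 32-bit kvno overrides the 8-bit field
            (kvno,) = body.unpack(">I")
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries

def keytab_report(entries, service="HTTP"):
    """Count entries per principal and list principals the web server never needs."""
    per_principal = Counter(e["principal"] for e in entries)
    irrelevant = sorted(p for p in per_principal if not p.startswith(service + "/"))
    return {"total": len(entries), "per_principal": dict(per_principal),
            "irrelevant": irrelevant}

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_ENTRIES)
    print(keytab_report(parse_keytab(blob)))
```

If the report shows host/, nfs/ or other service principals next to the HTTP/ ones, the web server is sharing a keytab with other services; a keytab containing only the HTTP/ entries is both smaller to search and limits what a compromised Apache process can impersonate.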


Mauricio Tavares | 20 Nov 2011 16:54

How to stop auto logging back in after logging out

I have a site (ok, two on different machines) with which I want to use
mod_auth_kerb. So in each of them I have something like this:

         <Location />
                 AuthType Kerberos
                 KrbAuthRealms DOMAIN.COM
                 KrbServiceName HTTP
                 Krb5Keytab /etc/apache2/krb5.keytab
                 KrbMethodNegotiate on
                 KrbMethodK5Passwd on
                 Require valid-user
         </Location>

Now, that works rather peachy when you have a ticket. Sometimes too 
peachy because you might be trying to log in as another user and it will 
not even give you a login window as before; it will just go right in. If 
you do not have a TGT, it will then give you a login screen which works 
fine if you enter a Kerberos user (more on that in the next paragraph). 
But, when you log out, it will immediately log back in. Is there a way 
to make it let me log out?

On a not-fully-related point, one of the sites has a user that is not a 
Kerberos principal; it is only defined in its own database (if you use 
RT you know exactly what I am talking about). Right now I cannot log in 
as that user. Does anyone have any suggestions?


Mauricio Tavares | 21 Nov 2011 09:44

KrbLocalUserMapping

I have been finding references about a KrbLocalUserMapping
directive for mod_auth_kerb. But when I try to use it, I am told that

.. waiting Syntax error on line 23 of /etc/apache2/sites-enabled/000-default:
Invalid command 'KrbLocalUserMapping', perhaps misspelled or defined
by a module not included in the server configuration
   ...fail!

So, does it exist or is it just a figment of my deranged imagination?

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
Jari Ahonen | 21 Nov 2011 10:48

Re: KrbLocalUserMapping

It does exist and it works, I'm using it.

Maybe you have an older version of the module that doesn't support this feature?

- Jari

-----Original Message-----
From: Mauricio Tavares [mailto:raubvogel <at> gmail.com] 
Sent: Monday, November 21, 2011 9:45 AM
To: modauthkerb-help <at> lists.sourceforge.net
Subject: [modauthkerb] KrbLocalUserMapping

I have been finding references about a KrbLocalUserMapping directive for mod_auth_kerb. But when I try to
use it, I am told that

.. waiting Syntax error on line 23 of /etc/apache2/sites-enabled/000-default:
Invalid command 'KrbLocalUserMapping', perhaps misspelled or defined by a module not included in the
server configuration
   ...fail!

So, does it exist or is it just a figment of my deranged imagination?


Simon Young | 21 Nov 2011 10:51

Re: KrbLocalUserMapping

On Mon, Nov 21, 2011 at 03:44:38AM -0500, Mauricio Tavares wrote:
>       I have been finding references about a KrbLocalUserMapping
> directive for mod_auth_kerb. But when I try to use it, I am told that
> 
> .. waiting Syntax error on line 23 of /etc/apache2/sites-enabled/000-default:
> Invalid command 'KrbLocalUserMapping', perhaps misspelled or defined
> by a module not included in the server configuration
>    ...fail!
> 
> So, does it exist or is it just a figment of my deranged imagination?

Sounds like the mod_auth_kerb version you're using doesn't offer this
directive (assuming you've definitely loaded the module :)

According to the ChangeLog KrbLocalUserMapping was added in version 5.4:

*implemented KrbLocalUserMapping i.e. to strip @REALM from username for
further use

Simon.
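The ChangeLog entry Simon quotes describes the directive as stripping @REALM from the username before it is passed on (for example into REMOTE_USER for RT). The added example below is not mod_auth_kerb's code; it reproduces that bare strip and sets a realm-aware variant beside it, because the bare strip makes alice@DOMAIN.COM and alice@OTHER.COM collapse onto the same local name "alice". The allowed-realm set mirrors the KrbAuthRealms value from Mauricio's configuration and is an assumption for the demonstration, as is the rule that service principals (those with a slash) never map to a local user.

```python
# Hypothetical mapping helpers, written for this thread; not mod_auth_kerb code.
ALLOWED_REALMS = {"DOMAIN.COM"}   # assumed: mirrors KrbAuthRealms in the poster's config

def strip_realm(principal: str) -> str:
    """The behaviour the ChangeLog line describes: drop '@REALM' and keep the rest."""
    return principal.rsplit("@", 1)[0] if "@" in principal else principal

def map_local_user(principal: str, allowed_realms=ALLOWED_REALMS):
    """Realm-aware variant: return a local username, or None if the
    principal must not be mapped onto a local account.

    Refuses principals from realms outside allowed_realms, so a user in a
    foreign realm cannot take over the local account of the same name, and
    refuses service principals such as HTTP/host@REALM."""
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm not in allowed_realms:
        return None
    if not name or "/" in name:
        return None
    return name

def demonstrate_collision():
    """Show the collision the bare strip produces and the variant that avoids it."""
    local = strip_realm("alice@DOMAIN.COM")
    foreign = strip_realm("alice@OTHER.COM")
    return {
        "bare_strip_collides": local == foreign,          # True: both become "alice"
        "realm_aware_local": map_local_user("alice@DOMAIN.COM"),   # "alice"
        "realm_aware_foreign": map_local_user("alice@OTHER.COM"),  # None
    }

if __name__ == "__main__":
    print(demonstrate_collision())
```

When KrbAuthRealms lists a single realm, as in the configuration earlier in this thread, the bare strip is unambiguous; the realm check only starts to matter once more than one realm is trusted, and then it belongs either in the module configuration or in the application receiving REMOTE_USER.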

Mauricio Tavares | 21 Nov 2011 16:58

Re: KrbLocalUserMapping

On Mon, Nov 21, 2011 at 4:51 AM, Simon Young <simon <at> excession.net> wrote:
> On Mon, Nov 21, 2011 at 03:44:38AM -0500, Mauricio Tavares wrote:
>>       I have been finding references about a KrbLocalUserMapping
>> directive for mod_auth_kerb. But when I try to use it, I am told that
>>
>> .. waiting Syntax error on line 23 of /etc/apache2/sites-enabled/000-default:
>> Invalid command 'KrbLocalUserMapping', perhaps misspelled or defined
>> by a module not included in the server configuration
>>    ...fail!
>>
>> So, does it exist or is it just a figment of my deranged imagination?
>
> Sounds like the mod_auth_kerb version you're using doesn't offer this
> directive (assuming you've definitely loaded the module :)
>
> According to the ChangeLog KrbLocalUserMapping was added in version 5.4:
>
> *implemented KrbLocalUserMapping i.e. to strip @REALM from username for
> further use
>
> Simon.
>
      Thanks for the info Jari and Simon! My problem was in fact using
an older version -- whatever is the latest in Ubuntu 10.04 LTS. I tried
a newer release and it worked, as Bugs Bunny would say, poifectly.
