Discussion:
saslauthd with mech "kerberos5" generates a lot of ldap-load
t***@gmx.de
2018-03-27 14:13:12 UTC
Hi,
Our Cyrus IMAP server is configured with "sasl_pwcheck_method: saslauthd" and saslauthd with mech "kerberos5".
Everything else we needed was a krb5.conf and a krb5.keytab; so far the authentication over IMAP works.

On the mail server an sssd is also configured, so that the server knows all users from an LDAP server (Samba4).
Users are not allowed to log in on this server (ssh, local), but I think for Postfix the server needs to know all users.

If I turn off the sssd, IMAP authentication still works. That means saslauthd doesn't need the local authentication service "sssd".
So far it makes sense to me; saslauthd is configured for kerberos5.

But when I turn on the sssd, IMAP authentication still works, but when a user logs in over IMAP, the sssd resolves all LDAP groups
of this user, and this generates a lot of LDAP load, so that the mail server becomes very slow.

So it seems the saslauthd asks the local user management for group information; is this right?
Is there any connection between the local user management and saslauthd, although saslauthd is configured with kerberos5?

Thanks
Dan White
2018-03-27 15:03:44 UTC
Post by t***@gmx.de
Our Cyrus IMAP server is configured with "sasl_pwcheck_method: saslauthd" and saslauthd with mech "kerberos5".
Everything else we needed was a krb5.conf and a krb5.keytab; so far the authentication over IMAP works.
On the mail server an sssd is also configured, so that the server knows all users from an LDAP server (Samba4).
Users are not allowed to log in on this server (ssh, local), but I think for Postfix the server needs to know all users.
If I turn off the sssd, IMAP authentication still works. That means saslauthd doesn't need the local authentication service "sssd".
So far it makes sense to me; saslauthd is configured for kerberos5.
But when I turn on the sssd, IMAP authentication still works, but when a user logs in over IMAP, the sssd resolves all LDAP groups
of this user, and this generates a lot of LDAP load, so that the mail server becomes very slow.
So it seems the saslauthd asks the local user management for group information; is this right?
Is there any connection between the local user management and saslauthd, although saslauthd is configured with kerberos5?
I presume you have /etc/nsswitch.conf configured to use sssd for user/group
resolution, and that you have 'auth_mech: unix' and 'unix_group_enable: 1'
set in imapd.conf.

If you do not make use of group based ACLs, consider turning off
unix_group_enable. If you do make use of it, use pts/ldap. "Unix" group
resolution can be very inefficient, as you would typically iterate over an
entire group tree to resolve group membership on each authentication.
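An added example, not code from the thread or from the Cyrus project: a small POSIX sh check that reads an imapd.conf together with an nsswitch.conf and reports whether every IMAP login will enumerate groups through NSS and therefore through sssd, which is the load path described above. The three imapd.conf fragments (the original setting, the unix_group_enable: 0 change, and the pts/ldap alternative) and the nsswitch.conf are constructed sample files; the function names are my own. A missing auth_mech is treated as unix and a missing unix_group_enable as on, matching the documented Cyrus defaults.

```shell
#!/bin/sh
# Added example: classify a Cyrus imapd.conf + nsswitch.conf pair by whether
# each IMAP authentication will enumerate groups through NSS (and so sssd/LDAP).
# Every configuration file below is a constructed sample, not from a live host.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Sample 1: the setting the thread starts from (unix auth, group lookups on).
cat > "$DEMO_DIR/imapd.before.conf" <<'EOF'
sasl_pwcheck_method: saslauthd
auth_mech: unix
unix_group_enable: 1
EOF

# Sample 2: the change that ended the thread: keep unix auth, stop group lookups.
cat > "$DEMO_DIR/imapd.after.conf" <<'EOF'
sasl_pwcheck_method: saslauthd
auth_mech: unix
unix_group_enable: 0
EOF

# Sample 3: the pts/ldap alternative suggested when group ACLs are still needed.
cat > "$DEMO_DIR/imapd.pts.conf" <<'EOF'
sasl_pwcheck_method: saslauthd
auth_mech: pts
pts_module: ldap
EOF

# Sample nsswitch.conf: group resolution goes to local files, then to sssd.
cat > "$DEMO_DIR/nsswitch.conf" <<'EOF'
passwd: files sss
group:  files sss
EOF

# Print the last value of "key: value" in an imapd.conf-style file (empty if unset).
conf_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed when the group: line of nsswitch.conf names the sss module.
nss_group_uses_sss() {
  grep -E '^[[:space:]]*group:' "$1" | grep -qw sss
}

# Verdict for one imapd.conf ($1) / nsswitch.conf ($2) pair:
#   HIGH   unix group lookups on and NSS sends them to sssd (the thread's load)
#   MEDIUM unix group lookups on but NSS stays with local files
#   LOW    no per-login NSS group enumeration (unix_group_enable off, or pts)
group_lookup_risk() {
  mech=$(conf_value "$1" auth_mech)
  [ -n "$mech" ] || mech=unix                  # Cyrus default
  enable=$(conf_value "$1" unix_group_enable)
  [ -n "$enable" ] || enable=1                 # Cyrus default: on
  case "$enable" in
    1|yes|on|t|true) enable=1 ;;
    *)               enable=0 ;;
  esac
  if [ "$mech" = unix ] && [ "$enable" = 1 ]; then
    if nss_group_uses_sss "$2"; then echo HIGH; else echo MEDIUM; fi
  else
    echo LOW
  fi
}

for f in imapd.before.conf imapd.after.conf imapd.pts.conf; do
  printf '%-18s %s\n' "$f" "$(group_lookup_risk "$DEMO_DIR/$f" "$DEMO_DIR/nsswitch.conf")"
done
```

Run it on a real host by pointing `group_lookup_risk` at /etc/imapd.conf and /etc/nsswitch.conf; a HIGH verdict means the per-login group walk goes to sssd and the LDAP server, which is exactly the situation the original poster saw.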
t***@gmx.de
2018-03-28 07:31:50 UTC
Hi,
Post by Dan White
I presume you have /etc/nsswitch.conf configured to use sssd for user/group
resolution, and that you have 'auth_mech: unix' and 'unix_group_enable: 1'
set in imapd.conf.
If you do not make use of group based ACLs, consider turning off
unix_group_enable. If you do make use of it, use pts/ldap. "Unix" group
resolution can be very inefficient, as you would typically iterate over an
entire group tree to resolve group membership on each authentication.
"unix_group_enable: 0" solved my problem, thank you!

What is the "auth_mech: unix" for? For group management I understand: I can have
a mailbox for a group, and then IMAP needs to know who is a member of this group.

But with "unix_group_enable: 0", what is the auth_mech needed for? When I shut down
the local user management (sssd), everything seems to work.

Thanks
Thomas Harding
2018-03-28 15:01:22 UTC
Post by t***@gmx.de
Hi,
Post by Dan White
I presume you have /etc/nsswitch.conf configured to use sssd for user/group
resolution, and that you have 'auth_mech: unix' and 'unix_group_enable: 1'
set in imapd.conf.
If you do not make use of group based ACLs, consider turning off
unix_group_enable. If you do make use of it, use pts/ldap. "Unix" group
resolution can be very inefficient, as you would typically iterate over an
entire group tree to resolve group membership on each authentication.
"unix_group_enable: 0" solved my problem, thank you!
What is the "auth_mech: unix" for? For group management I understand: I can have
a mailbox for a group, and then IMAP needs to know who is a member of this group.
But with "unix_group_enable: 0", what is the auth_mech needed for?
That's the user/password database or other external authentication mechanisms (tickets, ...) such as Kerberos.

Normally, that's documented on man pages.
Post by t***@gmx.de
When I shut down
the local user management (sssd), everything seems to work.
Thanks
--
I was born to share, not hatred, but love.
Sophocle, /Antigone, 442 BC