Ticket #19 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

projects.uabgrid has long delay on login when pam authn with ldap is configured

Reported by: jpr@uab.edu Assigned to: jpr@uab.edu
Priority: normal Milestone:
Component: bookmarks Version:
Keywords: pam-ldap login delay Cc: jpr@uab.edu

Description

It takes about 30 seconds to complete the login process on projects.uabgrid with PAM authentication via ldap configured. This is happening when successful passwords are provided.

A tcpdump trace shows that the LDAP connection to the host is established right away, but then there is a long delay before the authentication bind is performed.

Change History

10/25/07 10:16:08 changed by jpr@uab.edu

  • status changed from new to closed.
  • resolution set to fixed.

This delay seems to be due to the ldap configuration file for authentication. When the /etc/ssl/certs dir is used instead of a ca bundle file, the directory enumeration is extremely slow. I found a post to the debian isp list detailing a similar problem.

The fix is to use the CA bundle file instead of using the certificate directory. In our configuration that involves changing /etc/auth_ldap.conf to use tls_cacertfile /etc/ssl/certs/ca-certificates.crt instead. The configuration instructions for project.uabgrid have been updated to reflect this.

It looks like ca-certificates.crt is just a cat /etc/ssl/certs/*.0 > /etc/ssl/certs/ca-certificates.crt, so it's just a little extra overhead to update this file, after a CA is added.
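
Added example, not part of the original ticket or the project's configuration: a shell sketch of the bundle regeneration and config check discussed above. The function names are assumptions for illustration; the *.0 glob and the tls_cacertfile directive come from the ticket, and tls_cacertdir is the directory-based counterpart it replaces.

```shell
#!/bin/sh
# build_ca_bundle DIR OUT
# Concatenate every DIR/*.0 file (the glob used in the ticket) that holds a
# PEM certificate into OUT. The bundle is written to a temp file next to OUT
# and renamed into place, so a login in progress never reads a partial file.
build_ca_bundle() {
    dir=$1
    out=$2
    tmp=$(mktemp "$(dirname "$out")/.ca-bundle.XXXXXX") || return 1
    count=0
    for f in "$dir"/*.0; do
        [ -f "$f" ] || continue    # unmatched glob or dangling symlink
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue  # not PEM
        cat "$f" >> "$tmp"
        # A file without a final newline would glue the next BEGIN line onto
        # its END line and corrupt the bundle; add the newline if missing.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no certificates found in $dir" >&2
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$out"
}

# count_certs FILE: number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# ldap_trust_source CONF
# Report which trust-anchor directive is active (not commented out) in an
# LDAP client config such as /etc/auth_ldap.conf: file, dir, both or none.
ldap_trust_source() {
    src=none
    if grep -Eiq '^[[:space:]]*tls_cacertfile[[:space:]]' "$1"; then src=file; fi
    if grep -Eiq '^[[:space:]]*tls_cacertdir[[:space:]]' "$1"; then
        [ "$src" = file ] && src=both || src=dir
    fi
    echo "$src"
}

# Usage (paths from the ticket):
#   build_ca_bundle /etc/ssl/certs /etc/ssl/certs/ca-certificates.crt
#   ldap_trust_source /etc/auth_ldap.conf    # expect "file" after the fix
```

The bundle has to be rebuilt when a CA is removed as well as when one is added, since a removed CA stays trusted by the LDAP client for as long as it remains in the bundle file.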