Re: [squid-users] pam_auth pam_end()

From: Eugene M. Zheganin <eugene_at_zhegan.in>
Date: Sun, 10 Apr 2011 00:12:01 +0600

On 09.04.2011 19:50, Amos Jeffries wrote:
>> - why such load even exists ? when I kill affected processes squid
>> continues to run without influencing its clients for some time. Then the
>> load appears again.
>
> That is unclear. It could be anything from that being the actual
> request load, to a config design problem causing unnecessary calls to
> the auth helpers, to a problem in PAM doing a lot of extra work for
> nothing.
Well, you said earlier that under heavy load the first few helpers receive
the majority of the work. Let's assume I have 5 helpers that eat CPU, as
really happens sometimes. In the next moment I kill them (I do this
rather often). Considering the assumption that the CPU load is caused by
actual needs, such as repeating authentication, not some 'stucking' in
the PAM framework or helper code, and at the same time the low probability
of such load ending at the exact same moment when I kill the helpers, it has
to continue, and the next bunch of helpers should receive this load and
start to eat CPU. In reality that doesn't happen; the CPU becomes idle.

>>
>> The basic helper config is:
>>
>> auth_param basic program /usr/local/libexec/squid/pam_auth
>> auth_param basic children 35
>> auth_param basic realm Squid[Kamtelecom]
>> auth_param basic credentialsttl 1 minute
>
> 60 seconds between checks with the PAM helper will raise load. On
> small networks with few clients this is not a problem, but larger ones
> it could be.
>
>> auth_param basic casesensitive off
>>
>> and the pam config for the squid service name is:
>>
>> auth sufficient pam_unix.so no_warn
>> auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
>> auth sufficient pam_krb5.so no_warn try_first_pass
>>
>> auth required pam_deny.so no_warn
>>
>
> I don't believe pam_winbind or pam_krb5 will work with this config
> using Basic auth. They are for NTLM and Negotiate auth respectively.
So, then the pam_unix.so should work. But I don't have 2K AD users on
any of these FreeBSD, I have like 30 local users. Actually I'm not that
sure about pam_winbind.so, but pam_krb5.so definitely can process
plaintext passwords. As kinit does. I suppose pam_winbind.so is also
able to handle plaintext passwords, just by the fact that wbinfo can.

Thanks.
Eugene.
Received on Sat Apr 09 2011 - 18:12:05 MDT
