[squid-users] ext_kerberos_ldap_group_acl vs ext_ldap_group_acl

From: Eugene M. Zheganin <eugene_at_zhegan.in>
Date: Tue, 03 Sep 2013 19:00:55 +0600

Hi.

I moved almost all of my squid to authentication schemes using
ext_kerberos_ldap_group_acl, and, though they do work OK, I'm not
entirely happy with their performance. ext_ldap_group_acl is like speed
of light fast comparing to ext_kerberos_ldap_group_acl. The most lag
(around 0.5 sec) happens, from my observation, between these two lines:

[...]
support_krb5.cc(267): pid=53166 :2013/09/03 18:52:45|
kerberos_ldap_group: DEBUG: Got principal name
HTTP/proxy1.norma.com_at_NORMA.COM
support_krb5.cc(311): pid=53166 :2013/09/03 18:52:46|
kerberos_ldap_group: DEBUG: Stored credentials
[...]

Is there any way to speed this up ? I've reread the documentation, but
without result. Is there any cache that could be used ?
I understand that kerberos group helper is way more complicated than the
pure ldap one, but still, having this pause on each group membership
checking is sad.

Thanks.
Eugene.
Received on Tue Sep 03 2013 - 13:01:07 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 04 2013 - 12:00:05 MDT