On Tue, Nov 01, 2011 at 12:14:28PM -0400, Mark London wrote:
> ktm@xxxxxxxx wrote:
> >On Tue, Nov 01, 2011 at 11:57:57AM -0400, Mark London wrote:
> >>Hi - On RHEL 6, with the latest updates, I have SASLAUTHD configured
> >>to use PAM authentication. I'm also running SSSD. Using this
> >>configuration, the SASLAUTHD processes would gradually increase
> >>memory usage. After running for several days, each process was
> >>using up about 680M. Are there any known memory leaks when using
> >>PAM? I've found posts on the web from people complaining about PAM
> >>memory leaks, but am not sure they still exist. In any event, I'm
> >>also experiencing that about once a week, SASLAUTHD starts recording
> >>time out errors when trying to contact SSSD, i.e.
> >>"pam_sss(imap:auth): Request to sssd failed. Timer expired." I
> >>decided to enable SASLAUTHD caching with the -c flag, and was
> >>surprised to discover that the SASLAUTHD processes no longer use up
> >>significant memory (i.e. they are now using < 10M)! Can anyone
> >>explain this behavior? Thanks. - Mark
> >Each trip through the PAM stack loses some memory. When you turn on
> >caching, you make a single trip for each authentication via SASL
> >and then it uses the cached copy from then on. This bounds your
> >memory use to N x num-users. Without caching, the growth as you
> >found is unbounded.
>
> Thanks for the info! But without caching, does the Mailman related
> memory use, eventually get freed up?

Do not quote me, but there is a problem with the SASL spec and the
needs of the PAM stack that cause the leak and the only way to free
the space is to restart saslauthd.

>
> Also, are there any bad side effects from turning on caching? If
> not, why isn't it the default?
>
> - Mark

When you have auth = authz, then it is more work to lock an account
because the old cached credentials continue to work until they are
removed.

Ken
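
The trade-off described in this thread, as an added example that is not part of the original messages and is not saslauthd's code: a simplified model of a credential cache in front of an authoritative backend, showing both the reduced number of backend trips and the window in which a locked account still authenticates. The `Backend` class, the `ttl` value, the `flush` hook and the sample account are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os


class Backend:
    """Stands in for the PAM stack: the authoritative account store."""

    def __init__(self):
        self.accounts = {}  # user -> (password, locked)
        self.calls = 0      # number of trips through the backend

    def check(self, user, password):
        self.calls += 1
        stored, locked = self.accounts.get(user, ("", True))
        return not locked and hmac.compare_digest(stored.encode(), password.encode())


class CachingAuthenticator:
    def __init__(self, backend, ttl):
        self.backend, self.ttl = backend, ttl
        self.salt = os.urandom(16)
        self.cache = {}  # user -> (salted digest, expiry time)

    def authenticate(self, user, password, now):
        digest = hashlib.sha256(self.salt + user.encode() + b"\0" + password.encode()).digest()
        hit = self.cache.get(user)
        if hit and now < hit[1] and hmac.compare_digest(hit[0], digest):
            return True  # cache hit: the backend is never consulted
        ok = self.backend.check(user, password)
        if ok:
            self.cache[user] = (digest, now + self.ttl)
        else:
            self.cache.pop(user, None)
        return ok

    def flush(self, user):
        """Hypothetical hook: drop the entry when the account is locked."""
        self.cache.pop(user, None)


def demo(flush_on_lock=False):
    backend = Backend()
    backend.accounts["alice"] = ("s3cret", False)   # constructed sample account
    auth = CachingAuthenticator(backend, ttl=300)
    results = [auth.authenticate("alice", "s3cret", now=t) for t in (0, 10)]
    backend.accounts["alice"] = ("s3cret", True)    # administrator locks the account
    if flush_on_lock:
        auth.flush("alice")
    results += [auth.authenticate("alice", "s3cret", now=t) for t in (20, 301)]
    return results, backend.calls
```

In the model, the login at `now=20` succeeds even though the account was locked, and it is refused only once the entry expires or is flushed, so the cache lifetime is the upper bound on how long a lock takes to become effective.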