All (apologies for the cross-posting - I am unsure which piece of software the "fault" arises from),

In OpenLDAP 2.0.25 (./configure --enable-spasswd --with-tls --enable-wrappers) (RedHat 7.1, stock system glibc 2.2.4-24) I'm using accounts of the form:

dn: uid=user,ou=People,dc=domain,dc=com
objectClass: top
objectClass: posixAccount
cn: user
uid: user
uidNumber: 100
gidNumber: 100
gecos: User, Mr. A
loginShell: /bin/sh
homeDirectory: /home/user
userPassword: {SASL}user@DOMAIN.COM

Then, in /usr/lib/sasl/slapd.conf:

pwcheck_method: PAM

Then, in /etc/pam.d/ldap:

#%PAM-1.0
auth required /lib/security/pam_krb5.so no_user_check
session required /lib/security/pam_permit.so

This works - password checks are successfully passed off against our Kerberos realm.

However, it appears to fail under load, possibly due to threading issues (a "ps faux" and "gdb /usr/local/libexec/slapd; attach PID; thread apply all bt" are attached)

Thread 7 (line 219 of attached file) appears to be blocked inside the SASL library, loading the PAM library.

I see three possibilities:

1) SASL isn't thread-safe, and OpenLDAP should be appropriately protecting this bit of code, and isn't
2) PAM isn't thread-safe, and SASL should be locking
3) The pam_krb5 (or kerberos) libraries aren't thread safe

For now, I'm going to try dropping back to a single-threaded slapd, but any suggestions would be welcome.

--
Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+