On 09.04.2011 19:50, Amos Jeffries wrote:
>> - why such load even exists? when I kill affected processes squid
>> continues to run without influencing its clients for some time. Then the
>> load appears again.
>
> That is unclear. It could be anything from that being the actual
> request load, to a config design problem causing unnecessary calls to
> the auth helpers, to a problem in PAM doing a lot of extra work for
> nothing.

Well, you said earlier that under heavy load the first few helpers receive
the majority of work. Let's assume I have 5 helpers that eat CPU, as it
really happens sometimes. In the next moment I kill them (I do this
rather often). Considering the assumption that CPU load is caused by
actual needs, such as repeating authentication, not some 'stucking' in
the PAM framework or helper code, and at the same time - low probability
of such load to end in the exact same moment when I kill helpers, it has
to continue, and the next bunch of helpers should receive this load and
start to eat CPU. In reality that doesn't happen, CPU becomes idle.

>> The basic helper config is:
>> auth_param basic program /usr/local/libexec/squid/pam_auth
>> auth_param basic children 35
>> auth_param basic realm Squid[Kamtelecom]
>> auth_param basic credentialsttl 1 minute
>
> 60 seconds between checks with the PAM helper will raise load. On
> small networks with few clients this is not a problem, but on larger ones
> it could be.
>
>> auth_param basic casesensitive off
>> and the pam config for the squid service name is:
>> auth sufficient pam_unix.so no_warn
>> auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
>> auth sufficient pam_krb5.so no_warn try_first_pass
>> auth required pam_deny.so no_warn
>
> I don't believe pam_winbind or pam_krb5 will work with this config
> using Basic auth. They are for NTLM and Negotiate auth respectively.

So, then the pam_unix.so should work. But I don't have 2K AD users on
any of these FreeBSD, I have like 30 local users. Actually I'm not that
sure about pam_winbind.so, but pam_krb5.so definitely can process
plaintext passwords. As kinit does. I suppose pam_winbind.so is also
able to handle plaintext passwords, just by the fact that wbinfo can.
Thanks.
Eugene.