
Re: ext_kerberos_ldap_group_acl vs ext_ldap_group_acl


We use LDAP_group here too with NTLM, and, as far as I know about
NTLM, there is no way to cache the auth itself and maybe this applies to
all the group info too.

Anyway, I am thinking of using some kind of RADIUS auth instead of NTLM...
--
Att...

Ricardo Felipe Klein
klein.rfk@xxxxxxxxx


On Tue, Sep 3, 2013 at 10:00 AM, Eugene M. Zheganin <eugene@xxxxxxxxx> wrote:
> Hi.
>
> I moved almost all of my squid to authentication schemes using
> ext_kerberos_ldap_group_acl, and, though they do work OK, I'm not
> entirely happy with their performance. ext_ldap_group_acl is like speed
> of light fast compared to ext_kerberos_ldap_group_acl. The most lag
> (around 0.5 sec) happens, from my observation, between these two lines:
>
> [...]
> support_krb5.cc(267): pid=53166 :2013/09/03 18:52:45|
> kerberos_ldap_group: DEBUG: Got principal name
> HTTP/proxy1.norma.com@xxxxxxxxx
> support_krb5.cc(311): pid=53166 :2013/09/03 18:52:46|
> kerberos_ldap_group: DEBUG: Stored credentials
> [...]
>
> Is there any way to speed this up? I've reread the documentation, but
> without result. Is there any cache that could be used?
> I understand that kerberos group helper is way more complicated than the
> pure ldap one, but still, having this pause on each group membership
> checking is sad.
>
> Thanks.
> Eugene.



