Hello,

We had roughly the same configuration: Apache 2.2 + mod_jk => Java 1.6, Tomcat 6, CAS 3.4.8 => AD 2003; users are not bound with FastBind.

You notice a 2-3 s delay in the login process; it's really slow. Can you use JMeter to take real measurements under load?

Two years ago I used JMeter to stress the complete chain, and it showed that a complete authentication took ~1200 ms with LDAP and 1900 ms with LDAPS if CAS is *not* configured to take care of connection pooling. Each new SSL connection to AD takes a 200 ms toll! In our case we have 3 connections:

- Search the user (poolable)
- Bind the user (not poolable)
- Retrieve attributes (poolable)

And the cherry on top: 0.1% of authentications fail because of AD timeouts.

Since CAS 3.4.9 there are two context sources: one for auth (non-pooled) and one for other searches (pooled). With this configuration, AD 2008R2 and Tomcat 7, a complete authentication takes ~1450 ms with no more failures.

Rgds.

On 29/01/2013 23:38, Mosior, Benjamin wrote:
Hello all,

I've been noticing a 2000-3000 ms delay in the login process due to multiple LDAPS connections being made for any single authentication attempt. Non-SSL LDAP logins are nearly instantaneous. Switching to the FastBindLdapAuthenticationHandler helped some, but the delay is still near 1800 ms. Watching the logs with the Java SSL debug option set, I'm timing the login based on the following:

2013-01-29 15:04:40,694 DEBUG [org.springframework.ldap.core.support.AbstractContextSource] - <Got Ldap context on server 'ldaps://ldapserver'...
### Copious Java SSL debug output from the handshakes with the DC (-Djavax.net.debug=ssl) ###
2013-01-29 15:04:42,423 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal fakeprincipal>

1. Is this sort of performance typical? As I mentioned previously, using the unsecured LDAP protocol makes the login process quite fast by comparison.

2. Is there a method for utilizing the FastBindLdapAuthenticationHandler in the context of the attributeRepository? I'm imagining that the user's credentials could be used to bind, then search for the principal and any other attributes, populating the attributeRepository with a single LDAPS connection. I couldn't find anything in the docs; am I being naïve?

3. Is there some other plan of attack I should be taking for investigating this issue? I've been reading documentation/mailing lists and doing quite a bit of Googling.

Environment: RHEL5, apache-tomcat-7.0.27, CAS 3.5.1, Active Directory (LDAPS on port 636).

I would greatly appreciate any response you might have.

Thank you,
Benjamin Mosior

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
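Added example (not from this thread, and not the CAS project's own configuration): a deployerConfigContext.xml fragment laid out the way the reply above describes, with a non-pooled context source for the user bind and a pooled one for the attribute lookup, plus JNDI timeouts so a stalled DC fails fast instead of producing the occasional timeout failure mentioned above. The bean ids, the host dc1.example.org, the DNs, the service account, the filter, and the timeout and pool sizes are assumptions; the bean class and property names follow Spring LDAP 1.3 and the CAS 3.4/3.5 sample configuration and should be checked against the jars actually deployed.

```xml
<!-- Fragment of deployerConfigContext.xml (Spring bean definitions).
     Host names, DNs, the service account and all numeric values are
     placeholders chosen for this example. -->

<!-- 1. Non-pooled source. Every getContext(dn, password) on this bean opens
        a fresh LDAPS connection (one TLS handshake). That is the behaviour the
        user bind needs: a connection authenticated as the end user must never
        be handed back to a pool and reused for someone else. -->
<bean id="bindContextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="url" value="ldaps://dc1.example.org:636"/>
  <property name="userDn" value="CN=cas-svc,OU=Service Accounts,DC=example,DC=org"/>
  <property name="password" value="changeit"/>
  <!-- JNDI-level pooling must be off when a PoolingContextSource wraps this bean. -->
  <property name="pooled" value="false"/>
  <!-- Fail fast on a stalled DC instead of hanging the login (milliseconds). -->
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
      <entry key="com.sun.jndi.ldap.read.timeout" value="5000"/>
    </map>
  </property>
</bean>

<!-- 2. Pooled source for searches that run as the service account only.
        Connections are reused across logins, so the TLS handshake is paid once
        per pooled connection rather than once per authentication. -->
<bean id="searchContextSource"
      class="org.springframework.ldap.pool.factory.PoolingContextSource">
  <property name="contextSource" ref="bindContextSource"/>
  <property name="dirContextValidator">
    <bean class="org.springframework.ldap.pool.validation.DefaultDirContextValidator"/>
  </property>
  <!-- Validate before handing out a connection: a pooled connection the DC has
       silently dropped would otherwise surface as an attribute-lookup failure
       instead of a transparent reconnect. -->
  <property name="testOnBorrow" value="true"/>
  <property name="maxActive" value="8"/>
  <property name="maxIdle" value="4"/>
  <property name="maxWait" value="2000"/>
</bean>

<!-- 3. Authentication handler: searches for the user's DN with the service
        account, then binds as the user. It is wired to the non-pooled source
        so that the bind can never come from, or return to, the pool. -->
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="sAMAccountName=%u"/>
  <property name="searchBase" value="OU=Users,DC=example,DC=org"/>
  <property name="contextSource" ref="bindContextSource"/>
  <!-- AD returns referrals for the forest; without this the subtree search
       aborts with a PartialResultException. -->
  <property name="ignorePartialResultException" value="true"/>
</bean>

<!-- 4. Attribute repository: read-only search as the service account, so it
        can use the pooled source and avoid a third TLS handshake per login. -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="contextSource" ref="searchContextSource"/>
  <property name="baseDN" value="OU=Users,DC=example,DC=org"/>
  <property name="requireAllQueryAttributes" value="true"/>
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="sAMAccountName"/>
    </map>
  </property>
  <property name="resultAttributeMapping">
    <map>
      <entry key="mail" value="email"/>
      <entry key="displayName" value="displayName"/>
    </map>
  </property>
</bean>
```

In this layout the handler's pre-bind user search still goes through the non-pooled source, so each login still pays two handshakes (search and bind) rather than three; whether the handler class in a given CAS version accepts a separate pooled source for that search is something to verify in its source. A simple check that the change took effect is to count the `Got Ldap context` lines, or the SSL handshakes with `-Djavax.net.debug=ssl`, per login before and after, as in the original report above.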
