> 2013-01-29 15:04:40,694 DEBUG
> [org.springframework.ldap.core.support.AbstractContextSource] - <Got Ldap
> context on server 'ldaps://ldapserver'…
>
> ### Copious java SSL debug output from the handshakes with the DC
> (-Djavax.net.debug=ssl) ###
>
> 2013-01-29 15:04:42,423 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved
> principal fakeprincipal>

~2s is an eternity. It's interesting that you noted speed without SSL is substantially improved. That suggests SSL handshaking is the problem, but it's not clear what single component, if there is indeed only one, is the problem. I would tend to say it's the directory, but it's hard to say without further evidence.

> 1. Is this sort of performance typical?

LDAP authentication performance varies widely with environment, which includes hardware, software, and network components. I would say it's on the slow side in my experience with CAS. I know we negotiate SSL/TLS connections to our directories on the order of ms in our environment.

> 2. Is there a method for utilizing the
> FastBindLdapAuthenticationHandler in the context of the attributeRepository?

No. But there are a number of opportunities for performance improvements in CAS components. For example, there is no reason we could not query for attributes on the bound connection used to authenticate the user and deliver those to the attribute repository instead of performing a wholly separate bind/search in the CredentialToPrincipalResolver. Performing exactly one bind/query would dramatically improve overall authentication performance.

Another potential source of improvement is pooling connections used for authentication. Spring LDAP components used by cas-server-support-ldap do not support this, but we are working on an LDAP support module for CAS [1] that uses ldaptive [2] under the hood that does support pooling of connections used for authentication. The performance benefits were dramatic:

https://github.com/serac/cas-server-integration-ldaptive/wiki/Performance-Comparison

The module is mature enough to be evaluated if you're interested. I would be curious whether it helps your situation.

M

[1] https://github.com/serac/cas-server-integration-ldaptive
[2] http://www.ldaptive.org/
