We are having similar problems with a Debian Etch server on OpenVZ
(protecting AWstats).  I tried changing the CASCookieEntropy to 32, 16, and
8 (reloading Apache each time), but it doesn't seem to have made a
difference. I can still watch the entropy tick up until it passes 64, then
it goes back down to zero and slowly accumulates again.

I upgraded to mod_auth_cas version 1.0.6 (was 1.0.5), but it still does not
seem to be respecting the directive.

Here is my auth_cas.conf:

 CASLoginURL https://login.uconn.edu/cas/login
 CASValidateURL https://login.uconn.edu/cas/serviceValidate
 CASCertificatePath /etc/ssl/certs/uconnCA.pem
 CASTimeout 7200
 CASIdleTimeout 3600
 CASCookiePath /tmp/cas/
 CASCookieEntropy 32

server-info shows the correct CASCookieEntropy value, so Apache seems to
know about it.  It seems like I must be missing something obvious, but I
can't figure out what.  My next step is going to be tweaking the debugging
code, so that I can get mod_auth_cas to tell me what it thinks
CASCookieEntropy is at a couple of different spots.

I appreciate your time.

Thank you,
-James



Matt is spot on here.  These were my thoughts:

* Have you changed the CASCookieEntropy value?

* What is your /proc/sys/kernel/random/entropy_avail value (especially
when seeing this slowdown)?  Try
'watch -n 0 cat /proc/sys/kernel/random/entropy_avail'

* Is this being done in an isolated VM?  If so, can you try it on a more
active VM or 'real' machine that has entropy sources?

-Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Smith, Matt
Sent: Tuesday, December 18, 2007 1:17 PM
To: Yale CAS mailing list
Subject: Re: mod_auth_cas 'pause'.

Robert-
  Three thoughts:

1) Are you running under virtualization (VMWare, Xen, etc)?  We've seen
a couple small problems with entropy generation in that scenario.  You
can try reducing CASCookieEntropy to something smaller than 32, say, 16.

2) Make sure the directory specified by CASCookiePath exists, has proper
permissions, and has space.

3) Is CASCertificatePath pointing to a directory (the default is
/etc/ssl/certs/)?  If so, try pointing directly to the single cert
representing your CAS server's signing CA.  Sometimes the directory
lookup takes some time.

Please let us know if any of this seems to help.

HTH,
-Matt
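
Matt's three checks, as an added example that is not part of the original thread: a shell function that reads the three directives from an auth_cas.conf and reports on each. It assumes Linux's entropy_avail file, 32 bytes when CASCookieEntropy is unset, and a random source that blocks when the pool is short; the function names and finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. ENTROPY_FILE is overridable so the
# check can be exercised without a real /proc (assumption: Linux procfs).
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}

# Print the argument of a directive in a config file (last occurrence wins).
cas_directive() {  # $1 = directive name, $2 = config file
    awk -v d="$1" '$1 == d { v = $2 } END { if (v != "") print v }' "$2"
}

# Print one finding per line for the three checks; print nothing if all pass.
check_cas_conf() {  # $1 = path to auth_cas.conf
    bytes=$(cas_directive CASCookieEntropy "$1")
    cookie_dir=$(cas_directive CASCookiePath "$1")
    cert=$(cas_directive CASCertificatePath "$1")
    cert=${cert:-/etc/ssl/certs/}   # default named in the thread

    # 1) CASCookieEntropy counts bytes, entropy_avail counts bits.
    if [ -r "$ENTROPY_FILE" ]; then
        avail=$(cat "$ENTROPY_FILE")
        need=$(( ${bytes:-32} * 8 ))   # 32 bytes assumed when unset
        if [ "$avail" -lt "$need" ]; then
            echo "LOW_ENTROPY: pool has $avail bits, one cookie needs $need"
        fi
    fi

    # 2) Cookie directory must exist, be writable, and have free space.
    if [ ! -d "$cookie_dir" ]; then
        echo "COOKIE_PATH_MISSING: $cookie_dir"
    elif [ ! -w "$cookie_dir" ]; then
        echo "COOKIE_PATH_NOT_WRITABLE: $cookie_dir"
    else
        free_kb=$(df -Pk "$cookie_dir" | awk 'NR == 2 { print $4 }')
        if [ "${free_kb:-1}" -le 0 ]; then
            echo "COOKIE_PATH_FULL: $cookie_dir"
        fi
    fi

    # 3) A directory here means a lookup across every cert it contains.
    if [ -d "$cert" ]; then
        echo "CERT_PATH_IS_DIR: $cert"
    elif [ ! -f "$cert" ]; then
        echo "CERT_PATH_MISSING: $cert"
    fi
    return 0
}

if [ $# -gt 0 ]; then check_cas_conf "$1"; fi
```

Run it as the user Apache runs as, since the writability test applies to whoever invokes the script.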