Hi
Simple question: Is it possible to use authpam directly as the
authentication module in the imap and pop3 daemons instead of authdaemon,
which then calls authdaemond and after that authpam? After reading
some docs (especially man authlib) it seems to me that this should be
possible.
I would like:
imap/pop -> authpam -> pam.d
instead of:
imap/pop -> authdaemon -> authdaemond -> authpam -> pam.d
But a test with "courierauthtest -m authpam testuser" always fails
with the message that this module is not available. Also adding this
module to "authmodulelist" does not change anything.
We are using courier-0.47 on Debian sarge.
We want to remove authdaemond from our authentication process because
we have strange login failures since the load on our imap and pop
server has increased. Currently we are using authdaemond with authpam
and pam asks a kerberos server. The problem is not the kerberos
server nor the pam itself. It must be somewhere between imap and
authpam.
We tested the procedure by simultaneously starting 200
courierauthtest processes with "courierauthtest -s imap testuser
testpassword" and checking how many auth requests reach
pam.d. There are fewer than 200 (let's assume 150), so we are losing
some requests on the way from the courierauthtest application to pam.d.
We also found by debugging that the select call in authdaemond.c only reacts
to these 150 events. So there must be an error in the socket
communication from authdaemon to authdaemond.
By debugging the stacktrace of courierauthtest we found exactly the
missing requests. They all produced:
connect(3, {sa_family=AF_FILE, path="/var/run/courier/authdaemon/socket"}, 110) = -1 EAGAIN (Resource temporarily unavailable)
write(3, "AUTH 29\nimap\nlogin\ntestuser\testp"..., 38) = -1 ENOTCONN (Transport endpoint is not connected)
So the application that wants to write into the socket cannot. (locked
by the reading authdaemond?)
Ah.. forgot to say. Increasing the number of authdaemond processes
does not solve the login failures. It only helps if we disable
kerberos authentication and use local accounts.
Does anyone have a hint how we can solve this problem of login
failures when the load increases? Plenty of CPU and memory is available.
You will be saving my day!
Thanks in advance...
Norbert
--
_____________________________
University of Berne
IT-Services Departement
Norbert Kottmann
Gesellschaftsstrasse 6
CH-3012 Bern
_______________________________________________
Courier-imap mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
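
Added example, not part of the original post and not Courier's code: on Linux, connect() on a non-blocking AF_UNIX stream socket returns EAGAIN when the listener's accept queue is full, which is one condition that yields the errno shown in the trace above. The sketch reproduces it with a constructed socket path and backlog and shows a client that retries with backoff; that this is the cause in the poster's setup is an assumption.

```python
import errno, os, socket, tempfile, time

def new_client():
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.setblocking(False)  # assumption: the client uses a non-blocking connect
    return c

def fill_backlog(path, backlog, attempts=64):
    """Listen on path, never accept; return (server, clients, errno of first failed connect)."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(backlog)
    clients = []
    for _ in range(attempts):
        c = new_client()
        try:
            c.connect(path)
        except OSError as e:  # Linux: EAGAIN; other systems may refuse instead
            c.close()
            return server, clients, e.errno
        clients.append(c)
    return server, clients, None

def connect_with_retry(path, tries=5, delay=0.02, on_retry=None):
    """Retry a connect that failed because the accept queue was full."""
    for attempt in range(tries):
        c = new_client()
        try:
            c.connect(path)
            return c, attempt
        except OSError as e:
            c.close()
            if e.errno not in (errno.EAGAIN, errno.ECONNREFUSED):
                raise
            if on_retry:
                on_retry()
            time.sleep(delay * 2 ** attempt)
    return None, tries

def demo(backlog=2):  # constructed backlog and temporary socket path
    path = os.path.join(tempfile.mkdtemp(), "socket")
    server, clients, err = fill_backlog(path, backlog)
    drain = lambda: server.accept()[0].close()  # stands in for the daemon catching up
    conn, retries = connect_with_retry(path, on_retry=drain)
    ok = conn is not None
    for s in clients + [server] + ([conn] if ok else []):
        s.close()
    os.unlink(path)
    return len(clients), err, retries, ok
```

The size of the accept queue is set by the backlog the listening process passes to listen(), so a server that accepts slowly under load fills it regardless of how many worker processes exist behind it.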