Package: libnss-ldap
Version: 238-1.1
libnss-ldap hits a severe performance penalty when the cacertdir
parameter points to a directory with a large number of certificate
files. The slowdown is a factor 80 after installing package
ca-certificates! It is primarily related to the number of files. If
using only one single file containing all certificates there is no
noticeable slowdown.
How to reproduce:
* Install and configure slapd, libnss-ldap.conf, nsswitch.conf
  to use TLS. Check that all is working.
* Change libnss-ldap.conf:
    tls_cacertdir /etc/ssl/certs
    ssl start_tls
* getent passwd
  Should be reasonably quick.
* aptitude install ca-certificates
* getent passwd
  Will be about 80 times slower now! And we are now talking about 20
  seconds.
If the nscd is running then the penalty will only be noticed once after
each nscd restart or each time an enumeration is done like "getent passwd".
A workaround to avoid risking this performance penalty is to create a
separate directory and place only the few certificates needed there,
possibly also in just one single file:
    tls_cacertdir /etc/ssl/libnssldap-certs
But specifying just a cacertfile may not be enough since the cacertdir
parameter may be set in ldap.conf, as described next.
libnss-ldap does not only use its own config file libnss-ldap.conf but
also ldap.conf. So when I removed the parameter tls_cacertdir from
libnss-ldap.conf it was still set from ldap.conf, which is why it took me
some time to understand why this didn't solve my performance problems.
But yet another caveat regarding the configuration is that if neither of
    ssl start_tls
    ssl on
is specified in the config then the tls_cacertdir setting will not
have any effect at all and instead get its value
from ldap.conf!!! This means that this configuration:
    uri http://127.0.0.1 https://some-host/
will hit a severe performance penalty for the https host. I do not know if
anyone uses such a configuration, but it is obviously possible!
Experiments show that the performance degradation has to do with the number
of files in the directory, not the number of certs. Using only one file
with all certs does not slow down nearly as much.
A fix for this problem would be to have libnss/pam-ldap:
* Not read in any certificates at startup
* Only read a cert based on its <hash>.0 when needed, just as
  ldapsearch et al. do.
* Not use the ldap.conf parameters
/Petter
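The following script is an added example (not from this report or from the libnss-ldap package) for the workaround above: it builds a separate, minimal tls_cacertdir containing only the CA certificates the LDAP client actually needs, stored under the <hash>.N naming that OpenSSL's CApath lookup (the lookup the report wants libnss-ldap to use) expects. It assumes the openssl command line tool is available; the self-signed test CA and the destination path are constructed for illustration only.

```shell
#!/bin/sh
# Build a slim hashed CA directory for libnss-ldap's tls_cacertdir so the
# library never has to scan the whole of /etc/ssl/certs.
# Assumption (not from the bug report): the openssl CLI is installed.
set -eu

# Install one PEM certificate into DEST as <subject_hash>.N, the layout
# OpenSSL's CApath lookup (and c_rehash) expects. N starts at 0 and is
# incremented only when a *different* cert already owns that hash.
install_ca() {
    cert=$1; dest=$2
    mkdir -p "$dest"
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dest/$hash.$n" ]; do
        # Identical file already present: report it, do not duplicate.
        if cmp -s "$cert" "$dest/$hash.$n"; then
            echo "$dest/$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dest/$hash.$n"
    echo "$dest/$hash.$n"
}

# Number of regular files in the directory: the metric the report
# identifies as driving the slowdown, so it should stay small.
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Create a throwaway self-signed CA (constructed test data) so the
# script can be exercised without touching a real PKI.
make_test_ca() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example libnss-ldap test CA" \
        -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Confirm that OpenSSL's hashed-directory lookup finds the CA in the slim
# directory, which is what the LDAP client's TLS handshake depends on.
verify_with_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Point tls_cacertdir (in both libnss-ldap.conf and ldap.conf, per the caveat above) at the resulting directory.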