Paul Blackburn wrote:
>The problem with using AFS authentication on a popserver
>is that, compared to local authentication, AFS authentication
>takes much more resource and time. It involves connecting
>to the AFS kaserver across the network.
>
>Typically, popserver users connect and login very frequently
>(perhaps every minute) just to check if they have new mail.
>All this login activity soon swamps a popserver that is
>using AFS login authentication.
It can be done, but you need to take into account the extra compute cycles you
will need. As one data point, we run a dual 400MHz PII as a kpop server for
~2000 mail accounts (which get krb5 tickets as well as AFS tokens). Right now
it runs about 80% CPU idle. I think by default users check mail every 5
minutes. As always, YMMV.
>One pragmatic solution I found was to change the login
>authentication on the popserver from AFS to local
>(encrypted password) files.
>
>The upside of this is that suddenly the login process
>is lightweight and much faster: the popserver is not
>overwhelmed by login activity.
>
>The downside is that users now have another password
>(the local one on the popserver) to remember and you
>must provide a mechanism for users to change their
>popserver local password.
>
>In any event, I would recommend you also look at using
>an IMAP server instead of a POP server.
IMAP helps the authentication situation significantly, because it creates
persistent connections. Regardless of whether you do IMAP or POP, PAG cleanup
is essential if you create a new PAG for each connection, which I would
recommend. A moderately busy server will create thousands of PAGs a day,
which will kill any amount of CPU you can throw at it if you don't do cleanup.
Our IMAP server used PAM (a good thing), but didn't call the authentication
destroy routines (a _very_ bad thing). 30,000 authenticated PAGs wandering
around in your kernel REALLY REALLY sucks. xstat_cm_test is your friend for
finding out things like this.
Dave