From our testing it appears that slapd's usage of the crypt function, to check
a user's password on a bind request, is single threaded, rather than being
distributed across all of slapd's threads. We encountered this problem when
bumping the number of hashing rounds for our password hashes from 5,000 to
500,000 as was suggested by our security team.

Is it expected that the hashing of a user's password would be bound to one

We ran our tests on a default install of slapd 2.4.44 on a Debian Jessie box
with 8 cores.

# Running script with the butter user and 10,000,000 rounds of hashing:

  $ pidstat -t -p $(pgrep slapd) 5 3
  Average:      UID      TGID       TID    %usr %system  %guest
%CPU   CPU  Command
  Average:      108     28458         -  100.00    0.00    0.00
100.00     -  slapd
  Average:      108         -     28458    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     28459    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     28460    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     10679    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     10680    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     17988    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     17993    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     17998    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     18007   22.53    0.00    0.00
22.53     -  |__slapd
  Average:      108         -     19109   16.80    0.00    0.00
16.80     -  |__slapd
  Average:      108         -     19110    0.07    0.00    0.00
0.07     -  |__slapd
  Average:      108         -     19111    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     19112   60.73    0.00    0.00
60.73     -  |__slapd
  Average:      108         -     19113    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     27438    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     27439    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     27440    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     27441    0.00    0.00    0.00
0.00     -  |__slapd

# Running script with the bubbles user and 5,000 rounds of hashing:

  $ pidstat -t -p $(pgrep slapd) 5 3
  Average:      UID      TGID       TID    %usr %system  %guest
%CPU   CPU  Command
  Average:      108     28458         -  109.59    0.87    0.00
110.46     -  slapd
  Average:      108         -     28458    0.00    0.00    0.00
0.00     -  |__slapd
  Average:      108         -     28459    0.80    2.80    0.00
3.60     -  |__slapd
  Average:      108         -     28460    8.79    0.07    0.00
8.86     -  |__slapd
  Average:      108         -     10679    7.00    0.07    0.00
7.06     -  |__slapd
  Average:      108         -     10680    8.19    0.07    0.00
8.26     -  |__slapd
  Average:      108         -     17988    3.80    0.07    0.00
3.86     -  |__slapd
  Average:      108         -     17993    3.73    0.00    0.00
3.73     -  |__slapd
  Average:      108         -     17998    7.46    0.00    0.00
7.46     -  |__slapd
  Average:      108         -     18007    7.66    0.00    0.00
7.66     -  |__slapd
  Average:      108         -     19109    8.93    0.07    0.00
8.99     -  |__slapd
  Average:      108         -     19110    4.73    0.07    0.00
4.80     -  |__slapd
  Average:      108         -     19111    9.33    0.00    0.00
9.33     -  |__slapd
  Average:      108         -     19112    9.26    0.13    0.00
9.39     -  |__slapd
  Average:      108         -     19113    2.40    0.00    0.00
2.40     -  |__slapd
  Average:      108         -     27438    8.13    0.07    0.00
8.19     -  |__slapd
  Average:      108         -     27439    1.87    0.07    0.00
1.93     -  |__slapd
  Average:      108         -     27440    7.79    0.00    0.00
7.79     -  |__slapd
  Average:      108         -     27441    7.00    0.00    0.00
7.00     -  |__slapd

# Test ldif:

  $ cat example.ldif
  dn: o=example
  o: example
  objectclass: organization

  dn: ou=people, o=example
  ou: people
  objectclass: organizationalunit

  dn: ou=groups, o=example
  ou: groups
  objectclass: organizationalunit

  dn: cn=butter, ou=people, o=example
  objectclass: inetOrgPerson
  cn: butter
  sn: butter
  # 'everyone loves butter'
  uid: butter

  dn: cn=bubbles, ou=people, o=example
  objectclass: inetOrgPerson
  cn: bubbles
  sn: bubbles
  # 'everyone loves bubbles'
  uid: bubbles

  dn: cn=admin,o=example
  objectClass: simpleSecurityObject
  objectClass: organizationalRole
  cn: admin
  description: LDAP administrator
  structuralObjectClass: organizationalRole

# Test script:

  $ cat whoamis


  trap cleanup SIGINT

  cleanup() {
          kill -9 $(jobs -p)
          exit 1

  while true; do
          if [[ $(jobs | wc -l) -lt 8 ]]; then
                  ldapwhoami -x -D cn=${USER},ou=people,o=example -H
ldap://localhost -w "everyone loves ${USER}" >/dev/null &
                  wait -n
