Jesse Hathaway wrote:
From our testing it appears that slapd's usage of the crypt function, to check
a user's password on a bind request, is single threaded, rather than being
distributed across all of slapds thread. We encountered this problem when
bumping the number of hashing rounds for our password hashes from 5,000 to
500,000 as was suggested by our security team.
Is it expected that the hashing of a users password would be bound to one
thread?
Depends entirely on whether or not your libc supports crypt_r() (reentrant
crypt). If not then yes, it has to be single-threaded because crypt() is not
reentrant, it returns a pointer to static storage.
And of course, even if you use crypt_r() it's always possible that the
underlying cipher is itself single-threaded. We have no way to know and no
control over that.
We ran our tests on a default install of of slapd 2.4.44 on Debian Jessie box
with 8 cores.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
