Fwd: mech_step takes long to return

2007-10-24 Thread Aditya Khasnis
Hello Michael,

I changed DEV_RANDOM to /dev/urandom in saslutil.c; somehow the change in 
config.h was not affecting the SASL library when I tried this yesterday (as 
per Rudy's suggestion). I will check why this happened.

The good news is we are able to get the search results back in a normal 
fashion i.e. quickly.

Should we file a request to take this AIX problem into consideration in the 
SASL code? I think everyone who will use the SASL library on AIX 5.2 will 
face the same issue.

I am very thankful to Rudy and you for the help provided, we highly appreciate 
the help.

Thanks and Regards,
Aditya

--  Forwarded Message  --

Subject: Re: Fwd: mech_step takes long to return
Date: Wednesday 24 October 2007 09:19
From: Aditya Khasnis [EMAIL PROTECTED]
To: Michael Bacon [EMAIL PROTECTED]
Cc: Rudy Gevaert [EMAIL PROTECTED], cyrus-devel@lists.andrew.cmu.edu

Thanks for your inputs Michael. I will try out a few things and let you know
how it goes.

Regards,
Adi

-Original Message-
 Re: Fwd: mech_step takes long to return
 From : Michael Bacon [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], Rudy Gevaert [EMAIL PROTECTED]
 CC: cyrus-devel@lists.andrew.cmu.edu
 Date: Tuesday 23 October 2007 21:39

 It looks like AIX 5.2 has a new implementation of /dev/urandom, and that
 other applications are seeing slowness in the device:

 http://www.webservertalk.com/archive92-2004-5-151843.html

 Not much that SASL can do if the OS won't give it randomness quickly.

 -Michael

 --On Tuesday, October 23, 2007 5:59 PM +0530 Aditya Khasnis
 [EMAIL PROTECTED] wrote:
  Thank you for your suggestion Rudy, I changed the config.h as mentioned
  but the performance didn't improve.
 
  It still takes a long time in mech_step. Should I check anything else?
 
  Regards,
  Aditya
 
  -Original Message-
   Re: Fwd: mech_step takes long to return
   From : Rudy Gevaert [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   CC: cyrus-devel@lists.andrew.cmu.edu
   Date: Tuesday 23 October 2007 17:44
 
  Aditya Khasnis wrote:
   Hello,
  
   We have a LDAP server that uses Cyrus SASL library v 1.5.27.
  
   On AIX 5.2, we observe that the SASL searches take long to return. The
   behavior is such that the first SASL search that we fire returns fast
   but the subsequent search takes long time to return.
  
   I have tried to debug SASL library and in the place where it takes
   long is the function sasl_server_start(), and exact location is line
   1205.
  
   It will be great if you could provide us any guidance to
   debug the problem. The mechanism we are using in the search is
   DIGEST-MD5.
 
  Slowdown in Sasl is most of the time related to the lack of entropy.
 
  Q: I'm having performance problems on each authentication, there is a
  noticeable slowdown when sasl initializes, what can I do?
 
   A: libsasl reads from /dev/random as part of its initialization.
  /dev/random is a secure source of entropy, and will block your
  application until a sufficient amount of randomness has been collected
  to meet libsasl's needs.
 
   To improve performance, you can change DEV_RANDOM in config.h to be
  /dev/urandom and recompile libsasl. /dev/urandom offers less secure
  random numbers but should return immediately. The included mechanisms,
  besides OTP and SRP, use random numbers only to generate nonces, so
  using /dev/urandom is safe if you aren't using OTP or SRP.
 
  (http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)

---


Re: Fwd: mech_step takes long to return

2007-10-23 Thread Rudy Gevaert

Aditya Khasnis wrote:

Hello,

We have a LDAP server that uses Cyrus SASL library v 1.5.27.

On AIX 5.2, we observe that the SASL searches take long to return. The
behavior is such that the first SASL search that we fire returns fast but the
subsequent search takes long time to return.

I have tried to debug SASL library and in the place where it takes long is
 the function sasl_server_start(), and exact location is line 1205.

It will be great if you could provide us any guidance to debug
the problem. The mechanism we are using in the search is DIGEST-MD5.


Slowdown in Sasl is most of the time related to the lack of entropy.

Q: I'm having performance problems on each authentication, there is a 
noticeable slowdown when sasl initializes, what can I do?


A: libsasl reads from /dev/random as part of its initialization. 
/dev/random is a secure source of entropy, and will block your 
application until a sufficient amount of randomness has been collected 
to meet libsasl's needs.


To improve performance, you can change DEV_RANDOM in config.h to be 
/dev/urandom and recompile libsasl. /dev/urandom offers less secure 
random numbers but should return immediately. The included mechanisms, 
besides OTP and SRP, use random numbers only to generate nonces, so 
using /dev/urandom is safe if you aren't using OTP or SRP.


(http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)

--
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Rudy Gevaert  [EMAIL PROTECTED]  tel:+32 9 264 4734
Directie ICT, afd. Infrastructuur   ICT Department, Infrastructure office
Groep Systemen                      Systems group
Universiteit Gent                   Ghent University
Krijgslaan 281, gebouw S9, 9000 Gent, Belgie   www.UGent.be
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --


Re: Fwd: mech_step takes long to return

2007-10-23 Thread Aditya Khasnis
Thank you for your suggestion Rudy, I changed the config.h as mentioned but the 
performance didn't improve.

It still takes a long time in mech_step. Should I check anything else?

Regards,
Aditya

-Original Message- 
 Re: Fwd: mech_step takes long to return 
 From : Rudy Gevaert [EMAIL PROTECTED] 
 To: [EMAIL PROTECTED] 
 CC: cyrus-devel@lists.andrew.cmu.edu 
 Date: Tuesday 23 October 2007 17:44 


 Aditya Khasnis wrote:
  Hello,
 
  We have a LDAP server that uses Cyrus SASL library v 1.5.27.
 
  On AIX 5.2, we observe that the SASL searches take long to return. The
  behavior is such that the first SASL search that we fire returns fast but
  the subsequent search takes long time to return.
 
  I have tried to debug SASL library and in the place where it takes long
  is the function sasl_server_start(), and exact location is line 1205.
 
  It will be great if you could provide us any guidance to
  debug the problem. The mechanism we are using in the search is
  DIGEST-MD5.

 Slowdown in Sasl is most of the time related to the lack of entropy.

 Q: I'm having performance problems on each authentication, there is a
 noticeable slowdown when sasl initializes, what can I do?

  A: libsasl reads from /dev/random as part of its initialization.
 /dev/random is a secure source of entropy, and will block your
 application until a sufficient amount of randomness has been collected
 to meet libsasl's needs.

  To improve performance, you can change DEV_RANDOM in config.h to be
 /dev/urandom and recompile libsasl. /dev/urandom offers less secure
 random numbers but should return immediately. The included mechanisms,
 besides OTP and SRP, use random numbers only to generate nonces, so
 using /dev/urandom is safe if you aren't using OTP or SRP.

 (http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html)