Re: slapd's crypt usage is single threaded?

2018-02-16 Thread Jesse Hathaway
On Fri, Feb 16, 2018 at 12:54 PM, Howard Chu wrote:
> Depends entirely on whether or not your libc supports crypt_r() (reentrant
> crypt). If not then yes, it has to be single-threaded because crypt() is not
> reentrant, it returns a pointer to static storage.
>
> And of course, even if you use crypt_r() it's always possible that the
> underlying cipher is itself single-threaded. We have no way to know and no
> control over that.

Thanks Chu for the followup, I made the mistake of looking at the master
source code which includes crypt_r support rather than the source code for
2.4.44 which we are presently running. It appears you added support for
crypt_r on Sep 6, 2017 with commit afa861bf22, however that commit does not
appear in any tagged version, `git tag --contains afa861bf22`

Do you have any idea when a version with this commit might be released?

I compiled master with crypt_r support and the results are much better

  $ pidstat -t -p $(pgrep slapd) 5 3
  
  Average:      UID      TGID       TID    %usr %system  %guest    %CPU   CPU  Command
  Average:      108     15720         -  788.67    0.07    0.00  788.73     -  slapd
  Average:      108         -     15720    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     15721    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     15722   98.40    0.00    0.00   98.40     -  |__slapd
  Average:      108         -     19581   38.80    0.00    0.00   38.80     -  |__slapd
  Average:      108         -     19585   94.40    0.00    0.00   94.40     -  |__slapd
  Average:      108         -     19591   94.00    0.00    0.00   94.00     -  |__slapd
  Average:      108         -     19592   65.27    0.00    0.00   65.27     -  |__slapd
  Average:      108         -     19650   98.80    0.00    0.00   98.80     -  |__slapd
  Average:      108         -     19754   97.93    0.00    0.00   97.93     -  |__slapd
  Average:      108         -      2526   39.00    0.00    0.00   39.00     -  |__slapd
  Average:      108         -      3293   98.67    0.00    0.00   98.67     -  |__slapd
  Average:      108         -      4694   63.60    0.00    0.00   63.60     -  |__slapd



Re: slapd's crypt usage is single threaded?

2018-02-16 Thread Ryan Tandy

On Fri, Feb 16, 2018 at 12:01:37PM -0600, Jesse Hathaway wrote:

 # {CRYPT}$6$rounds=1000$ykk4zGD3ODNR$iMP/zYeisoWTYgxLtPv1qzoo/dVrYQLAb9sKlRMBgPTfFrr9lTzEEkJ9NcFdGI/MiRxHSx/1x3rnw3RkNRMer/
 # 'everyone loves butter'


Have you tested this using the native SHA-2 support (slapd-sha2 contrib 
module and {SSHA512}) instead of libc crypt?
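
An added example, not part of the original thread or of OpenLDAP: a small audit that reads an LDIF export and reports, per entry, the `userPassword` scheme and (for `{CRYPT}` values, the ones verified through libc crypt) the SHA-crypt rounds in effect. The sample entries and hash bodies are constructed placeholders; 5,000 is the SHA-crypt default when no `rounds=` field is present.

```python
import base64
import re

# Modular crypt format prefix: $id$[rounds=N$]salt$hash
MCF = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?")
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # applies to $5$/$6$ without a rounds= field

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit(ldif_text):
    """Return [(dn, scheme, crypt_id, rounds)] for each userPassword value."""
    report, dn = [], None
    for line in unfold(ldif_text):
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword:"):
            rest = line[len("userpassword:"):]
            if rest.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
            scheme, body = (m.group(1).upper(), m.group(2)) if m else ("CLEARTEXT", value)
            crypt_id = rounds = None
            c = MCF.match(body) if scheme == "CRYPT" else None
            if c:
                crypt_id = c.group("id")
                if c.group("rounds"):
                    rounds = int(c.group("rounds"))
                elif crypt_id in ("5", "6"):
                    rounds = SHA_CRYPT_DEFAULT_ROUNDS
            report.append((dn, scheme, crypt_id, rounds))
    return report

# Constructed sample input (placeholder salts and hash bodies, not real hashes).
def _b64(s):
    return base64.b64encode(s.encode()).decode()

_folded = _b64("{CRYPT}$6$rounds=500000$constructedsalt$" + "A" * 86)
SAMPLE = (
    "dn: cn=alpha, ou=people, o=example\n"
    "userPassword:: " + _folded[:40] + "\n " + _folded[40:] + "\n\n"
    "dn: cn=beta, ou=people, o=example\n"
    "userPassword:: " + _b64("{CRYPT}$6$constructedsalt$" + "B" * 86) + "\n\n"
    "dn: cn=gamma, ou=people, o=example\n"
    "userPassword: {SSHA512}Q09OU1RSVUNURUQ=\n"
)
```

Running `audit()` over a real export shows which accounts would pay the higher per-bind hashing cost after a rounds change and which are stored under a scheme slapd hashes natively.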




Re: slapd's crypt usage is single threaded?

2018-02-16 Thread Howard Chu

Jesse Hathaway wrote:
> From our testing it appears that slapd's usage of the crypt function, to check
> a user's password on a bind request, is single threaded, rather than being
> distributed across all of slapd's threads. We encountered this problem when
> bumping the number of hashing rounds for our password hashes from 5,000 to
> 500,000 as was suggested by our security team.
>
> Is it expected that the hashing of a user's password would be bound to one
> thread?

Depends entirely on whether or not your libc supports crypt_r() (reentrant 
crypt). If not then yes, it has to be single-threaded because crypt() is not 
reentrant, it returns a pointer to static storage.

And of course, even if you use crypt_r() it's always possible that the 
underlying cipher is itself single-threaded. We have no way to know and no 
control over that.

> We ran our tests on a default install of slapd 2.4.44 on a Debian Jessie box
> with 8 cores.




--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



slapd's crypt usage is single threaded?

2018-02-16 Thread Jesse Hathaway
From our testing it appears that slapd's usage of the crypt function, to check
a user's password on a bind request, is single threaded, rather than being
distributed across all of slapd's threads. We encountered this problem when
bumping the number of hashing rounds for our password hashes from 5,000 to
500,000 as was suggested by our security team.

Is it expected that the hashing of a user's password would be bound to one
thread?

We ran our tests on a default install of slapd 2.4.44 on a Debian Jessie box
with 8 cores.

# Running script with butter user and 10,000,000 rounds of hashing:

  $ pidstat -t -p $(pgrep slapd) 5 3
  
  Average:      UID      TGID       TID    %usr %system  %guest    %CPU   CPU  Command
  Average:      108     28458         -  100.00    0.00    0.00  100.00     -  slapd
  Average:      108         -     28458    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     28459    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     28460    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     10679    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     10680    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     17988    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     17993    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     17998    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     18007   22.53    0.00    0.00   22.53     -  |__slapd
  Average:      108         -     19109   16.80    0.00    0.00   16.80     -  |__slapd
  Average:      108         -     19110    0.07    0.00    0.00    0.07     -  |__slapd
  Average:      108         -     19111    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     19112   60.73    0.00    0.00   60.73     -  |__slapd
  Average:      108         -     19113    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     27438    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     27439    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     27440    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     27441    0.00    0.00    0.00    0.00     -  |__slapd

# Running script with bubbles user and 5,000 rounds of hashing:

  $ pidstat -t -p $(pgrep slapd) 5 3
  
  Average:      UID      TGID       TID    %usr %system  %guest    %CPU   CPU  Command
  Average:      108     28458         -  109.59    0.87    0.00  110.46     -  slapd
  Average:      108         -     28458    0.00    0.00    0.00    0.00     -  |__slapd
  Average:      108         -     28459    0.80    2.80    0.00    3.60     -  |__slapd
  Average:      108         -     28460    8.79    0.07    0.00    8.86     -  |__slapd
  Average:      108         -     10679    7.00    0.07    0.00    7.06     -  |__slapd
  Average:      108         -     10680    8.19    0.07    0.00    8.26     -  |__slapd
  Average:      108         -     17988    3.80    0.07    0.00    3.86     -  |__slapd
  Average:      108         -     17993    3.73    0.00    0.00    3.73     -  |__slapd
  Average:      108         -     17998    7.46    0.00    0.00    7.46     -  |__slapd
  Average:      108         -     18007    7.66    0.00    0.00    7.66     -  |__slapd
  Average:      108         -     19109    8.93    0.07    0.00    8.99     -  |__slapd
  Average:      108         -     19110    4.73    0.07    0.00    4.80     -  |__slapd
  Average:      108         -     19111    9.33    0.00    0.00    9.33     -  |__slapd
  Average:      108         -     19112    9.26    0.13    0.00    9.39     -  |__slapd
  Average:      108         -     19113    2.40    0.00    0.00    2.40     -  |__slapd
  Average:      108         -     27438    8.13    0.07    0.00    8.19     -  |__slapd
  Average:      108         -     27439    1.87    0.07    0.00    1.93     -  |__slapd
  Average:      108         -     27440    7.79    0.00    0.00    7.79     -  |__slapd
  Average:      108         -     27441    7.00    0.00    0.00    7.00     -  |__slapd

# Test ldif:

  $ cat example.ldif
  dn: o=example
  o: example
  objectclass: organization

  dn: ou=people, o=example
  ou: people
  objectclass: organizationalunit

  dn: ou=groups, o=example
  ou: groups
  objectclass: organizationalunit

  dn: cn=butter, ou=people, o=example
  objectclass: inetOrgPerson
  cn: butter
  sn: butter
  # {CRYPT}$6$rounds=1000$ykk4zGD3ODNR$iMP/zYeisoWTYgxLtPv1qzoo/dVrYQLAb9sKlRMBgPTfFrr9lTzEEkJ9NcFdGI/MiRxHSx/1x3rnw3RkNRMer/
  # 'everyone loves butter'
  userPassword:: e0NSWVBUfSQ2JHJvdW5kcz0xMDAwMDAwMCR5a2s0ekdEM09ETlIkaU1QL3pZZWlzb1dUWWd4THRQdjFxem9vL2RWcllRTEFiOXNLbFJNQmdQVGZGcnI5bFR6RUVrSjlOY0ZkR0kvTWlSeEhTeC8xeDNybnczUmtOUk1lci8=
  uid: butter

  dn: cn=bubbles, ou=people, o=example
  objectclass: inetOrgPerson
  cn: bubbles
  sn: bubbles
  #