Forskningsnettet i Norge
Test Summary

Web Authentication Through LIMS

Abstract

We have done some testing of web authentication using LDAP through LIMS. Specifically, we were interested in how a relatively large number of user accounts would affect response time. A short summary of our configuration and method follows, with a preliminary conclusion.


Software

LDAP library and server: OpenLDAP 2.0.23
  • Configured with --enable-referrals
Apache authentication module: auth_ldap 1.6.0
A few modifications have been made to the function ldap_authenticate_basic_user():
  • Specify use of LDAPv3, and that referrals should not be chased by the LDAP library itself.
  • Removed the explicit bind during the search phase.
  • If one or more referrals are returned during the search phase, the first referral is followed and the search phase is restarted.
    Note: While not an optimal solution (since the search is done both on the LIMS server and on the LDAP server), it allows us to postpone a rewrite of the auth_ldap caching mechanism. Additionally, the current solution allows auth_ldap to follow a chain of referrals, if necessary. Since the user's DN is looked up, and the user's password is then used to bind, on whichever server the referral points to, the LIMS server has to be trusted as much as the LDAP server itself.
The complete modified source can be found in auth_ldap-1.6.0-modified.tgz. A patch against 1.6.0 can be found in auth_ldap.c_diff.gz.
Note: There is a problem with the modified source/patch and TLS. An updated source will be made available soon.
Web server: Apache 1.3.23
  • Configured with --enable-module=so
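To make the modified search-then-bind flow concrete, the following is an added example that simulates it against in-memory mock servers; it is not the patched auth_ldap.c and does not speak LDAP on the wire. The host names match the servers listed in the next section, but the entries, the second index server, the referral-loop case and the hop limit are assumptions made for the illustration. The hop limit is a hardening the page does not describe: it bounds a chain of referrals so that two index servers pointing at each other cannot keep the module searching forever.

```python
# Added example: simulation of the modified auth_ldap search-then-bind flow.
# Not the page's patched auth_ldap.c; servers are in-memory mocks so it runs offline.
from typing import Dict, List


class Referral(Exception):
    """A search answered with referral URLs instead of entries."""

    def __init__(self, urls: List[str]):
        super().__init__(urls)
        self.urls = urls


class MockDirectory:
    """Stand-in for one LDAP server.

    entries:   DN -> attributes, for a server that holds the accounts.
    referrals: uid -> URLs, for an index server such as LIMS that only knows
               where an entry lives and answers the search with a referral.
    """

    def __init__(self, entries=None, referrals=None):
        self.entries = entries or {}
        self.referrals = referrals or {}

    def search_uid(self, uid: str) -> List[str]:
        """Subtree search for (uid=...) returning matching DNs, or raising Referral."""
        if uid in self.referrals:
            raise Referral(self.referrals[uid])
        return [dn for dn, attrs in self.entries.items() if attrs.get("uid") == uid]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only if the DN exists here and the password matches."""
        attrs = self.entries.get(dn)
        return attrs is not None and attrs.get("userPassword") == password


# url -> server, i.e. the hosts the module can "connect" to.
SERVERS: Dict[str, MockDirectory] = {}


def authenticate(start_url: str, uid: str, password: str, max_hops: int = 3):
    """What ldap_authenticate_basic_user() does after the modification:
    search for the user's DN; on a referral, switch to the first referred
    server and restart the search; once exactly one DN is found, bind as it
    with the password from the Basic auth header.

    max_hops is an assumed hardening, not in the page's patch: it stops a
    chain (or loop) of referrals from being followed indefinitely.
    Returns (ok, explanation).
    """
    url = start_url
    for hop in range(max_hops + 1):
        server = SERVERS.get(url)
        if server is None:
            return False, f"referral to unknown server {url}"
        try:
            dns = server.search_uid(uid)
        except Referral as ref:
            url = ref.urls[0]  # the patch follows the first referral only
            continue
        if len(dns) != 1:
            return False, f"{len(dns)} entries matched uid={uid} on {url}"
        # The password goes to whichever server the referral named, so the
        # index server decides who gets to see it.
        ok = server.bind(dns[0], password)
        return ok, f"bind as {dns[0]} on {url} after {hop} referral hop(s)"
    return False, f"gave up after {max_hops} referral hops (loop?)"


def build_testbed():
    """Constructed sample data: the two servers from the page plus an assumed
    second index server used only to demonstrate a referral loop."""
    ldap_url = "ldap://klungset.uninett.no/"
    lims_url = "ldap://ldap.uninett.no:1389/"
    other_index = "ldap://index2.example.invalid/"  # assumption
    SERVERS.clear()
    SERVERS[ldap_url] = MockDirectory(entries={
        "uid=usr0,dc=uninett,dc=no": {"uid": "usr0", "userPassword": "pwd0"},
        "uid=usr1,dc=uninett,dc=no": {"uid": "usr1", "userPassword": "pwd1"},
    })
    SERVERS[lims_url] = MockDirectory(referrals={
        "usr0": [ldap_url], "usr1": [ldap_url], "looper": [other_index]})
    SERVERS[other_index] = MockDirectory(referrals={"looper": [lims_url]})
    return ldap_url, lims_url


if __name__ == "__main__":
    ldap_url, lims_url = build_testbed()
    for url, uid, pw in [(ldap_url, "usr0", "pwd0"), (lims_url, "usr0", "pwd0"),
                         (lims_url, "usr1", "wrong"), (lims_url, "looper", "x")]:
        print(url, uid, authenticate(url, uid, pw))
```

Going through LIMS costs exactly one extra search (the referral hop) compared with asking the LDAP server directly, which is the cost the note above accepts in exchange for not rewriting the caching code.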

Servers

The following servers are involved:
LDAP: ldap://klungset.uninett.no/
LIMS: ldap://ldap.uninett.no:1389/
Web: http://klungset.uninett.no/
Because testing is ongoing, we make no guarantee that these servers stay available.


Preparations

  1. We generate an LDIF file with 500000 test user accounts, using the posixAccount object class.
    Each user entry follows the pattern
      dn: uid=usr<n>,dc=uninett,dc=no
      objectClass: posixAccount
      cn: Test User <n>
      gidNumber: -1
      homeDirectory: n/a
      loginShell: n/a
      userPassword: pwd<n>
    where <n> goes from 0 to 499999. This results in an LDIF file of approx. 88MB.
  2. The LDIF file is read into an ldbm database. The database is empty except for the dc=uninett,dc=no root.
    Takes approx. 13 minutes.
  3. The LIMS index (TIO) is generated from the LDIF.
    Takes approx. 1 hour and 13 minutes, resulting in a TIO file of about 16MB.
  4. The LIMS server is started and will read the TIO file.
    Takes approx. 9 minutes.
  5. Finally, we confirm that both the LDAP server and the web server are running.
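Steps 1 to 5 all start from the generated LDIF file, so here is a generator for it, as an added example that is not UNINETT's own script. It follows the entry pattern above but adds uid and uidNumber, because the posixAccount object class (RFC 2307) requires them alongside cn, gidNumber and homeDirectory and a schema-checking slapd would otherwise reject the entries; the pattern on the page is presumably abbreviated. The page stores userPassword in cleartext, which is fine for a load test; the optional hashed mode writes {SSHA} values instead, which is what a production directory should hold, and verify_ssha shows how such a value is checked. The output file name is an assumption.

```python
# Added example: generator for the test LDIF described in the Preparations
# section. Not UNINETT's own script; the output file name and the
# uid/uidNumber lines are assumptions (see the lead-in).
import base64
import hashlib
import hmac
import os
import sys

BASE_DN = "dc=uninett,dc=no"


def ssha(password: str, salt=None) -> str:
    """{SSHA} userPassword value as OpenLDAP stores it: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_entry(n: int, hashed: bool = False) -> str:
    """One posixAccount entry for test user n, following the page's pattern."""
    password = f"pwd{n}"
    lines = [
        f"dn: uid=usr{n},{BASE_DN}",
        "objectClass: posixAccount",
        f"cn: Test User {n}",
        f"uid: usr{n}",        # assumption: required by posixAccount, not in the page's pattern
        f"uidNumber: {n}",     # assumption: likewise
        "gidNumber: -1",
        "homeDirectory: n/a",
        "loginShell: n/a",
        f"userPassword: {ssha(password) if hashed else password}",
        "",                    # blank line separates LDIF entries
    ]
    return "\n".join(lines) + "\n"


def write_ldif(path: str, count: int, hashed: bool = False) -> int:
    """Write entries for n = 0 .. count-1 to path; return the byte count written."""
    total = 0
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        for n in range(count):
            entry = ldif_entry(n, hashed)
            fh.write(entry)
            total += len(entry)
    return total


def estimated_size(count: int) -> int:
    """Size the cleartext file would have for count users, without writing it."""
    return sum(len(ldif_entry(n)) for n in range(count))


if __name__ == "__main__":
    users = int(sys.argv[1]) if len(sys.argv) > 1 else 500000
    out = sys.argv[2] if len(sys.argv) > 2 else "testusers.ldif"   # assumed file name
    size = write_ldif(out, users)
    print(f"wrote {users} entries to {out}, {size / 1e6:.1f} MB")
```

Run it as `python gen_ldif.py 500000 testusers.ldif` and load the result with slapadd (or ldapadd) into the empty dc=uninett,dc=no database as in step 2. With hashed=True the password column can no longer be read back out of the directory, but the auth_ldap bind still works, since slapd compares the supplied password against the stored hash itself.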

Testing

A number of test pages can be found at http://klungset.uninett.no/~cato/, using both authentication directly against LDAP and authentication through LIMS.
Authentication directly against LDAP:
  • http://klungset.uninett.no/~cato/valid-user/
  • http://klungset.uninett.no/~cato/user/
Authentication through LIMS:
  • http://klungset.uninett.no/~cato/indexed/
To use LIMS instead of LDAP we only need to change the host and port in the AuthLDAPUrl directive. For example, the .htaccess used for http://klungset.uninett.no/~cato/indexed/ looks like this:

  AuthType basic
  AuthName "Authorization: require valid-user"
  AuthLDAPUrl ldap://ldap.uninett.no:1389/dc=no?uid?sub?(objectClass=posixAccount)
  require valid-user
Note that we explicitly specify some default values here, for clarity. Note also that with AuthType basic the browser sends the password base64-encoded, not encrypted, on every request, and that the module then binds to the LDAP server with that same password in cleartext. As long as the TLS problem with the modified module (see above) remains unfixed, this setup is suitable for testing only, not for protecting real accounts.


Conclusion

We have done preliminary testing using the above setup and sets of 1, 100000 and 500000 test users. So far we have not found any noticeable difference in response time between the differently sized user sets. Although the results are preliminary and not very accurate, they should give some idea of how the software performs under low load.

Another observation is that generating a LIMS index is relatively time consuming: about 1 hour and 13 minutes for 500000 entries, compared with 13 minutes to load the same LDIF into the ldbm database.

Finally, we note the need to modify the auth_ldap module in order for it to work with the LIMS server, and suspect that this may also hold true for other LDAP authentication clients, such as the pam_ldap module.


Future Activities

Following up the testing outlined here, we plan to:


cato.olsen@uninett.no 2003-05-09