Re: Changing timeouts from a slapd module
- To: dee heffem <dheffem@gmail.com>
- Subject: Re: Changing timeouts from a slapd module
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 22 May 2019 15:50:15 +0200
- Cc: OpenLDAP Technical <openldap-technical@openldap.org>
On 5/22/19 3:28 PM, dee heffem wrote:
> On 5/21/19 4:31 PM, Michael Ströder wrote:
>> Is your overlay processing a single bind operation?
>>
>> AFAIK the slapd worker thread is blocked for the whole processing time
>> of a single bind operation. Thus I have some doubts that you want to
>> implement an auth mechanism with such asynchronous characteristics in an
>> overlay.
>
> Yes. Also, I now see what you mean. Testing simultaneous auth sessions
> was the next TODO after increasing the timeout. Alas, as you mention,
> when two users attempt a bind (ldapsearch -D for instance) User #2 does
> not get a push request until User #1 has finished auth. Blasted thing.

I would not expect the 2nd request to block. I would expect the n+1 bind
operation to block with n being the value configured with slapd.conf
directive 'threads'.

> Can lutil_passwd_add() be told to run in another thread or something?
> Perhaps this is just digging a hole deeper however.

Each request is processed by a slapd worker-thread. But this means that
when setting

  threads n

in your slapd.conf only max. n bind operations can wait for push
message. The next one will block.

BTW: Not sure about the capabilities of the 2FA service you're using.
Such a service might serialize all your calls or have some other type of
rate-limiting in place.

Ciao, Michael.
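
The worker-pool behaviour discussed in this message can be modelled with a small scheduling simulation. This is an added example, not code from the thread or from OpenLDAP; `simulate_binds` and its parameters are hypothetical names, and it assumes binds are served in arrival order and that nothing else competes for the worker threads.

```python
import heapq


def simulate_binds(threads, binds):
    """Model a pool of `threads` workers, each held for a whole bind.

    binds: list of (arrival, push_wait) tuples in seconds, where push_wait
    is how long the overlay blocks waiting for the push approval.
    Returns one (start, finish, queued_for) tuple per bind, in input order.
    """
    if threads < 1:
        raise ValueError("threads must be at least 1")

    # Min-heap holding the time at which each worker becomes free again.
    free_at = [0] * threads
    heapq.heapify(free_at)

    results = [None] * len(binds)
    # Assumption: requests are picked up strictly in arrival order (FIFO).
    for i in sorted(range(len(binds)), key=lambda k: binds[k][0]):
        arrival, push_wait = binds[i]
        worker_free = heapq.heappop(free_at)   # earliest available worker
        start = max(arrival, worker_free)      # wait if the pool is busy
        finish = start + push_wait             # worker is blocked until here
        heapq.heappush(free_at, finish)
        results[i] = (start, finish, start - arrival)
    return results


# Constructed sample: three users bind one second apart; the push
# approvals take 30 s, 20 s and 5 s respectively.
SAMPLE_BINDS = [(0, 30), (1, 20), (2, 5)]

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"threads {n}:")
        for user, (start, finish, queued) in enumerate(
                simulate_binds(n, SAMPLE_BINDS), 1):
            print(f"  user {user}: start={start}s finish={finish}s "
                  f"queued={queued}s")
```

In this model the third bind starts immediately with a pool of 3, but with a pool of 2 it is not picked up until the first worker frees up, even though its own approval takes only 5 seconds.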