
Re: slapd's crypt usage is single threaded?



Jesse Hathaway wrote:
> From our testing it appears that slapd's usage of the crypt function, to check
> a user's password on a bind request, is single threaded, rather than being
> distributed across all of slapd's threads. We encountered this problem when
> bumping the number of hashing rounds for our password hashes from 5,000 to
> 500,000 as was suggested by our security team.

> Is it expected that the hashing of a user's password would be bound to one
> thread?

Depends entirely on whether or not your libc supports crypt_r() (reentrant crypt). If not, then yes, it has to be single-threaded because crypt() is not reentrant; it returns a pointer to static storage.

And of course, even if you use crypt_r() it's always possible that the underlying cipher is itself single-threaded. We have no way to know and no control over that.

> We ran our tests on a default install of slapd 2.4.44 on a Debian Jessie box
> with 8 cores.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
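
The reentrant path described in the reply above, as an added example (not code from the post or from OpenLDAP): each thread calls crypt_r() with its own zeroed `struct crypt_data`, so no static result buffer is shared. The password, setting string, thread count, helper names and the libcrypt sonames probed with dlopen() are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <crypt.h>
#include <dlfcn.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NTHREADS 8
#define PASSWORD "constructed-password"             /* constructed sample */
#define SETTING  "$6$rounds=5000$constructedsalt$"  /* constructed setting */
typedef char *(*crypt_r_fn)(const char *, const char *, struct crypt_data *);
static crypt_r_fn crypt_r_ptr;

/* Run-time probe: loaded symbols first, then libcrypt (sonames are assumed). */
static crypt_r_fn find_crypt_r(void) {
    const char *libs[] = { NULL, "libcrypt.so.1", "libcrypt.so.2" };
    for (size_t i = 0; !crypt_r_ptr && i < 3; i++) {
        void *h = dlopen(libs[i], RTLD_NOW);
        if (h) *(void **)&crypt_r_ptr = dlsym(h, "crypt_r");
    }
    return crypt_r_ptr;
}

/* Each thread owns a zeroed struct crypt_data: no shared static buffer. */
static void *hash_worker(void *arg) {
    struct crypt_data *cd = calloc(1, sizeof *cd);
    char *out = cd ? crypt_r_ptr(PASSWORD, SETTING, cd) : NULL;
    snprintf(arg, 256, "%s", out ? out : "");
    free(cd);
    return NULL;
}

/* -1 if crypt_r() is missing, else how many threads agree on a "$6$" hash. */
int concurrent_crypt_r_matches(void) {
    pthread_t tid[NTHREADS];
    char hash[NTHREADS][256] = {{0}};
    int started[NTHREADS], ok = 0;
    if (!find_crypt_r()) return -1;
    for (int i = 0; i < NTHREADS; i++)
        started[i] = pthread_create(&tid[i], NULL, hash_worker, hash[i]) == 0;
    for (int i = 0; i < NTHREADS; i++)
        if (started[i]) pthread_join(tid[i], NULL);
    for (int i = 0; i < NTHREADS; i++)
        ok += !strncmp(hash[i], "$6$", 3) && !strcmp(hash[i], hash[0]);
    return ok;
}
int main(void) {
    return printf("%d of %d hashes match\n", concurrent_crypt_r_matches(), NTHREADS) < 0;
}
```

Raising the rounds value in the setting string and timing the run against the thread count gives a rough check of whether the hashing spreads across cores on a given libc.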