Hi Everyone,
I'm running dovecot on a CentOS 7 box using PLAIN and GSSAPI auth. I need to use both because I have some clients that can't use GSSAPI.
I haven't been able to get the userdb working properly without a password file and a userdb file. For example, I have to set the home default and change the username_format.
I use FreeIPA and the dovecot server is joined properly to the realm. Authentication works (I don't have any passwords in the userdb file).
The problem is authentication is slow. When I use Roundcube, the login takes longer than it should. In fact, every operation (changing folders, opening an email, replying, etc.) is just slow. The web server where Roundcube is running is barely loaded, the dovecot server isn't loaded and the FreeIPA server is basically sitting idle.
When I watch /var/log/secure as I login to roundcube, I see this in the logs:
Why is pam_unix being hit and then pam_sss? I'm thinking the pam_unix failures are the reason why the auth is slow.
Here's the output from dovecot -n:
I'm sure I haven't configured something correctly, hence the performance problems.
Any help would be appreciated.
-- Ranbir
Sent from my iPhone
On Jun 7, 2016, at 11:07 AM, Ranbir m3freak@thesandhufamily.ca wrote:
Hi Everyone,
I'm running dovecot on a CentOS 7 box using PLAIN and GSSAPI auth. I need to use both because I have some clients that can't use GSSAPI.
I haven't been able to get the userdb working properly without a password file and a userdb file. For example, I have to set the home default and change the username_format.
I use FreeIPA and the dovecot server is joined properly to the realm. Authentication works (I don't have any passwords in the userdb file).
The problem is authentication is slow. When I use Roundcube, the login takes longer than it should. In fact, every operation (changing folders, opening an email, replying, etc.) is just slow. The web server where Roundcube is running is barely loaded, the dovecot server isn't loaded and the FreeIPA server is basically sitting idle.
When I watch /var/log/secure as I login to roundcube, I see this in the logs:
Why is pam_unix being hit and then pam_sss? I'm thinking the pam_unix failures are the reason why the auth is slow.
You have Pam as your passdb driver.
Here's the output from dovecot -n:
I'm sure I haven't configured something correctly, hence the performance problems.
Any help would be appreciated.
-- Ranbir
On June 7, 2016 at 9:06 PM Ranbir m3freak@thesandhufamily.ca wrote:
On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
You have Pam as your passdb driver.
Yes, because I have to. How else would I get Dovecot to authenticate users against my FreeIPA server?
-- Ranbir
LDAP does come into mind... IPA after all IS ldap based. It's what sssd uses as well.
Aki Tuomi
We had this issue as well - switch your primary authentication to LDAP and make sure it is attempting those auth sources first before any PAM sources. You also don’t need to have your Dovecot server joined to the domain by doing it this way, which is nice.
We were previously using PAM auth through Kerberos as a method of authenticating from our LDAP servers. I can’t remember the reason why we decided to go with Dovecot->LDAP (no mediating auth service in between), but the performance was significantly faster.
Or, you can also try PAM using Kerberos, instead of WInbind (or whatever you are using with PAM). Just a thought.
~ Laz Peterson Paravis, LLC
On Jun 7, 2016, at 11:16 AM, aki.tuomi@dovecot.fi wrote:
On June 7, 2016 at 9:06 PM Ranbir m3freak@thesandhufamily.ca wrote:
On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
You have Pam as your passdb driver.
Yes, because I have to. How else would I get Dovecot to authenticate users against my FreeIPA server?
-- Ranbir
LDAP does come into mind... IPA after all IS ldap based. It's what sssd uses as well.
Aki Tuomi
On Tue, 2016-06-07 at 11:24 -0700, Laz C. Peterson wrote:
Or, you can also try PAM using Kerberos, instead of WInbind (or whatever you are using with PAM). Just a thought.
So I did a tad bit more research because I didn't want to configure Dovecot to use LDAP. I wanted to use pam because the dovecot pam module would continue to be used. It's just easier that way!
Anyway, I noticed this option for the pam driver in passdb:
cache_key=<key>
I ended up adding this to the "args" list:
cache_key=%u%n
I also set these:
auth_cache_size = 1024 auth_cache_ttl = 1 hour auth_cache_negative_ttl = 0
Now Roundcube is flying again, just like it was before I made Dovecot use FreeIPA. The slow auth issue is gone.
Thanks for listening!
-- Ranbir
Sent from my iPhone
On Jun 7, 2016, at 1:06 PM, Ranbir m3freak@thesandhufamily.ca wrote:
On Tue, 2016-06-07 at 11:45 -0500, Edgar Pettijohn wrote:
You have Pam as your passdb driver.
Yes, because I have to. How else would I get Dovecot to authenticate users against my FreeIPA server?
Sorry. Thought you were asking why it was using Pam.
-- Ranbir
participants (4)
-
aki.tuomi@dovecot.fi
-
Edgar Pettijohn
-
Laz C. Peterson
-
Ranbir