[CentOS] Slow authentication on C7

James Hogarth james.hogarth at gmail.com
Tue Apr 12 19:33:38 UTC 2016 

On 12 April 2016 at 18:03, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

>
> On Tue, April 12, 2016 11:57 am, m.roth at 5-cent.us wrote:
> > James Hogarth wrote:
> >> On 12 Apr 2016 16:29, "Scott Robbins" <scottro11 at gmail.com> wrote:
> >>> On Tue, Apr 12, 2016 at 09:45:17AM +0200, Marcin Trendota wrote:
> >>> > W dniu 11.04.2016 o 20:07, Scott Robbins pisze:
> > <SNIP>
> >> After various testing I ended up going with the Apache LDAP cache module
> >> and doing the auth at the Apache level, not system.
> >>
> >> Was far better in performance with the SVN server being hit
> >> fairly hard. I can try and dig out an example configuration if
> >> you would like.
> >>
> >> The bonus here as well is that svn users are separated cleanly
> >>  from system users... No reason for a dev to have a shell account
> >> on there ;)
> >
> > I'd be *very* interested in that configuration, if you post it here, or
> > offlist, to me.
>
> Me too. Please, post for everyone, or add me to off-list message.
>
> Valeri
>
>
>
The CA.crt assumes that is used to sign the LDAPS certs ... replace as
required ;)
This assumes multiple SVN repos under /srv/svn/repos
This includes a local userfile for any quick hacks or system things that
you don't want to hit LDAP for - can be removed.
This also allows fallback from one server to another if need be, note that
it will need to timeout on the first though.
This took a fair chunk of load off of our LDAP server and made checkouts a
far more pleasant experience.

Bonus points if you get your CM to change ordering of LDAP servers between
repos (or other web auth) ;)
_____________________________________________________________

LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/CA.crt

# Enable caching by mod_ldap
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<Location /ldap-status>
  SSLRequire true
  SetHandler ldap-status
</Location>

<Location /repos>
   DAV svn
   SVNParentPath /srv/svn/repos
</Location>

<Location /repos/repo1>
  SSLRequireSSL
  AuthName "SVN Repo 1"
  AuthType Basic
  AuthLDAPBindDN cn=svnbind,cn=systemusers,dc=example,dc=com
  AuthLDAPBindPassword plaintextpassword
  AuthUserFile /etc/httpd/svnpasswd

  AuthLDAPURL "ldaps://ldapserver1.example.com/dc=example,dc=com?uid
 ldaps://ldapserver2.example.com/dc=example,dc=com?uid "

  AuthBasicProvider  file ldap
  AuthzLDAPAuthoritative off
  AuthLDAPGroupAttribute  member
  AuthLDAPGroupAttributeIsDN On

  # READ
  <Limit OPTIONS PROPFIND GET REPORT>
    Require ldap-group cn=dev,cn=groups,dc=example,dc=com
    Require ldap-group cn=qa,cn=groups,dc=example,dc=com
  </Limit>
  # WRITE
  <LimitExcept OPTIONS PROPFIND GET REPORT>
    Require ldap-group cn=dev,cn=groups,dc=example,dc=com
  </LimitExcept>
</Location>

More information about the CentOS mailing list