Now, while you are mentioning this, I recall I have seen in an Ethereal
capture session that for each file there are two Kerberos authentication
requests (I do not use a keytab) - the first one failing.
As far as the SVN documentation goes, it seems to be the desired behavior
(auth check on each access).
I thought that turning on KrbSaveCredentials for mod_auth_kerb might
solve this, but I have not verified it afterwards. This should preserve
credentials until the request is served - the question is, what exactly
is one request from SVN's point of view and whether there has to be
special support for this feature from the authz_svn module.
Do you know how it is done in mod_auth_ldap? Does this module implement
credentials caching on its own? And if yes, for how long?
Tony Butt wrote:
> We run our server on a 2.8GHz Xeon processor running SuSE Enterprise
> Linux 9, running apache2.0.49 and subversion 1.2.3.
> Our authentication system uses mod_auth_kerb to refer to a Windows 2000
> domain controller, and authz_svn to control access to various parts of
> the repository. There seems to be a bottleneck with the interaction
> between mod_auth_kerb and mod_authz_svn, where the authentication
> information is not cached, but checked for EACH FILE in the repository
> that a transaction looks at.
> I found that something like 4 DNS lookups were also being performed
> for each file, and fixed most of that by hardcoding IP addresses into
> the krb.conf configuration file. This has reduced the server CPU load,
> but checkouts and log operations are still much slower than we would
> like, and something like 10x slower than using svn: protocol, with no
> authz_svn (and no auth_kerb). We like mod_auth_kerb for the single sign
> on ability it gives us, but the lack of credential caching is really
> killing our performance. We have experimented with bdb and fsfs
> backends, but found no definitive performance differences, so you might
> be able to gain a little there, but not much.
> In all likelihood, your problems are related to authentication and
> authorisation - maybe mod_auth_ldap would be better for you?
> Tony Butt
> CEA Technologies
> Canberra, Australia
Received on Sun Dec 25 03:16:58 2005