On Wed, 2007-09-19 at 10:26 -0400, Priest, James (NIH/NIEHS) [C] wrote:
> Recently we moved from a text file authorization to authenticating
> against Kerberos. Since we have done that - running 'svn log' has slowed
> down to the point it's really unusable.
>
> I've dug around through the web and the mailing list archives and found
> references to adding a "SVNPathAuthz Off" line - but most of these posts
> were old (2004) and it seemed to be a compromise and was wondering if
> this was still the best solution??
>
> If this is the only solution we'll probably have to make some changes to
> our repository organization to group the repos that need security vs.
> speed.
>
> Thanks,
> Jim
>
I found that some changes to your krb5.conf can help.
What really helped us was to replace any hostnames in krb5.conf with IP
addresses.

The mod_auth_krb implementation is fairly stateless - it doesn't
remember that you authenticated for a particular file in the same
transaction, and re-checks the Kerberos tickets each time. Some sort of
authentication cache would really help this (similar to mod_auth_ldap).

This means that each file accessed via subversion requires checking the
Kerberos authentication. If you have hostnames in krb5.conf, then the
DNS lookups are also redone. This meant about 3 network transmit/receive
pairs in addition to the actual file/data transfer to/from subversion.

We went from Win 2000 domain controllers to 2003 controllers earlier
this year, and something changed with the AD Kerberos processing there -
things became so slow that we had to give up mod_auth_krb, and use
mod_pam instead :-( If you are using Active Directory, you can also try
winbind - seems to run OK.

Tony Butt
CEA Technologies
Received on Fri Sep 21 04:14:41 2007
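
A check for the krb5.conf condition described in the reply above, as an added example that is not part of the original message: it lists the server entries in `[realms]` that are hostnames rather than IP literals, which are the ones that need a name lookup. The realm, hostnames, addresses and function names are constructed placeholders, and only the `kdc`, `admin_server`, `kpasswd_server` and `master_kdc` relations are examined.

```python
import ipaddress

SERVER_KEYS = {"kdc", "admin_server", "kpasswd_server", "master_kdc"}  # relations naming a server

# Constructed sample; EXAMPLE.COM, the hostnames and the addresses are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = 192.0.2.10
        kdc = [2001:db8::10]:88
        admin_server = dc1.example.com
    }
"""

def split_host(value):
    """Return the host part of 'host', 'host:port' or '[v6addr]:port'."""
    if value.startswith("["):
        return value[1:].partition("]")[0]
    if value.count(":") == 1:      # host:port; a bare IPv6 address has several colons
        return value.split(":")[0]
    return value

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hostname_entries(conf_text):
    """List (realm, key, value) for server entries given as hostnames."""
    findings, section, realm = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()     # start of a realm stanza
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in SERVER_KEYS and not is_ip_literal(split_host(value)):
                findings.append((realm, key, value))
    return findings
```

Calling `hostname_entries(open("/etc/krb5.conf").read())` on a real file, assuming that is where the configuration lives, returns the entries that would be candidates for the hostname-to-IP replacement.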