[sudo-users] Sudo performance with LDAP netgroups in /etc/sudoers
spinler.patrick at mayo.edu
Thu Jan 28 22:02:25 EST 2010
Sorry for continuing to follow up to myself. I've managed, with some
advice, to track down a likely culprit, and it's all in our configuration.
Our clients appear to experience some not insignificant delay
negotiating TLS encryption on the ldap channel. When I turn tls off in
my /etc/ldap.conf, my "sudo -l" times reliably fall to about 0.5
seconds. That's something very tolerable.
Now, I just need to figure out if there's a way to improve that.
Unfortunately for me, we can't just drop TLS/SSL.
-- Pat
Patrick Spinler wrote:
> Bugger. My apologies, I forgot some more critical information.
> Much of my testing was on the RHEL supplied versions of sudo, Sudo
> version 1.6.9p17 on my redhat 5.3 box, and Sudo version 1.6.7p5 on my
> RHEL 4.8 box.
> However, I've also compiled and tried Sudo version 1.7.2p1 on RHEL 4,
> and see almost identical performance characteristics as the 1.6.*
> versions on the same host.
> So unfortunately whatever's going on here seems to be the same in the
> latest versions of sudo.
> -- Pat
> Patrick Spinler wrote:
>> Hi all sudo knowledge gods. :-) I'd like to place a sudo performance
>> question before you.
>> We have an environment (using redhat enterprise linux 5.3 as my test
>> box) where I am using netgroups in my sudoers, like so:
>> +netgroup ALL=(ALL) NOPASSWD: ALL
>> and direct my netgroup database to use LDAP via /etc/nsswitch.conf, like so:
>> netgroup: files ldap
>> Unfortunately, in my test box, I'm seeing abysmal performance invoking
>> sudo, on the order of 4 seconds to run a "sudo -l"
>> I've established a very strong correlation between the number of
>> netgroups listed in /etc/sudoers and the invocation time. On my test
>> machine, with 15 netgroups listed, I had the 4 second invocation time
>> I just mentioned. When I reduced the number of netgroups to 7 by
>> combining lines using line continuation characters, my "sudo -l" time
>> dropped to an average 2.2 seconds over 10 tests.
>> Sure enough, when I examined my ldap server logs, I see an ldap search
>> for each listing of a netgroup in /etc/sudoers directly resulting from
>> any invocation of sudo. This includes several searches for the same
>> netgroup per invocation if the netgroup is listed multiple times. E.g.
>> +netgroup ALL=(root) /bin/su - tomcat
>> +netgroup ALL=(tomcat) ALL
>> would produce two searches with the ldap filter
>> "(&(objectClass=nisNetgroup)(cn=netgroup))" on my servers.
>> However, while there is a strong correlation between the number of ldap
>> searches and the experienced delay, that's not the whole story. My ldap
>> servers are, in fact, quite fast. I can run the following search (yes,
>> the duplication is intentional, intended to mirror the duplicate
>> netgroups in sudoers like above):
>> time for i in netgr1 netgr2 netgr2 netgr3 netgr3 netgr4 netgr4; do
>> ldapsearch -x "(&(objectClass=nisNetgroup)(cn=$i))"
>> done > /dev/null
>> in, on average, 0.14 seconds.
>> So, for 7 netgroups, it's a fair assumption that my 2.2 second "sudo -l"
>> spends < .2 seconds searching ldap for netgroups, and about 2 seconds
>> doing "something else".
>> Frustratingly, I haven't been able to profile this. The command:
>> time strace sudo -l
>> ends up complaining that:
>> write(2, "sudo: ", 6sudo: ) = 6
>> write(2, "must be setuid root", 19must be setuid root) = 19
>> write(2, "\n", 1
>> and so gives no useful information. :-(
>> Can anyone offer advice in tracing down the source of my delay?
>> -- Pat
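As an added diagnostic helper (not code from this thread or from the sudo project), the script below pulls the +netgroup references out of a sudoers file and counts how often each one appears, since the thread shows one LDAP search per listing, and then times a single getent lookup per unique name so the pure lookup cost can be compared against the "sudo -l" wall time. It assumes getent and GNU date are available; the sample sudoers text is constructed.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original thread.

# Print "count name" for every +netgroup reference in sudoers text read
# from stdin. Comments are stripped; a reference may sit in the user or
# host position, so the name is cut at ',', ':' or '='.
sudoers_netgroup_counts() {
    sed -e 's/#.*//' \
        | tr -s ' \t' '\n' \
        | grep '^+' \
        | sed -e 's/^+//' -e 's/[,:=].*//' \
        | sort | uniq -c \
        | awk '{print $1, $2}'
}

# Time one NSS netgroup lookup (files then ldap, per nsswitch.conf) per
# name given as an argument; prints "name milliseconds". Uses GNU date
# nanosecond output and POSIX shell arithmetic (assumed available).
time_netgroup_lookups() {
    for ng in "$@"; do
        start=$(date +%s%N)
        getent netgroup "$ng" >/dev/null 2>&1
        end=$(date +%s%N)
        printf '%s %d\n' "$ng" $(( (end - start) / 1000000 ))
    done
}

# Constructed sample mirroring the duplicate listings from the thread.
SAMPLE_SUDOERS='# constructed sample sudoers
Defaults env_reset
+netgroup ALL=(root) /bin/su - tomcat
+netgroup ALL=(tomcat) ALL
+dbadmins ALL=(ALL) NOPASSWD: ALL'

# Run the counter over the constructed sample (used for self-checking).
demo_counts() {
    printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_netgroup_counts
}

# On a live host you would run, for example:
#   sudoers_netgroup_counts < /etc/sudoers
#   time_netgroup_lookups $(sudoers_netgroup_counts < /etc/sudoers | awk '{print $2}')
demo_counts
```

The count column shows how many searches a single "sudo -l" would trigger for each netgroup; a name appearing more than once is a candidate for merging lines, as described above.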