Slow response time for GSSAPI/Kerberos SASL bind operations.


Environment

Red Hat Directory Server (RHDS)

Issue

When LDAP clients perform SASL bind operations against Directory Server, the first SASL bind response from the server can be delayed; the access log shows a high etime on the RESULT line of the corresponding bind operation.

Resolution

The FQDNs of the host-based service principals can be added directly to /etc/hosts, so that name resolution is answered locally instead of through DNS lookups.

This can, however, be impractical and hard to maintain over time. In that case, service principal canonicalization can instead be configured in the [libdefaults] section of the Kerberos client configuration, /etc/krb5.conf, through the dns_canonicalize_hostname option: set it to false to disable DNS-based canonicalization entirely, or to fallback to canonicalize only for ticket requests that fail because the service principal is unknown.
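The following krb5.conf fragment is an added example and is not part of the original article; the realm name and host names are placeholders. It shows the [libdefaults] setting described above, with the fallback variant left commented out.

```ini
# /etc/krb5.conf on the LDAP client (added example; EXAMPLE.COM is a placeholder realm)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Disable DNS-based canonicalization of host-based service principals:
    # the getaddrinfo() forward lookup and the getnameinfo() reverse lookup
    # are skipped, so a slow resolver no longer delays the first GSSAPI bind.
    dns_canonicalize_hostname = false
    # Alternative, available in MIT krb5 1.18 and later: canonicalize only
    # when the KDC does not know the uncanonicalized service principal.
    # dns_canonicalize_hostname = fallback
```

With canonicalization disabled, the name the client uses to reach the LDAP server must already match the host part of the server's service principal (normally its FQDN); short names or CNAME aliases are no longer expanded, so bind attempts that relied on that expansion will fail with an unknown-principal error rather than being slow.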

More information and details can be found in the krb5.conf(5) manual page and the MIT Kerberos documentation.

Root Cause

The MIT krb5 client library canonicalizes host-based service principals by default. It first performs forward resolution, looking up the IPv4 and/or IPv6 addresses of the hostname with getaddrinfo(); this typically appends a domain suffix to a short hostname if needed and follows CNAME records in DNS. It then performs a reverse lookup on the first returned address with getnameinfo(), taking the name from the PTR record. Depending on how long the name service takes to answer, these lookups can delay the LDAP SASL bind response when the GSSAPI/Kerberos mechanism is used.

Diagnostic Steps

The indicator of this issue is the high etime on the RESULT line of the first SASL bind response, as in the following access log excerpt.

/var/log/dirsrv/slapd-EXAMPLE/access:

[DATETIME +0200] conn=890 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[DATETIME +0200] conn=890 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000223474 optime=5.051430614 etime=5.051652846, SASL bind in progress
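To spot this pattern across a whole access log rather than by eye, the script below pairs each GSSAPI SASL BIND line with its RESULT line (by conn and op) and reports the ones whose etime exceeds a threshold. This is an added example, not part of the article or of Directory Server; the embedded log lines are constructed, the one-second threshold is an arbitrary choice, and only the conn/op/etime fields shown in the article's log format are relied on.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample access log (not from the original article): a slow first
# GSSAPI bind step on conn=890, a fast second step, and an unrelated simple bind.
SAMPLE_ACCESS_LOG = """\
[05/Mar/2024:10:15:01.123456789 +0200] conn=890 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/Mar/2024:10:15:06.175000000 +0200] conn=890 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000223474 optime=5.051430614 etime=5.051652846, SASL bind in progress
[05/Mar/2024:10:15:06.180000000 +0200] conn=890 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[05/Mar/2024:10:15:06.190000000 +0200] conn=890 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.010000000 etime=0.010100000 dn="uid=alice,ou=people,dc=example,dc=com"
[05/Mar/2024:10:15:07.000000000 +0200] conn=891 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[05/Mar/2024:10:15:07.000500000 +0200] conn=891 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000050000 optime=0.000400000 etime=0.000450000 dn="cn=directory manager"
"""

# A SASL BIND line carries method=sasl and the mechanism name.
BIND_RE = re.compile(r"conn=(\d+) op=(\d+) BIND .*method=sasl .*mech=(\S+)")
# The RESULT line carries the total elapsed time in the etime field.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT .*etime=([\d.]+)")


def find_slow_sasl_binds(lines: Iterable[str], threshold: float = 1.0,
                         mech: str = "GSSAPI") -> List[dict]:
    """Return the SASL bind steps of the given mechanism whose etime >= threshold.

    Each entry records conn, op, etime and whether the server answered
    'SASL bind in progress' (i.e. the first step of a multi-step bind).
    """
    pending: Dict[Tuple[str, str], str] = {}   # (conn, op) -> BIND line awaiting its RESULT
    slow: List[dict] = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, bind_mech = m.groups()
            if bind_mech == mech:
                pending[(conn, op)] = line
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, etime = m.groups()
            if pending.pop((conn, op), None) is not None:
                elapsed = float(etime)
                if elapsed >= threshold:
                    slow.append({
                        "conn": conn,
                        "op": op,
                        "etime": elapsed,
                        "in_progress": "SASL bind in progress" in line,
                    })
    return slow


if __name__ == "__main__":
    # Run against the constructed sample; for a real server read
    # /var/log/dirsrv/slapd-<instance>/access line by line instead.
    for hit in find_slow_sasl_binds(SAMPLE_ACCESS_LOG.splitlines()):
        step = "first step" if hit["in_progress"] else "later step"
        print(f"conn={hit['conn']} op={hit['op']} etime={hit['etime']:.3f}s ({step})")
```

If only the first step (the RESULT carrying err=14 and "SASL bind in progress") is slow while later steps on the same connection are fast, the delay sits in the client's initial ticket acquisition, which is where the name canonicalization described under Root Cause happens; a slow second or third step would point elsewhere.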

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.