Slow response time for GSSAPI/Kerberos SASL bind operations.
Environment
Red Hat Directory Server (RHDS)
Issue
When LDAP clients perform SASL bind operations against Directory Server, the first SASL bind response from the server can get delayed, with the access log showing a high etime for the corresponding bind operation result.
Resolution
The FQDNs of the host-based service principals can be added directly to /etc/hosts to avoid DNS lookups and speed up name resolution.
Sometimes, however, this is impractical and difficult to maintain over time. In such situations the service principal canonicalization behaviour can instead be changed in the [libdefaults] section of the Kerberos configuration /etc/krb5.conf via the dns_canonicalize_hostname option, which can be set either to false, to disable canonicalization using DNS, or to fallback, to enable it only for ticket requests that fail because the service principal is unknown.
More information and details can be found in the MIT Kerberos documentation.
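The following is an added example, not Red Hat's or MIT's code: a small checker that reads the [libdefaults] section of a krb5.conf-style file and reports the effective dns_canonicalize_hostname value, so the default (true, DNS lookup on every host-based principal) can be told apart from the false and fallback settings described above. The two configurations embedded in it are constructed samples; the boolean spellings accepted (yes/no, on/off, 1/0) are those of the MIT profile parser.

```python
"""Report the effective dns_canonicalize_hostname setting of a krb5.conf.

Added example, not Red Hat's or MIT krb5's code. Only the flat
'key = value' lines of [libdefaults] are parsed; krb5.conf is not strict
INI (realm stanzas use braces), so configparser is deliberately not used.
"""
import re
from typing import Dict

# Constructed sample: option left unset, so the MIT default (true) applies and
# every host-based service principal is canonicalized through DNS.
KRB5_CONF_DEFAULT = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: canonicalization limited to the fallback case, i.e. only
# when a ticket request fails because the service principal is unknown.
KRB5_CONF_FALLBACK = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_canonicalize_hostname = fallback

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Boolean spellings understood by the MIT profile library.
TRUE_WORDS = {"true", "t", "yes", "y", "on", "1"}
FALSE_WORDS = {"false", "f", "no", "n", "off", "0"}


def libdefaults(conf_text: str) -> Dict[str, str]:
    """Return the key/value pairs found in the [libdefaults] section."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                 # a new section starts
            in_section = m.group(1) == "libdefaults"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def canonicalization_setting(conf_text: str) -> str:
    """Return 'true', 'false' or 'fallback'; unset means the MIT default, true."""
    raw = libdefaults(conf_text).get("dns_canonicalize_hostname", "true").lower()
    if raw == "fallback":
        return "fallback"
    if raw in TRUE_WORDS:
        return "true"
    if raw in FALSE_WORDS:
        return "false"
    raise ValueError(f"unrecognised dns_canonicalize_hostname value: {raw!r}")


def needs_attention(conf_text: str) -> bool:
    """True when every host-based principal lookup will go through DNS."""
    return canonicalization_setting(conf_text) == "true"


if __name__ == "__main__":
    for name, text in (("default", KRB5_CONF_DEFAULT), ("fallback", KRB5_CONF_FALLBACK)):
        print(f"{name}: dns_canonicalize_hostname={canonicalization_setting(text)}, "
              f"DNS lookup on every bind: {needs_attention(text)}")
```

To check a real host, read /etc/krb5.conf into a string and pass it to canonicalization_setting(); note that /etc/krb5.conf.d/ snippets are not merged by this checker.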
Root Cause
The MIT krb5 client library canonicalizes host-based service principals by default. This is accomplished by performing forward resolution, looking up the IPv4 and/or IPv6 addresses of the hostname using getaddrinfo(). This will typically add a domain suffix to the hostname if needed and follow CNAME records in the DNS. Then a reverse lookup is also performed on the first returned Internet address using getnameinfo(), finding the name associated with the PTR record. Depending on the name service resolution response time, these lookup operations can affect the LDAP SASL bind response time when the GSSAPI/Kerberos mechanism is used.
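As an added example (not MIT krb5's code), the script below performs the same two resolver steps the root cause describes, a forward getaddrinfo() followed by getnameinfo() on the first returned address, through Python's socket module and times each step, so the cost of name resolution for a given service host can be measured on the client in isolation from Directory Server. The 1-second threshold in is_slow() is an assumed value, not one from the page.

```python
"""Time the forward and reverse lookups MIT krb5 performs when canonicalizing
a host-based service principal.

Added example, not MIT krb5's code: it calls the libc resolver functions the
root cause names (getaddrinfo, then getnameinfo on the first address) through
Python's socket module so slow name resolution can be measured directly.
"""
import socket
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Canonicalization:
    requested: str
    addresses: List[str] = field(default_factory=list)
    canonical: Optional[str] = None      # name the principal would end up with
    forward_seconds: float = 0.0
    reverse_seconds: float = 0.0
    error: Optional[str] = None

    @property
    def total_seconds(self) -> float:
        return self.forward_seconds + self.reverse_seconds


def canonicalize(hostname: str) -> Canonicalization:
    """Forward lookup, then reverse lookup of the first address, in the order
    the krb5 client library uses."""
    result = Canonicalization(requested=hostname)

    # Step 1: forward resolution. AI_CANONNAME makes the resolver apply the
    # search domain and follow CNAMEs, as described in the root cause.
    t0 = time.perf_counter()
    try:
        infos = socket.getaddrinfo(hostname, None, flags=socket.AI_CANONNAME)
    except socket.gaierror as exc:
        result.forward_seconds = time.perf_counter() - t0
        result.error = f"getaddrinfo: {exc}"
        return result
    result.forward_seconds = time.perf_counter() - t0
    # getaddrinfo returns one entry per socket type; keep unique addresses in order
    result.addresses = list(dict.fromkeys(info[4][0] for info in infos))
    result.canonical = infos[0][3] or hostname   # canonname is set on the first entry

    # Step 2: reverse resolution (PTR record) of the first address. Without
    # NI_NAMEREQD the call returns the numeric address when no PTR exists.
    t0 = time.perf_counter()
    try:
        name, _ = socket.getnameinfo((result.addresses[0], 0), 0)
        result.canonical = name
    except socket.gaierror as exc:
        result.error = f"getnameinfo: {exc}"
    result.reverse_seconds = time.perf_counter() - t0
    return result


def is_slow(result: Canonicalization, threshold_seconds: float = 1.0) -> bool:
    """Assumed threshold: resolution slower than this would be visible as bind etime."""
    return result.total_seconds > threshold_seconds


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["localhost"]:
        r = canonicalize(host)
        print(f"{host}: canonical={r.canonical} addresses={r.addresses} "
              f"forward={r.forward_seconds:.3f}s reverse={r.reverse_seconds:.3f}s "
              f"slow={is_slow(r)} error={r.error}")
```

Run it with the FQDN used in the ldap/ service principal of the Directory Server host; if the forward or reverse step takes seconds here, the bind delay is in name resolution rather than in the server.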
Diagnostic Steps
Here the high etime of the first SASL bind response can be spotted as the issue indicator.
/var/log/dirsrv/slapd-EXAMPLE/access:
[DATETIME +0200] conn=890 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[DATETIME +0200] conn=890 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000223474 optime=5.051430614 etime=5.051652846, SASL bind in progress
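The following is an added example, not Red Hat's own tooling: a parser that pairs each GSSAPI BIND line in a Directory Server access log with the RESULT line carrying the same conn/op identifiers and reports the binds whose etime exceeds a threshold, so the indicator above can be found across a whole log rather than by eye. The log lines embedded in it are constructed samples in the format shown above (placeholder timestamps, a constructed second GSSAPI round trip and a simple bind for contrast); the 1-second threshold is an assumption.

```python
"""Find slow GSSAPI SASL bind operations in a Directory Server access log.

Added example, not Red Hat's code. A BIND line and its RESULT line share the
conn= and op= numbers, so the two are joined on that pair before the etime
of the RESULT is compared against a threshold.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log in the access-log format quoted above.
SAMPLE_ACCESS_LOG = """\
[DATETIME +0200] conn=890 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[DATETIME +0200] conn=890 op=0 RESULT err=14 tag=97 nentries=0 wtime=0.000223474 optime=5.051430614 etime=5.051652846, SASL bind in progress
[DATETIME +0200] conn=890 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[DATETIME +0200] conn=890 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.000180112 optime=0.002201531 etime=0.002381643 dn="uid=alice,ou=people,dc=example,dc=com"
[DATETIME +0200] conn=891 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[DATETIME +0200] conn=891 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000101200 optime=0.000800400 etime=0.000901600
"""

BIND_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) BIND .*?method=(?P<method>\S+)"
    r"(?: version=\d+)?(?: mech=(?P<mech>\S+))?"
)
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) .*?etime=(?P<etime>[0-9.]+)"
)


def slow_gssapi_binds(log_text: str, threshold_seconds: float = 1.0) -> List[dict]:
    """Return one record per GSSAPI bind whose RESULT etime exceeds the threshold."""
    pending: Dict[Tuple[str, str], dict] = {}   # (conn, op) -> bind awaiting its RESULT
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            if m.group("mech") == "GSSAPI":      # simple and other SASL binds are ignored
                pending[(m.group("conn"), m.group("op"))] = {
                    "conn": int(m.group("conn")),
                    "op": int(m.group("op")),
                    "mech": m.group("mech"),
                }
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        bind = pending.pop((m.group("conn"), m.group("op")), None)
        if bind is None:
            continue
        etime = float(m.group("etime"))
        if etime > threshold_seconds:
            # err=14 is LDAP_SASL_BIND_IN_PROGRESS: the first GSSAPI round trip
            bind["err"] = int(m.group("err"))
            bind["etime"] = etime
            bind["in_progress"] = "SASL bind in progress" in line
            findings.append(bind)
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for f in slow_gssapi_binds(text):
        print(f"conn={f['conn']} op={f['op']} err={f['err']} etime={f['etime']:.3f}s "
              f"first-round-trip={f['in_progress']}")
```

Run it against /var/log/dirsrv/slapd-EXAMPLE/access; a pattern of slow op=0 GSSAPI binds with err=14 and fast subsequent operations on the same connection matches the name-resolution delay described in the root cause.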