Subject: Re: integrating PAM
To: Ken Hornstein <firstname.lastname@example.org>
From: None <email@example.com>
Date: 01/23/2003 11:38:02
On Thursday 23 January 2003 10:33, Ken Hornstein wrote:
> >All PAM implementations I've seen are needlessly complex and difficult to
> >modify and use in a large-ish environment. On a system with 40,000 busy
> >user accounts, every PAM I've seen bogs down to the point where logins can
> >time out before the PAM auth returns. Compiling out PAM support is kind of
> >a pain.
> So, what exactly was the back-end authentication system that PAM was
> using in this case? I mean, I'm not saying PAM is perfect, but it's
> really just a shim to some other kind of authentication system. I have
> a hard time believing, for example, a PAM module that implemented
> the traditional Unix /etc/passwd authentication would really impact
> performance at all. And if it was something like LDAP ... is it PAM
> that was at fault, or LDAP?
The back-end auth system was just the normal unix /etc/passwd and /etc/shadow PAM
module. Pulling out PAM support from login, ftp, and so on brought the system
back to usability for me. Seems there was a kind of threshold of the number
of users, over which the system became unusable.
I realize that it seems unbelievable, but whatever overhead PAM was sucking
down was enough to choke down a system with 40,000 or so user accounts
whereas normal auth flew.
I had to pare down the PAM modules involved in a login to just the unix
auth--but at that point what was the point of having PAM in the way at all?
It was still dog slow, but at least I was able to log in again. Mind you, this
was an older PAM running on Red Hat, so hopefully things have changed. I
doubt it, but maybe.
The point is that that implementation sucked ass and I'm hoping we aren't
being led down that same garden path.