I’ve been experimenting with the WebExternalAuth in RT and have noticed
something a little odd.
We are using an external authentication program for all our Apache
authentication by using mod_auth_external. What I have noticed is that
since switching RT to using WebExternalAuth my external auth program is
called every time a URL is requested from RT. This is posing a serious
performance overhead as the auth lookup takes several seconds.
Is there no way to plug in an external authenticator program into RT and
then take advantage of its cookies for performance reasons?
I’ve been experimenting with the WebExternalAuth in RT and have noticed
something a little odd.
We are using an external authentication program for all our Apache
authentication by using mod_auth_external. What I have noticed is that
since switching RT to using WebExternalAuth my external auth program is
called every time a URL is requested from RT. This is posing a serious
performance overhead as the auth lookup takes several seconds.
I believe that the web browser is making those requests each time it
loads a page in the directory tree where you have auth defined in apache.
We are using an external authentication program for all our Apache
authentication by using mod_auth_external. What I have noticed is
that since switching RT to using WebExternalAuth my external auth
program is called every time a URL is requested from RT. This is
posing a serious performance overhead as the auth lookup takes several
seconds.
This is the correct behavior; because the web is stateless, every
transaction (i.e., every page load) has to be authenticated. RT’s
regular auth mechanism is fast; it’s just a db lookup, many of which
happen for each request using cached database connections.
If the speed of the external lookups is a problem, you will need to
create a small app that sits between the server that needs the
authentication (the one running RT) and the piece doing the
authenticating, that can do credentials-caching.
This might be one of those problems that can be solved by throwing
hardware at it, though.
(darren)
Eternal nothingness is fine if you happen to be dressed for it.
– Woody Allen
You’ll want to use a caching mechanism around your external auth mechanism.
For instance, I use a combination of Apache::AuthenCache with
Apache::AuthenLDAP.
Thanks,
Christian
Christian Gilmore
Technology Leader
GeT WW Global Applications Development
IBM Software Group
I’ve been experimenting with the WebExternalAuth in RT and
have noticed
something a little odd.
We are using an external authentication program for all our Apache
authentication by using mod_auth_external. What I have
noticed is that
since switching RT to using WebExternalAuth my external auth
program is
called every time a URL is requested from RT. This is posing
a serious
performance overhead as the auth lookup takes several seconds.
Is there no way to plug in an external authenticator program
into RT and
then take advantage of its cookies for performance reasons?
You’ll want to use a caching mechanism around your external auth
mechanism. For instance, I use a combination of Apache::AuthenCache
with Apache::AuthenLDAP.
I see from the net that you wrote Apache::AuthenLDAP. I’m actually doing
LDAP auth, but we are using an Exchange 5.5 server to retrieve the data, and
mod_auth_ldap couldn’t talk to it. In the end we resorted to
mod_auth_external and wrote a script around Net::LDAP to do it.
As our LDAP server is 170 miles away up a frame relay link the overhead of
invoking mod_auth_external and then doing the lookup is what causes our
delay.
I’ll investigate later…
Thanks,
Neil.
Neil Bingham, Software Team Leader, Engineering Tools Group.
Pace Micro Technology plc Tel: +44 (0) 1223 518574
645 Newmarket Road, Fax: +44 (0) 1223 518526
Cambridge, United Kingdom, CB5 8PB WWW: http://www.pace.co.uk/
You’ll want to use a caching mechanism around your external auth
mechanism. For instance, I use a combination of Apache::AuthenCache
with Apache::AuthenLDAP.
I see from the net that you wrote Apache::AuthenLDAP. I’m
actually doing
LDAP auth, but we are using an Exchange 5.5 server to
retrieve the data, and
mod_auth_ldap couldn’t talk to it. In the end we resorted to
mod_auth_external and wrote a script around Net::LDAP to do it.
As our LDAP server is 170 miles away up a frame relay link
the overhead of
invoking mod_auth_external and then doing the lookup is what
causes our
delay.
I’ll investigate later…
Thanks,
Neil.
–
Neil Bingham, Software Team Leader, Engineering Tools Group.
Pace Micro Technology plc Tel: +44 (0) 1223 518574
645 Newmarket Road, Fax: +44 (0) 1223 518526
Cambridge, United Kingdom, CB5 8PB WWW: http://www.pace.co.uk/
You could throw Cache::Cache around your external program that uses
Net::LDAP, effectively embedding the cache into your external auth package.
Many thanks for this excellent suggestion. I’m seeing around a 30%
performance improvement in the execution of our mod_auth_external script
using Cache::FileCache
Neil.
Neil Bingham, Software Team Leader, Engineering Tools Group.
Pace Micro Technology plc Tel: +44 1223 518574
645 Newmarket Road, Fax: +44 1223 518526
Cambridge, United Kingdom, CB5 8PB WWW: http://www.pace.co.uk/