Subject: Re: integrating PAM
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: None <netbsd99@sudog.com>
List: current-users
Date: 01/23/2003 11:38:02
On Thursday 23 January 2003 10:33, Ken Hornstein wrote:
> >All PAM implementations I've seen are needlessly complex and difficult to 
> >modify and use in a large-ish environment. On a system with 40,000 busy
> >user accounts, every PAM I've seen bogs down to the point where logins can
> >time out before the PAM auth returns. Compiling out PAM support is kind of
> >a pain.
> 
> So, what exactly was the back-end authentication system that PAM was
> using in this case? I mean, I'm not saying PAM is perfect, but it's
> really just a shim to some other kind of authentication system.  I have
> a hard time believing, for example, a PAM module that implemented
> the traditional Unix /etc/passwd authentication would really impact
> performance at all.  And if it was something like LDAP ... is it PAM
> that was at fault, or LDAP?

Hello Ken,

The back-end auth system was just the normal unix /etc/passwd and /etc/shadow PAM
module. Pulling out PAM support from login, ftp, and so on brought the system
back to usability for me. Seems there was a kind of threshold on the number
of users, over which the system became unusable.

I realize that it seems unbelievable, but whatever overhead PAM was sucking 
down was enough to choke down a system with 40,000 or so user accounts 
whereas normal auth flew.

I had to pare down the PAM modules involved in a login to just the unix
auth--but at that point, what was the point of having PAM in the way at all?
It was still dog slow, but at least I was able to log in again. Mind you, this
was an older PAM running on Red Hat, so hopefully things have changed. I
doubt it, but maybe.

The point is that that implementation sucked ass and I'm hoping we aren't 
being led down that same garden path.