[BlueOnyx:17373] Re: Slow Login phase

Michael Stauber mstauber at blueonyx.it
Thu Mar 26 18:23:56 -05 2015


Hi Gustavo,

> Ignore my "find" observation. Apparently, nothing to do with it.

Yeah, you had me quite worried there, as that certainly would not have
been normal to run.

When you log in as "admin" it might take a bit longer as the newsfeed
from www.blueonyx.it is parsed. However: That code has a timeout of 5
seconds programmed in. So if www.blueonyx.it doesn't react within 5
seconds, the page will still render, but without the news.

So I think we can ditch the idea that the GUI is the main contributing
factor to the slow logins. The problem is probably deeper and that's
where I'd start the investigations.

The login works like this: Once you're on the login form and submit
username and password, then the GUI contacts CCEd via a socket operation
and issues the following command:

AUTH username "password"

CCEd then first checks if the User exists in the CODB database. For this
it runs a "FIND username" to find out if that user has a CODB object in
the CODB database.

If so, CCEd will use PAM to verify the username and password against the
PAM database.

If both checks succeed, CCEd will respond to the GUI over the Unix
socket and will report something like this:

109 SESSIONID AdY...GZjDn
201 O

The username and session ID will then be stored in a browser cookie and
will be used in all subsequent authentications between browser and GUI,
until the login is voluntarily ended with a logout or the session ID
expires due to inactivity (26 minutes standard, 60 minutes as possible
maximum).

If the login user doesn't exist in CODB or the PAM authentication
failed, then the response is just a very brief "401 FAIL" instead.

Now you can easily troubleshoot this login phase on the command line
without using the GUI:

Log in by SSH as "admin" and "su -" to gain root access. Then run this
command: /usr/sausalito/bin/cceclient

It will give you a CSCP prompt like this:

[root@5208r ~]# /usr/sausalito/bin/cceclient
100 CSCP/0.99
200 READY

On that enter the following:

AUTH admin "password"

Where "password" is your admin-password. Check how long it takes until
you get the "109 SESSIONID ..." response. Compare that with how long it
takes for the GUI-login. It should not take considerably longer.

If the AUTH via cceclient is already *very* slow, then we can assume
that one or two things might be amiss:

1.) The CODB database might be a bit corrupted and it takes too long to
run the 'FIND User name="admin"' command to look up the login user in CODB.

... and/or ...

2.) The PAM database or PAM login procedure might be corrupted. On
BlueOnyx we use /etc/passwd, /etc/shadow for logins, but via roundtrips
through the PAM mechanism. It is possible that some third party software
(not by BlueOnyx and not from the shop) might have messed with PAM.

In that case it would be necessary to troubleshoot the PAM layer to see
what's there and how it is configured in your case.

In any case: If PAM is the culprit, then all other logins (SMTP-auth,
Dovecot, FTP) also should take considerably longer than normal. Not just
the GUI.

-- 
With best regards

Michael Stauber
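
The timing comparison described in the message above, as an added example that is not part of the original post and not BlueOnyx code. It assumes that cceclient reads commands from stdin and exits at EOF, that a root cceclient session accepts FIND, and that replies starting with 2 or 4 mean success or failure (generalised from the "201" and "401 FAIL" lines in the post); all function names are hypothetical.

```python
import subprocess
import time

CCECLIENT = ["/usr/sausalito/bin/cceclient"]  # path given in the post


def run_cscp(command, client=CCECLIENT, timeout=60):
    """Send one CSCP command on stdin; return (seconds, reply lines)."""
    # Assumption: cceclient reads commands from stdin and exits at EOF.
    start = time.monotonic()
    proc = subprocess.run(client, input=command + "\n" if command else "",
                          text=True, capture_output=True, timeout=timeout)
    elapsed = time.monotonic() - start
    lines = [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]
    if "200 READY" in lines:  # drop the "100 CSCP/0.99" / "200 READY" banner
        lines = lines[lines.index("200 READY") + 1:]
    return elapsed, lines


def outcome(lines):
    """'fail' on any 4xx line such as "401 FAIL", else 'ok' on any 2xx line."""
    if any(ln.startswith("4") for ln in lines):
        return "fail"
    return "ok" if any(ln.startswith("2") for ln in lines) else "unknown"


def auth_command(user, password):
    """Build AUTH user "password"; reject input that would alter the command."""
    if not user or any(c in user + password for c in '"\\\r\n') or " " in user:
        raise ValueError("credential contains quote, backslash, newline or space")
    return f'AUTH {user} "{password}"'


def split_timing(user, password, client=CCECLIENT):
    """Time the CODB lookup and the full AUTH; the difference approximates PAM."""
    auth = auth_command(user, password)           # validates before any FIND
    base, _ = run_cscp("", client)                # start-up and connect only
    find_t, _ = run_cscp(f'FIND User name="{user}"', client)  # assumed allowed
    auth_t, reply = run_cscp(auth, client)
    return {"result": outcome(reply),
            "codb_find": max(find_t - base, 0.0),
            "auth_total": max(auth_t - base, 0.0),
            "pam_estimate": max(auth_t - find_t, 0.0)}


if __name__ == "__main__":
    import getpass
    print(split_timing("admin", getpass.getpass("admin password: ")))
```

The password is read with getpass and passed on stdin, so it does not appear in the process list or shell history. A large "codb_find" points at the CODB lookup, a large "pam_estimate" at the PAM layer.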


