[BlueOnyx:17375] Re: Slow Login phase

Gustavo Silva beatwiz at gmail.com
Thu Mar 26 18:32:49 -05 2015


Many thanks for the reply Michael,

I'll try that and report back if needed.
Gustavo

2015-03-26 23:23 GMT+00:00 Michael Stauber <mstauber at blueonyx.it>:

> Hi Gustavo,
>
> > Ignore my "find" observation. Apparently, nothing to do with it.
>
> Yeah, you had me quite worried there, as that certainly would have not
> been normal to run.
>
> When you login as "admin" it might take a bit longer as the newsfeed
> from www.blueonyx.it is parsed. However: That code has a timeout of 5
> seconds programmed in. So if www.blueonyx.it doesn't react within 5
> seconds, the page will still render, but without the news.
>
> So I think we can ditch the idea that the GUI is the main contributing
> factor to the slow logins. The problem is probably deeper and that's
> where I'd start the investigations.
>
> The login works like this: Once you're on the login form and submit
> username and password, then the GUI contacts CCEd via a socket operation
> and issues the following command:
>
> AUTH username "password"
>
> CCEd then first checks if the User exists in the CODB database. For this
> it runs a "FIND username" to find out if that user has an CODB object in
> the CODB database.
>
> If so, CCEd will use PAM to verify the username and password against the
> PAM database.
>
> If both checks succeed, CCEd will respond to the GUI over the Unix
> socket and will report something like this:
>
> 109 SESSIONID AdY...GZjDn
> 201 O
>
> The username and session ID will then be stored in a browser cookie and
> will be used in all subsequent authentications between browser and GUI.
> Until the login is voluntarily ended with a logout, or the session ID
> expires due to inactivity (26 minutes standard, 60 minutes as possible
> maximum).
>
> If the login user doesn't exist in CODB or the PAM authentication
> failed, then the response is just a very brief "401 FAIL" instead.
>
> Now you can easily troubleshoot this login phase on the command line
> without using the GUI:
>
> Login by SSH as "admin" and "su -" to gain root access. Then run this
> command: /usr/sausalito/bin/cceclient
>
> It will give you a CSCP prompt like this:
>
> [root at 5208r ~]# /usr/sausalito/bin/cceclient
> 100 CSCP/0.99
> 200 READY
>
> On that enter the following:
>
> AUTH admin "password"
>
> Where "password" is your admin-password. Check how long it takes until
> you get the "109 SESSIONID ..." response. Compare that with how long it
> takes for the GUI-login. It should not take considerably longer.
>
> If the AUTH via cceclient is already *very* slow, then we can assume
> that one or two things might be amiss:
>
> 1.) The CODB database might be a bit corrupted and it takes too long to
> run the 'FIND User name="admin"' command to look up the login user in CODB.
>
> ... and/or ...
>
> 2.) The PAM database or PAM login procedure might be corrupted. On
> BlueOnyx we use /etc/passwd, /etc/shadow for logins, but via roundtrips
> through the PAM mechanism. It is possible that some third party software
> (not by BlueOnyx and not from the shop) might have messed with PAM.
>
> In that case it would be necessary to troubleshoot the PAM layer to see
> what's there and how it is configured in your case.
>
> In any case: If PAM is the culprit, then all other logins (SMTP-auth,
> Dovecot, FTP) also should take considerably longer than normal. Not just
> the GUI.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>



-- 
Um abraço,
Gustavo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.blueonyx.it/pipermail/blueonyx/attachments/20150326/e690b744/attachment.html>


More information about the Blueonyx mailing list