Univention Bugzilla – Bug 38725
Enable auth caching in Dovecot
Last modified: 2015-07-09 18:14:57 CEST
Dovecot can cache authentication credentials for [un]successful logins. It saves time when going through the PAM stack as well as when requesting user-information from LDAP.

Unfortunately caching of the userdb query doesn't work - will have to investigate. But the PAM caching works and saves a lot of time:

    time ./30_imap_server_with_hundreds_of_connections -f

    Without caching:
    real 1m23.086s
    user 0m1.932s
    sys  0m0.560s

    With caching:
    real 0m34.876s
    user 0m1.868s
    sys  0m0.488s

user+sys are the same, because the CPU time is saved in PAM, not in the Dovecot process.
Commit 61367 adds auth caching support. TTL is 5 minutes for positive and negative cache entries, cache size is 100k, that should be enough for ~400.000 entries. TTL and cache size are currently not configurable. Could be done with UCRVs easily if desired/requested.
Good news: with some testing I found out that userdb caching does actually work, just not as often as I had expected.
I think we should reduce the negative caching ttl to 1min or less. If a new account is created but used "too early", the negative cache prevents a successful login for 5 minutes.
Commit 61462 reduces negative auth caching ttl to 1min.
Values seem to be ok for now. On my test machine, the test script returned the following values:

    1500 IMAP connections are OK (took 8.766399 seconds)
    1500 IMAP logins are OK (took 33.926131 seconds)
    1500 IMAP logouts are OK (took 1.534729 seconds)
    Memory Used = 0.434MB per connection (Warning: only rough estimation)

Current values:

    root@slave22b:/etc/dovecot/conf.d# grep auth_cache_ 10-auth.conf
    auth_cache_size = 100k
    auth_cache_ttl = 5 mins
    auth_cache_negative_ttl = 1 mins
<http://errata.univention.de/ucs/4.0/237.html>
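
The effect of the negative TTL discussed in this thread can be reproduced with a small model. This is an added example, not Dovecot's code and not part of the original bug report; `AuthCache`, `first_successful_login`, the account name and the timings other than the 5 min / 1 min TTLs are assumptions made for illustration.

```python
import hmac

# Simplified model of an auth cache with separate positive and negative TTLs.
# Illustrative only: this is not how Dovecot implements its cache internally.
class AuthCache:
    def __init__(self, backend, ttl, negative_ttl):
        self.backend = backend            # dict user -> password, stands in for PAM/LDAP
        self.ttl = ttl                    # seconds a "user found" entry is trusted
        self.negative_ttl = negative_ttl  # seconds a "user not found" entry is trusted
        self.entries = {}                 # user -> (password or None, stored_at)
        self.backend_lookups = 0

    def _lookup(self, user, now):
        entry = self.entries.get(user)
        if entry is not None:
            password, stored_at = entry
            limit = self.negative_ttl if password is None else self.ttl
            if now - stored_at < limit:
                return password           # cache hit, positive or negative
        # Miss or expired entry: ask the (slow) backend and remember the answer.
        self.backend_lookups += 1
        password = self.backend.get(user)
        self.entries[user] = (password, now)
        return password

    def login(self, user, password, now):
        known = self._lookup(user, now)
        if known is None:
            return False
        return hmac.compare_digest(known.encode(), password.encode())


def first_successful_login(negative_ttl, created_at=30, step=10, horizon=600):
    """A client tries to log in at t=0, before the account exists. The account
    is created at `created_at`; the client retries every `step` seconds.
    Returns the time of the first successful login, or None."""
    backend = {}                          # constructed sample user store
    cache = AuthCache(backend, ttl=300, negative_ttl=negative_ttl)
    cache.login("newuser", "s3cret", now=0)   # stores the negative entry
    for now in range(step, horizon + 1, step):
        if now >= created_at:
            backend["newuser"] = "s3cret"
        if cache.login("newuser", "s3cret", now=now):
            return now
    return None


if __name__ == "__main__":
    for ttl in (300, 60):
        print(f"negative_ttl={ttl}s -> first login at t={first_successful_login(ttl)}s")
```

In this model the account created at t=30 becomes usable only once the negative entry from t=0 has expired, so the delay seen by the user is bounded by the negative TTL rather than by the account creation time.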