Bug 38725

Summary: Enable auth caching in Dovecot
Product: UCS
Reporter: Daniel Tröder <troeder>
Component: Mail - Dovecot
Assignee: Daniel Tröder <troeder>
Status: CLOSED FIXED
QA Contact: Sönke Schwardt-Krummrich <schwardt>
Severity: normal
Priority: P5
CC: schwardt, walkenhorst
Version: UCS 4.0
Target Milestone: ---
Hardware: Other
OS: Linux
Bug Blocks: 34839

Description Daniel Tröder univentionstaff 2015-06-18 12:35:12 CEST
Dovecot can cache authentication credentials for [un]successful logins. It saves time when going through the PAM stack as well as when requesting user-information from LDAP.
Unfortunately caching of the userdb query doesn't work - will have to investigate. But the PAM caching works and saves a lot of time:

time ./30_imap_server_with_hundreds_of_connections -f

Without caching:
 real	1m23.086s
 user	0m1.932s
 sys	0m0.560s

With caching:
 real	0m34.876s
 user	0m1.868s
 sys	0m0.488s

user+sys are the same, because the CPU time is saved in PAM, not in the Dovecot process.
Comment 1 Daniel Tröder univentionstaff 2015-06-18 12:52:21 CEST
Commit 61367 adds auth caching support.

TTL is 5 minutes for positive and negative cache entries, cache size is 100k, that should be enough for ~400.000 entries.

TTL and cache size are currently not configurable. Could be done with UCRVs easily if desired/requested.
Comment 2 Daniel Tröder univentionstaff 2015-06-18 17:39:55 CEST
Good news: with some testing I found out that userdb caching does actually work, just not as often as I had expected.
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-06-24 13:47:38 CEST
I think we should reduce the negative caching ttl to 1min or less. If a new account is created but used "too early", the negative cache prevents a successful login for 5 minutes.
Comment 4 Daniel Tröder univentionstaff 2015-06-24 16:58:04 CEST
Commit 61462 reduces negative auth caching ttl to 1min.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-07-02 17:57:16 CEST
Values seem to be ok for now. On my test machine, the test script returned the following values:
1500 IMAP connections are OK (took 8.766399 seconds)
1500 IMAP logins are OK (took 33.926131 seconds)
1500 IMAP logouts are OK (took 1.534729 seconds)
Memory Used = 0.434MB per connection (Warning: only rough estimation)

Current values:
root@slave22b:/etc/dovecot/conf.d# grep auth_cache_ 10-auth.conf
auth_cache_size = 100k
auth_cache_ttl = 5 mins
auth_cache_negative_ttl = 1 mins
Comment 6 Janek Walkenhorst univentionstaff 2015-07-09 18:14:57 CEST
<http://errata.univention.de/ucs/4.0/237.html>
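
The following is an added example, not part of the original bug report or of Univention's code: a small audit of the three `auth_cache_*` settings that flags the negative-TTL lockout window raised in Comment 3. The 60-second limit, the function names and the handled unit spellings are assumptions of this example; the two inputs are constructed from the values stated in Comment 1 and listed in Comment 5.

```python
import re

# Unit spellings handled by this example (assumption: a subset of what Dovecot accepts).
TIME_UNITS = {"": 1, "s": 1, "sec": 1, "secs": 1, "min": 60, "mins": 60,
              "h": 3600, "hour": 3600, "hours": 3600}
SIZE_UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
KEYS = ("auth_cache_size", "auth_cache_ttl", "auth_cache_negative_ttl")

def parse_settings(text):
    """Collect 'key = value' pairs; commented-out and blank lines do not match."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*([^#]*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def to_number(value, units):
    """Convert '5 mins' or '100k' to a plain integer using the given unit table."""
    m = re.fullmatch(r"(\d+)\s*([a-z]*)", value.lower())
    if not m or m.group(2) not in units:
        raise ValueError(f"unrecognised value: {value!r}")
    return int(m.group(1)) * units[m.group(2)]

def audit(text, max_negative_ttl=60):
    """Return (values, findings) for the three auth cache settings."""
    settings = parse_settings(text)
    findings = [f"{k} is not set explicitly" for k in KEYS if k not in settings]
    if findings:
        return {}, findings
    values = {
        "size_bytes": to_number(settings["auth_cache_size"], SIZE_UNITS),
        "ttl_s": to_number(settings["auth_cache_ttl"], TIME_UNITS),
        "negative_ttl_s": to_number(settings["auth_cache_negative_ttl"], TIME_UNITS),
    }
    if values["size_bytes"] == 0:
        findings.append("auth_cache_size is 0: caching is disabled")
    elif values["negative_ttl_s"] > max_negative_ttl:
        findings.append(
            f"a failed lookup is cached for {values['negative_ttl_s']}s: an account "
            f"used before it exists stays locked out that long (limit {max_negative_ttl}s)")
    return values, findings

# Constructed inputs: the values stated in Comment 1 and those listed in Comment 5.
BEFORE = "auth_cache_size = 100k\nauth_cache_ttl = 5 mins\nauth_cache_negative_ttl = 5 mins\n"
AFTER = "auth_cache_size = 100k\nauth_cache_ttl = 5 mins\nauth_cache_negative_ttl = 1 mins\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf))
```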