16 Feb
2008
16 Feb
'08
10:30 p.m.
Hello,
I would like to know if OpenSER supports some type of authentication credentials caching,
to improve the performance when a non-local authentication service (i.e. RADIUS) is used.
If it is not supported, are there any plans to include this functionality in future
versions?
Bests,
JB
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
18 Feb
18 Feb
11:44 a.m.
Hi John,
Credential caching is not support - for any of the backends (radius or
sql). As far as I know, there are no plans for caching yet... Mainly
because the fetching the passwd from DB is combined in a single query
with caller profile fetching - see the "load_credentials" module param
in auth_db module.
Regards,
Bogdan
John Barry wrote:
Hello,
I would like to know if OpenSER supports some type of authentication credentials caching,
to improve the performance when a non-local authentication service (i.e. RADIUS) is used.
If it is not supported, are there any plans to include this functionality in future
versions?
Bests,
JB
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
10:22 p.m.
Bogdan-Andrei Iancu writes:
Credential caching is not support - for any of the
backends (radius or
sql). As far as I know, there are no plans for caching yet... Mainly
because the fetching the passwd from DB is combined in a single query
with caller profile fetching - see the "load_credentials" module param
in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user
attributes as reply items. these attributes can change any time and
thus cannot be cached.
-- juha
11 p.m.
El Lunes, 18 de Febrero de 2008, Juha Heinanen escribió:
Bogdan-Andrei Iancu writes:
In fact I think that the only caching making sense would be directly in the
final backend (DB, Radius, LDAP..).
--
Iñaki Baz Castillo
Credential caching is not support - for any of
the backends (radius or
sql). As far as I know, there are no plans for caching yet... Mainly
because the fetching the passwd from DB is combined in a single query
with caller profile fetching - see the "load_credentials" module param
in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user
attributes as reply items. these attributes can change any time and
thus cannot be cached. 
11:56 p.m.
New subject: [OpenSER-Users] SNMPStats and graphing
Does anyone know of any Cacti templates for graphing the data from
SNMPStats? I couldn't find anything with Google...
Thanks in advance.
Michael Young
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.20.7/1285 - Release Date: 2/18/2008
5:50 AM
19 Feb
19 Feb
2:20 p.m.
Iñaki Baz Castillo schrieb:
El Lunes, 18 de Febrero de 2008, Juha Heinanen
escribió:
FYI: I think the original question refers to IMS, where the S-CSCF can
retrieve pre-calculated nonces and responses from the diameter server to
avoid diameter requests for each authentication.
klaus
Bogdan-Andrei Iancu writes:
In fact I think that the only caching making sense would be directly in the
final backend (DB, Radius, LDAP..). Credential caching is not support - for any of
the backends (radius or
sql). As far as I know, there are no plans for caching yet... Mainly
because the fetching the passwd from DB is combined in a single query
with caller profile fetching - see the "load_credentials" module param
in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user
attributes as reply items. these attributes can change any time and
thus cannot be cached.
21 Feb
21 Feb
12:56 a.m.
Hello all,
Thank you for your responses.
Indeed, I was thinking about a caching mechanisms similar to the one used in
IMS, as Klaus described in the previous post.
If I store in a memory structure the authentication credentials (i.e. user
and password) following some cache policy, I could use this structure to
check if the user exists and check his/her identity without having to
contact a remote database/radius server (where network latency typically is
a bottleneck). If the user credentials are not in the cache, then OpenSER
will contact the database/radius server to authenticate the user (normal
procedure).
Maybe I am oversimplifying the problem. Could you help me to understand
better why this is not possible?
Thanks,
JB
Klaus Darilion-2 wrote:
Iñaki Baz Castillo schrieb:
--
View this message in context:
http://www.nabble.com/Authentication-credentials-cache-tp15522750p15600883.…
Sent from the OpenSER Users Mailing List mailing list archive at Nabble.com.
El Lunes, 18 de Febrero de 2008, Juha Heinanen
escribió:
FYI: I think the original question refers to IMS, where the S-CSCF can
retrieve pre-calculated nonces and responses from the diameter server to
avoid diameter requests for each authentication.
klaus
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
Bogdan-Andrei Iancu writes:
In fact I think that the only caching making sense would be directly in
the
final backend (DB, Radius, LDAP..). Credential caching is not support - for any of
the backends (radius
or
sql). As far as I know, there are no plans for
caching yet... Mainly
because the fetching the passwd from DB is combined in a single query
with caller profile fetching - see the "load_credentials" module
param
in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user
attributes as reply items. these attributes can change any time and
thus cannot be cached.
6:49 a.m.
JB74 writes:
If I store in a memory structure the authentication
credentials (i.e. user
and password) following some cache policy, I could use this structure to
check if the user exists and check his/her identity without having to
contact a remote database/radius server (where network latency typically is
a bottleneck). If the user credentials are not in the cache, then OpenSER
will contact the database/radius server to authenticate the user (normal
procedure).
Maybe I am oversimplifying the problem. Could you help me to understand
better why this is not possible?
jb,
what you describe is, of course, possible (unless user changes his/her
password and cached credential don't work anymore) if your intention is
JUST to authenticate the user.
if you read openser the radius authentication, you'll notice that
authentication query may also return reply items that cause AVPs to be
setup. for me these reply items are extremely important, because they
contain all kinds of attributes associated with the authenticated user
and his/her uri, and, due to they changing nature, it is not possible to
cache them.
hope this explains why caching of credentials does not help to save the
radius query.
-- juha
7:25 a.m.
Caching authentication credentials surely speeds up the SIP digest
authentication process a little bit. At the same time, it introduces a
state synchronization issue because the credential database's state may
differ from the credential cache state. What happens if I change a
password in the database? Does it trigger a cache update?
In my opinion, these issues together with added code complexity outweigh
the slight speed improvements resulting from a credential cache.
Performance measurements with mysql and ldap backend have shown that
openser can handle a huge number of authenticated SIP requests (>300 cps
on dual xeon) without caching of auth credentials.
/Christian
JB74 wrote:
Hello all,
Thank you for your responses.
Indeed, I was thinking about a caching mechanisms similar to the one used in
IMS, as Klaus described in the previous post.
If I store in a memory structure the authentication credentials (i.e. user
and password) following some cache policy, I could use this structure to
check if the user exists and check his/her identity without having to
contact a remote database/radius server (where network latency typically is
a bottleneck). If the user credentials are not in the cache, then OpenSER
will contact the database/radius server to authenticate the user (normal
procedure).
Maybe I am oversimplifying the problem. Could you help me to understand
better why this is not possible?
Thanks,
JB
Klaus Darilion-2 wrote:
Iñaki Baz Castillo schrieb:
El Lunes, 18 de Febrero de 2008, Juha Heinanen
escribió:
FYI: I think the original question refers to
IMS, where the S-CSCF can
retrieve pre-calculated nonces and responses from the diameter server to
avoid diameter requests for each authentication.
klaus
_______________________________________________
Users mailing list
Users(a)lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
Bogdan-Andrei Iancu writes:
> Credential caching is not support - for any of the backends (radius
or
> sql). As far as I know, there are no plans for caching yet... Mainly
> because the fetching the passwd from DB is combined in a single query
> with caller profile fetching - see the "load_credentials" module
param
> in auth_db module.
yes, when i radius authenticate a user, the reply contains lots of user
attributes as reply items. these attributes can change any time and
thus cannot be cached.
In fact I think that the only caching making sense would be
directly in
the
final backend (DB, Radius, LDAP..).
6124
days inactive
6129
days old
8 comments
8 participants
participants (8)
-
Bogdan-Andrei Iancu -
Christian Schlatter -
Iñaki Baz Castillo -
JB74 -
jh@tutpro.com -
John Barry
-
Klaus Darilion -
Michael Young