Authentication is slow due to slow initialization of /var/lib/one/remotes/auth/ldap/authenticate. It takes >700ms to process all the require statements in the included libs. Once the process is started, the authentication itself is performed fast (LDAP, AD).
Because /var/lib/one/remotes/auth/ldap/authenticate is forked by /usr/lib/one/mads/one_auth_mad.rb for each authentication request, users wait 700ms whenever they authenticate before anything useful actually starts happening.
So there are actually two issues:
- slow start of /var/lib/one/remotes/auth/ldap/authenticate
- multiple submits of the login form are possible.
Ubuntu Server 20.4
Steps to reproduce:
- Go to login page in a browser
- Enter credentials
- Press Enter and keep it pressed for a few seconds
Several POST requests are sent by the browser to Sunstone.
Only one request is sent. E.g. the form is disabled as soon as the user submits it. The form will need to be re-enabled if authentication fails or possibly for MFA.
Steps to reproduce:
- Full authentication exactly as forked by /usr/lib/one/mads/one_auth_mad.rb, providing valid input to stdin:
echo -en "<AUTHN>\n <USERNAME>username</USERNAME>\n <PASSWORD>dummy</PASSWORD>\n <SECRET>ldappassword</SECRET>\n</AUTHN>" | ruby /var/lib/one/remotes/auth/ldap/authenticate
Simply start it without providing any input: time bash -c "echo | /var/lib/one/remotes/auth/ldap/authenticate &>/dev/null"
Strace will hint that it attempts to open a ton of files. A detailed look revealed that the vast majority of them are various ruby libraries. Even if valid input is provided to stdin, the outcome looks the same.
echo | strace -c /var/lib/one/remotes/auth/ldap/authenticate
Invalid XML input
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 51.75    0.084790           3     24554     23248 stat
 29.07    0.047640           3     13020       737 lstat
Initialization of the /var/lib/one/remotes/auth/ldap/authenticate should be much faster. Load less libs if possible?
Or prefork a pool of /var/lib/one/remotes/auth/ldap/authenticate to have them immediately ready when authentication requests come.
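To decide which libs could be dropped or loaded lazily, the startup cost reported above can be broken down per `require`. The following is an added example, not part of the original report or of OpenNebula's code; the file name `require_timer.rb`, the `RequireTimer` module and the `REQUIRE_TIMER` environment variable are hypothetical names chosen for this sketch.

```ruby
# require_timer.rb (hypothetical file name): times every `require` call so the
# slowest libraries in a script's startup can be ranked.
#
# Assumed usage, mirroring the empty-stdin run from the report:
#   echo | REQUIRE_TIMER=1 ruby -r./require_timer.rb \
#     /var/lib/one/remotes/auth/ldap/authenticate
module RequireTimer
  LOG = [] # one hash per require call: path, seconds, depth, loaded
  @depth = 0

  class << self
    attr_accessor :depth
  end

  # Slowest calls first. Times are inclusive (a library's figure contains the
  # libraries it pulls in), so by default only top-level requires are ranked.
  def self.slowest(count = 10, top_level_only: true)
    rows = top_level_only ? LOG.select { |r| r[:depth].zero? } : LOG
    rows.sort_by { |r| -r[:seconds] }.first(count)
  end

  def self.report(io = $stderr, count = 10)
    slowest(count).each do |r|
      io.printf("%8.1f ms  %s\n", r[:seconds] * 1000, r[:path])
    end
  end
end

class Object
  private

  # Shadows Kernel#require for ordinary objects; `super` reaches the real
  # (RubyGems-aware) implementation. Direct `Kernel.require` calls are not seen.
  def require(path)
    depth = RequireTimer.depth
    RequireTimer.depth = depth + 1
    started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    loaded = super
  ensure
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    RequireTimer.depth = depth
    # loaded is true (newly loaded), false (already loaded) or nil (LoadError)
    RequireTimer::LOG << { path: path.to_s, seconds: elapsed,
                           depth: depth, loaded: loaded }
  end
end

at_exit { RequireTimer.report } if ENV['REQUIRE_TIMER']
```

The ranking shows where the time goes inside Ruby, which the syscall totals from strace cannot attribute to a specific library.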