Why is node-ldapauth so slow, even when cached?
Problem description
My simple express.js REST API does authentication through a company-wide LDAP server. I'm using trentm's node-ldapauth module.
The actual question is: when I use a simple function directly comparing the username and password to provided test values, responses in the browser finish in roughly the range of 8 to 15 ms. That includes a call to MongoDB getting data (not much for this test).
If I use the ldapauth.authenticate function, which does caching ({cache: true}), it takes between 80 and 100 ms. From the code I can only see that it checks an LRU cache, and of course the first request would be slower because it's actually checking the LDAP server, but subsequent ones?
Here's a little snippet from the app:
var express = require('express');
var LdapAuth = require('ldapauth');   // the node-ldapauth package
var config = require('./config');     // assumed location of the LDAP settings used below
var app = express();

// Note: this disables TLS certificate verification for every TLS connection in the process.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

var ldap = new LdapAuth({
    url: config.ldap.url,
    adminDn: config.ldap.adminDn,
    adminPassword: config.ldap.adminPassword,
    searchBase: config.ldap.userBase,
    searchFilter: config.ldap.userFilter,
    cache: true
});

app.enable('trust proxy');
app.use(express.json());
app.use(express.urlencoded());
app.use(checkUrl);   // app-specific middleware defined elsewhere in the app
app.use(express.basicAuth(function(user, pass, callback) {
    // The plain comparison that finished in 8 to 15 ms:
    // if(user === 'samuel' && pass === 'supertest') {
    //     callback(null, {name: 'samuel'});
    // } else {
    //     callback(new Error("Unauthorized"));
    // }
    ldap.authenticate(user, pass, function(err, user) {
        if(err) {
            console.log("LDAP auth error: %s %s", err, err.dn);
            return callback(err);   // return here so the callback is not invoked twice
        }
        callback(null, user);
    });
}));
Any hints are appreciated.
Recommended answer
This is because under the covers, node-ldapauth is using bcrypt, a cryptographically strong and slow hashing algorithm. You actually WANT this to happen. The slower the hash, the longer it takes a hacker to reverse your hashes. The following link shows you where it's used:
https://github.com/trentm/node-ldapauth/blob/master/lib/ldapauth.js#L338
For more on why to use bcrypt, check out this article:
http://codahale.com/how-to-safely-store-a-password/
Of course, some of what the author mentions in that article is widely debated, but the idea behind why you want a slow hashing algorithm is sound.