The authrate command measures the rate at which a given bind DN can authenticate to an LDAP directory. As with all measures of performance, results depend on many factors, including what options you pass to the authrate command, and also how the directory service itself is tuned.
The command uses LDAP v3, and cannot be used to authenticate to an LDAP v2 directory not supporting LDAP v3.
The authrate command supports the following options:
Display the specified number of results messages before exiting. Results messages appear by default as output on standard out, similar to the following:
Avg r=2584.00/thr (516.80/sec), total= 7752
This shows output for three threads authenticating for five seconds. The average bind rate is 516.80 per thread per second for the interval measured. The total shown for all threads is 7752.
Default is to continue iterating until the command is interrupted.
Use the specified bind DN to authenticate to the directory.
If the bind DN is not specified, the authrate command attempts anonymous authentication.
You can use %d and %s placeholders in the -D option of the authrate command. Refer to Extended Description for more details.
Connect to the directory on the specified host.
Enclose IPv6 addresses in brackets ([]) as described in RFC 2732.
Default is to connect to the local host on the loopback address, 127.0.0.1.
Use the file specified to read bind DNs and passwords at random.
Display results each specified number of seconds.
Default is to display results every 5 seconds.
Keep connections open, measuring only the time required to perform the bind operation.
Default is to measure both the bind and unbind time as part of the authentication sequence.
Perform no more than the specified number of binds per thread.
Default is for each thread to continue iterating until the command is interrupted.
Connect to the directory on the specified port.
Default is to connect to the default simple authentication port for LDAP, 389.
Run in quiet mode, not displaying results.
Default is to display results every 5 seconds, which you can adjust using the -j option.
Use the specified maximum to determine the range for random numbers replacing %d formatting specifications when authenticating with random bind DNs and passwords.
When you use this option twice, the first occurrence generates random numbers in the range [0,maxRand1-1] for the first %d, the second [1,maxRand2] for the second %d.
Use the specified seed, an unsigned int, for random number generation.
Default seed is 0.
Use the specified number of threads to connect to the server.
Default is to use one thread.
Do not unbind as part of the authentication sequence.
Default is to unbind as part of the authentication sequence.
Display verbose output.
Read the bind password from the specified file.
Use the specified bind password to authenticate to the directory.
Prompt for the bind password so it does not appear on the command line or in a file.
The authrate command repeatedly initializes a connection and binds to a directory server, without performing any other operation. Threads may be configured to keep open connections and perform LDAP binds repeatedly. The command-line options let you specify the bind credentials.
The command uses LDAP v3, and cannot be used to authenticate to an LDAP v2 directory not supporting LDAP v3. Furthermore, the authrate command uses simple authentication, not secure binding.
By default, the authrate command attempts to bind indefinitely, displaying results periodically, and displaying any errors encountered as well without interrupting operation.
To simulate real use conditions and reduce any artifacts due to the repetitive nature of the tests, the authrate command provides a mechanism for generating a random bind DN for authentication.
Include randomly generated numbers by specifying %d and %s placeholders in the bind DN and the bind password. These placeholders are then replaced according to the following rules:
%d: Replace this placeholder with random integer values depending on the maxRand parameter to the -r option.
The -r option may be used at most two times to generate random bind DNs. When used in the bind DN, replacement values for the %d placeholder range over [0,maxRand1-1] for the first use of the -r option, and over [1,maxRand2] for the second.
The %d may be used up to eight times to generate a random password. When used in the bind password, replacement values for the %d placeholder range over [0,maxRand1-1] for each use of the -r option.
When the number of %d placeholders exceeds the number of -r options, only one value for each use of the -r option is generated. Each %d placeholder is replaced with a generated value.
%s: Replace this placeholder with random strings from the file specified using the -i option.
Replacement values for this placeholder are randomly selected lines of the file specified.
The authrate command requires that you apply the following rules for substitutions, displaying an error message when they are used incorrectly:
Use only one type of placeholder, either %d or %s, per invocation of the authrate command.
Use %%d and %%s to specify literal strings %d and %s, respectively.
In order to use this random authentication mechanism, you must populate your directory accordingly. For example, you can measure the authentication rate using the following command:
$ authrate -D "uid=test%d,ou=test,dc=example,dc=com" -w "auth%d%d" -r 100
In order for the authrate command to bind effectively, your directory must contain entries corresponding to the following LDIF excerpt:
dn: uid=test0,ou=test,dc=example,dc=com
userPassword: auth00

dn: uid=test1,ou=test,dc=example,dc=com
userPassword: auth11

dn: uid=test2,ou=test,dc=example,dc=com
userPassword: auth22

…

dn: uid=test10,ou=test,dc=example,dc=com
userPassword: auth1010

…

dn: uid=test99,ou=test,dc=example,dc=com
userPassword: auth9999
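Added example (not part of the original authrate documentation): a Python generator for the test entries that the command above expects, applying the rule that with a single -r option every %d in the bind DN and the password receives the same value in [0,maxRand-1]. The function names are hypothetical, and the objectClass, uid, cn and sn lines are assumptions added so that the entries can be loaded into a test directory.

```python
import re
import sys

# %% is an escaped percent sign, so %%d yields a literal "%d".
_TOKEN = re.compile(r"%%|%d|%s")


def expand(template, value):
    """Replace every %d in template with value, honouring %%d / %%s escapes."""
    def sub(match):
        token = match.group()
        if token == "%%":
            return "%"
        if token == "%s":
            # authrate allows only one placeholder type per invocation;
            # this generator covers the %d case only.
            raise ValueError("%s placeholder not supported here")
        return str(value)
    return _TOKEN.sub(sub, template)


def ldif_for(dn_template, pw_template, max_rand):
    """Return LDIF for every bind DN that a single '-r max_rand' can produce."""
    entries = []
    for n in range(max_rand):  # [0, maxRand-1], as for the first -r option
        dn = expand(dn_template, n)
        # Assumption: the first RDN is a simple attr=value pair such as uid=test7.
        uid = dn.split(",", 1)[0].split("=", 1)[1]
        entries.append("\n".join([
            f"dn: {dn}",
            "objectClass: inetOrgPerson",  # assumed schema, not from the page
            f"uid: {uid}",
            f"cn: {uid}",
            f"sn: {uid}",
            f"userPassword: {expand(pw_template, n)}",
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Same templates and range as: -D "uid=test%d,..." -w "auth%d%d" -r 100
    sys.stdout.write(
        ldif_for("uid=test%d,ou=test,dc=example,dc=com", "auth%d%d", 100)
    )
```

Because authrate uses simple authentication, these passwords cross the network in clear text during the test, so keep the generated accounts in a dedicated test suffix such as ou=test.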
Examples in this section use the following conventions:
The authrate command is found in a directory present in the PATH used for the examples.
The directory server is located on a system named host.
The directory has been configured to support anonymous access for search and read. Therefore, you do not have to specify bind information.
The directory server listens on port 389, the default for non-SSL connections.
The following command performs anonymous binds until it has displayed five results messages. Notice that each line concerns only the elapsed interval.
$ authrate -C 5
Avg r=1952.00/thr (390.40/sec), total= 1952
Avg r=1937.00/thr (387.40/sec), total= 1937
Avg r=1938.00/thr (387.60/sec), total= 1938
Avg r=1921.00/thr (384.20/sec), total= 1921
Avg r=1921.00/thr (384.20/sec), total= 1921
All threads exited
Notice also that a result message provides the following items of information:
The average rate of authentication per thread of execution
The average rate of authentication per second
The total number of authentication operations performed during the interval the results message concerns
The following command performs anonymous binds until it has displayed five results messages, using three threads to bind. Notice that each line concerns only the elapsed interval.
$ authrate -C 5 -t 3
Avg r= 300.00/thr (180.00/sec), total= 900
Avg r= 300.00/thr (180.00/sec), total= 900
Avg r= 299.67/thr (179.80/sec), total= 899
Avg r= 298.00/thr (178.80/sec), total= 894
Avg r= 299.33/thr (179.60/sec), total= 898
All threads exited
Here the average per thread, approximately 300 binds, is shown for each interval of three seconds. The averages given in parentheses, approximately 180 per second, represent the average bind rate over the interval. The totals shown represent the total number of binds over the interval.
The following command applies the mechanism described in Random Bind DN Substitution, performing full authentication (open, bind, unbind, close) with randomly generated bind DNs and passwords.
$ authrate -D "uid=test%d,ou=test,dc=example,dc=com" -w "auth%d%d" -r 100 -C 5
Avg r=1301.00/thr (260.20/sec), total= 1301
Avg r=1307.00/thr (261.40/sec), total= 1307
Avg r=1281.00/thr (256.20/sec), total= 1281
Avg r=1316.00/thr (263.20/sec), total= 1316
Avg r=1313.00/thr (262.60/sec), total= 1313
All threads exited
The following command applies the mechanism described in Random Bind DN Substitution, keeping the connection open and binding repeatedly with randomly generated bind DNs and passwords.
$ authrate -D "uid=test%d,ou=test,dc=example,dc=com" -w "auth%d%d" -r 100 -k -C 5
Avg r=2584.00/thr (516.80/sec), total= 2584
Avg r=2603.00/thr (520.60/sec), total= 2603
Avg r=2592.00/thr (518.40/sec), total= 2592
Avg r=2613.00/thr (522.60/sec), total= 2613
Avg r=2560.00/thr (512.00/sec), total= 2560
All threads exited
The authrate command returns the following exit status codes.
An error occurred.
See attributes(5) for descriptions of the following attributes:
Zip distribution only