
RE: Optimizing OpenLDAP pam authentication (it's very slow)



Actually the "nss_base_passwd" and "nss_base_group" configuration options
tell pam_ldap and nss_ldap where to look for the appropriate objects.  There
are other configuration options that you "AND" with the search filter, but
the "nss_base_*" options just tell the modules where to look to apply that
filter.

If you tell the modules where to look for the appropriate object, it should
speed up logins noticeably.  If all of your objects lie in
ou=something,ou=people,dc=my,dc=com then use 

nss_base_passwd		ou=something,ou=people,dc=my,dc=com?one

in your /etc/ldap.conf file.

You're telling it EXACTLY where to look instead of doing a subtree search
like dc=my,dc=com?sub

I only wish there were a way to have multiple RFC2307bis naming contexts in
that file, because in my situation, users are all over the tree and if they
are in a container at the bottom of the tree alphabetically, then it takes
longer to do auths and such.  Active Directory doesn't support object
aliasing so I can't do that either :\

Oh well, try the nss_base_* config option; it should help speed things up.
Hope this helps.

Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg@shermanfinancialgroup.com
Phone: 513.677.7809
Fax:   513.677.7838



-----Original Message-----
From: Matthew Gregg [mailto:greggmc@musc.edu]
Sent: Thursday, May 31, 2001 11:43 AM
To: GOMBAS Gabor
Cc: openldap-software@OpenLDAP.org
Subject: Re: Optimizing OpenLDAP pam authentication (it's very slow)


I've seen that and tried that.  What that does is "and" your filter
with the default filter.  How to change/override the default filter would be
the trick. Right?

On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
>  
> > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > It's not something that I can configure, without some code changes.
> 
> Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> (the nss_base_* parameters).
> 
> Gabor
> 

-- 
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
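
Added example (not part of the original messages, and not code from nss_ldap or pam_ldap): a small Python check that parses the nss_base_* entries of an ldap.conf in the base?scope?filter form discussed in the thread and reports maps that still search a whole subtree. The sample config is constructed, the function names are hypothetical, and treating a missing scope as subtree is an assumption.

```python
"""Audit nss_base_* search bases in an nss_ldap/pam_ldap ldap.conf (added example)."""

# Constructed sample config; the DNs reuse the placeholders from the thread.
SAMPLE_CONF = """\
base dc=my,dc=com
scope sub
# map           base?scope?filter
nss_base_passwd\t\tou=something,ou=people,dc=my,dc=com?one
nss_base_group\t\tdc=my,dc=com?sub
nss_base_shadow\tou=people, dc=my, dc=com
"""

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_nss_bases(conf_text):
    """Return (global_base, entries); each entry has map, base, scope, filter, line."""
    global_base, global_scope = None, "sub"  # assumption: subtree when no scope is set
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or directive without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "base":
            global_base = norm_dn(value)
        elif key == "scope":
            global_scope = value.lower()
        elif key.startswith("nss_base_"):
            fields = value.split("?", 2) + [None, None]  # base?scope?filter
            entries.append({"map": key[len("nss_base_"):], "base": norm_dn(fields[0]),
                            "scope": (fields[1] or "").lower() or None,
                            "filter": fields[2] or None, "line": lineno})
    for e in entries:  # resolve inherited scope once the whole file has been read
        e["scope"] = e["scope"] or global_scope
    return global_base, entries

def audit(conf_text):
    """Flag maps that search a whole subtree or start at the global search base."""
    global_base, entries = parse_nss_bases(conf_text)
    findings = []
    for e in entries:
        if e["scope"] == "sub":
            findings.append((e["map"], e["line"], "subtree search"))
        if global_base and e["base"] == global_base:
            findings.append((e["map"], e["line"], "base is the global search base"))
    return findings

if __name__ == "__main__":
    for name, line, reason in audit(SAMPLE_CONF):
        print(f"line {line}: nss_base_{name}: {reason}")
```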