
Re: Performance of SGI nsd with LDAP



On 19 Apr 1999, Jan Iven wrote:

> Date: 19 Apr 1999 09:03:22 +0200
> From: Jan Iven <j.iven@rz.uni-sb.de>
> To: gomez@cthulhu.engr.sgi.com
> Cc: lukeh@xedoc.com.au, tsuiter@midusa.net, openldap-general@OpenLDAP.org
> Subject: Re: Performance of SGI nsd with LDAP
> 
> Juan Carlos Gomez <gomez@cthulhu.engr.sgi.com> writes:
> 
> >  Luke,
> > 
> > I followed the drafts for RFC2037...it must comply with the final version. If
> > not this can be configured through an ASCII file. I transferred this task to
> > someone else here @ SGI before the RFC came out and I'm not sure if he sync'ed
> > what we distribute with the RFC....hopefully he did!.
> 
> Last time I had a look (IRIX 6.5.3) the standard config file used
> something close to rfc2307, but with "POSIX" as a prefix to almost
> everything (POSIXUIDNUMBER, POSIXPRIMARYGIDNUMBER,....)
> 
> Besides, it didn't understand the {crypt}xxxxxxxx Syntax for passwords,
> which means that you can either use that attrib to have users login to
> the system (without {crypt}), or you can use it to authenticate to the
> LDAP server (with {crypt}), but not both.
> 
> The (undocumented) "security"/"cipher" switches in the config file
> didn't work as expected, either - I was unable to connect to a
> SSL-proxied (sslwrap) OpenLDAP-Server (Besides, there doesn't seem to
> be an option to list "trusted" Servers).
> 
> Perhaps you could look into this or forward it.

Been a busy morning so I'll wrap all my responses into just one.  

Things are about as RFC compliant as they get, but there are some
differences.  I use shadow passwords so I renamed the normal /etc/passwd
password field to unixpassword so that normal users wouldn't have access
to them.  I removed all of the "POSIX" out from the front of them, so
they'd conform a bit better with the RFC.

The {crypt} one was a bit of a wild one for me too, took some head
scratching to figure it out (sees the user, returns the password, doesn't 
auth...). I just import everyone's already encrypted password as cleartext
and everything works (breaks other programs, but it works for nsd).  

I've been trying to find some info on the security switches too in the
config file, if anybody has any idea on how those things are formatted drop
me a line.

I've been authenticating people just fine here for ~1-2 months in my
testing phase, but the performance is an order of magnitude less (~4
times slower).  I was hoping for increased performance over a flat text
passwd & shadow file, but I am not getting it and I'm trying to find where
to point the finger.

Thanks
	Thomas Suiter

____________________________________________________________________________

	Thomas P. Suiter		|	       Systems Administrator
	tsuiter@midusa.net		|	   NetSpace Internet Service
	Fax: (785) 825-5873		|		      (785) 823-3565
____________________________________________________________________________
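
The {crypt} mismatch discussed in this thread, as an added example (not code from the thread, nsd or OpenLDAP): a sketch of how a name service client could accept RFC 2307 `{scheme}` userPassword values, so that one attribute serves both LDAP bind and system login. The function names, the `accept_bare_crypt` flag and the sample values are assumptions constructed for illustration.

```python
import re

# RFC 2307 userPassword form: "{" scheme "}" encryptedpassword.
# Scheme names are matched case-insensitively.
_SCHEME_RE = re.compile(r"\{([A-Za-z0-9._-]+)\}(.*)", re.DOTALL)
# Characters allowed in a crypt(3) string (classic or "$id$salt$hash").
# ':' and newlines are excluded: they would break a passwd/shadow-style line.
_CRYPT_BODY_RE = re.compile(r"[./0-9A-Za-z$=,-]+")
LOCKED = "*"  # hash field that no password can match


def split_user_password(value):
    """Return (scheme, body); scheme is None when no {scheme} prefix exists."""
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    m = _SCHEME_RE.fullmatch(value)
    if m is None:
        return None, value
    return m.group(1).lower(), m.group(2)


def passwd_field(value, accept_bare_crypt=False):
    """Map a userPassword value to a passwd/shadow-style hash field.

    {crypt} values yield the bare crypt(3) string for login checks.
    Other schemes cannot be verified by crypt(3), so the account is locked.
    Unprefixed values are locked by default, because an LDAP server reads
    them as cleartext; accept_bare_crypt=True (hypothetical flag) allows
    directories that store bare crypt strings, as described in the thread.
    """
    scheme, body = split_user_password(value)
    if scheme is None and not accept_bare_crypt:
        return LOCKED
    if scheme not in (None, "crypt"):
        return LOCKED
    if not _CRYPT_BODY_RE.fullmatch(body):
        return LOCKED
    return body


if __name__ == "__main__":
    # Constructed sample values, not real hashes.
    for sample in ("{crypt}abJnggxhB/yWI", "{SSHA}c2FtcGxl", "abJnggxhB/yWI"):
        print(sample, "->", passwd_field(sample))
```

With the prefix stripped on the client side, the directory can keep the `{crypt}` form that the LDAP server needs for bind, instead of storing the hash as an unprefixed value.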