Re: openldap, pam_ldap, accounts
On Mon, Dec 06, 1999 at 11:06:17AM +0000, John P. Looney wrote:
> The main problem with nss_ldap isn't the round-trip time. It doesn't seem
> to cache information. This isn't a big deal with authentication...but if
> you go into a directory that's owned by a user whose UIDs are stored on the
> LDAP server, and do an 'ls -l' on a hundred or so files, it can take a
> minute or two to complete. NIS is two orders of magnitude faster because of
> this.
You might want to use a Nameservice Cache Daemon (look for a nscd package
in your distribution). I.e. on our system, after restarting nscd, running
ls -l twice on /home with ~500 directories owned by different people
gives the following result:
% time ls -l /home/LYSEO > /dev/null
ls -l /home/LYSEO > /dev/null 0.01s user 0.02s system 0% cpu 8.189 total
% time ls -l /home/LYSEO > /dev/null
ls -l /home/LYSEO > /dev/null 0.03s user 0.06s system 53% cpu 0.167 total
% ls /home/LYSEO | wc -l
494
Caching has its problems, of course. nscd also seems to slow down the
first NSS lookups for a user, i.e. without nscd the above ls -l takes ~5
seconds.
> That said, I've now worked out how to get OpenLDAP to index based on
> UIDnumbers, so it is a little faster now.
Making indexes of other attributes might be a good idea too. This will
only slow down modifications (and of course eat up disk space/memory)
AFAIK.
--
P.A. Knuutila <zur@edu.lahti.fi> 363C ACE2 0A4F DE7E B67A 0223 C53B 932B
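
Added example, not part of the original message or of either project's shipped configuration: the two settings discussed in this thread, written out as configuration fragments. The TTL and size values are illustrative assumptions, and the attribute list assumes the standard posixAccount/posixGroup attributes that nss_ldap searches on.

```conf
# ---- /etc/nscd.conf (client side: cache NSS answers) ----
# Cache passwd (uid <-> name) lookups, which is what 'ls -l' triggers
# once per distinct file owner.
enable-cache            passwd  yes
# Seconds a found entry is served from cache. This also bounds how long
# a deleted or changed account keeps resolving with its old data.
positive-time-to-live   passwd  600
# Seconds a "no such user" answer is cached.
negative-time-to-live   passwd  20
suggested-size          passwd  211
# Only watches local /etc/passwd for changes; LDAP changes are not seen
# until the TTL expires.
check-files             passwd  yes

# Same for group (gid <-> name) lookups.
enable-cache            group   yes
positive-time-to-live   group   3600
negative-time-to-live   group   60
suggested-size          group   211
check-files             group   yes

# ---- slapd.conf (server side: index what nss_ldap filters on) ----
# Equality indexes for the attributes used in NSS lookups. Each index
# costs disk space/memory and slows modifications, as noted above.
index   objectClass     eq
index   uid             eq
index   uidNumber       eq
index   gidNumber       eq
index   memberUid       eq
```

After removing or changing an account in the directory, `nscd -i passwd` (and `nscd -i group`) drops the cached entries instead of waiting for the TTL to expire.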