[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap for unix auth

To: Seth Vidal <skvidal@phy.duke.edu>
Subject: Re: ldap for unix auth
From: Rich Graves <rcgraves@brandeis.edu>
Date: Tue, 19 Oct 1999 18:10:48 -0400 (EDT)
Cc: Openldap-Software@OpenLDAP.org
In-reply-to: <Pine.LNX.4.10.9910191727310.18355-100000@roma.phy.duke.edu>

On Tue, 19 Oct 1999, Seth Vidal wrote:

> is anyone currently using openldap for an NIS replacement?

http://www.padl.com/

Duke should be able to afford the LDAP-NIS gateway piece, and you'll need it
in a heterogeneous environment. We don't because we're all IRIX 6.5 or
Linux.

> If so do you have any references that you used and can you tell me about
> any speed comparison's/tweaks you may have done to the system?

I'm using nss_ldap and pam_ldap in beta, production "soon." I crippled
get??ent() by changing the search filter to (uid=nobody) because
(objectclass=posixaccount) takes too long and I never much liked user
enumeration anyway. Look at filt_getpwent[] in ldap-pwd.h and analogs for
grent, ect. I recompiled finger to default to finger -m, but no other
program I intend to support seems bothered by the hackage.

As long as you aren't walking the whole LDAP space with getpwent(),
performance seems fine. ls -l in a 3000-item /var/spool/mail is actually
faster with nss_ldap than it is with a flat password file, but slower than
with dbm passwords. The usual LDAP tuning parameters apply. If you're
changing LDAP frequently (we're not) I like the UMich suggestion of having
the master and most slaves skip sync-writes.

I'm working (occasionally) on one show-stopper: using the current or
previous versions of nss_ldap under Linux 2.0.36 or 2.2.12, patched RedHat
5.2 or 6.1, the ssh 1.2.26 or 1.2.27 _client_ crashes with sig11 the second
time it does a getpwuid() in tildexpand.c iff ssh is setuid-root and the
user's primary group exists only in LDAP-land. This is necessary for
eliminating user enumeration features while still allowing RSA host
authentication to work. A 10-line C program that does the same system calls
succeeds. This makes me uncomfortable.

Is there an active nss_ldap/pam_ldap mailing list? I thought there used to
be, but I couldn't find it when I was working on this a couple weeks ago.
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator

References:
- ldap for unix auth
  - From: Seth Vidal <skvidal@phy.duke.edu>

Prev by Date: ldap for unix auth
Next by Date: RE: ldap for unix auth
Index(es):
- Chronological
- Thread