Re: ldap for unix auth
On Tue, 19 Oct 1999, Seth Vidal wrote:
> is anyone currently using openldap for an NIS replacement?
Duke should be able to afford the LDAP-NIS gateway piece, and you'll need it
in a heterogeneous environment. We don't because we're all IRIX 6.5 or
> If so do you have any references that you used and can you tell me about
> any speed comparisons/tweaks you may have done to the system?
I'm using nss_ldap and pam_ldap in beta, production "soon." I crippled
get??ent() by changing the search filter to (uid=nobody) because
(objectclass=posixaccount) takes too long and I never much liked user
enumeration anyway. Look at filt_getpwent in ldap-pwd.h and analogs for
grent, etc. I recompiled finger to default to finger -m, but no other
program I intend to support seems bothered by the hackage.
As long as you aren't walking the whole LDAP space with getpwent(),
performance seems fine. ls -l in a 3000-item /var/spool/mail is actually
faster with nss_ldap than it is with a flat password file, but slower than
with dbm passwords. The usual LDAP tuning parameters apply. If you're
changing LDAP frequently (we're not) I like the UMich suggestion of having
the master and most slaves skip sync-writes.
I'm working (occasionally) on one show-stopper: using the current or
previous versions of nss_ldap under Linux 2.0.36 or 2.2.12, patched RedHat
5.2 or 6.1, the ssh 1.2.26 or 1.2.27 _client_ crashes with sig11 the second
time it does a getpwuid() in tildexpand.c iff ssh is setuid-root and the
user's primary group exists only in LDAP-land. This is necessary for
eliminating user enumeration features while still allowing RSA host
authentication to work. A 10-line C program that does the same system calls
succeeds. This makes me uncomfortable.
Is there an active nss_ldap/pam_ldap mailing list? I thought there used to
be, but I couldn't find it when I was working on this a couple weeks ago.
Rich Graves <email@example.com>
UNet Systems Administrator
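A small audit script for the configuration described in the message above, added here as an example and not part of the original thread: it checks that NSS enumeration (getpwent) has been crippled down to the sentinel account from the (uid=nobody) filter while direct lookups by name (getpwnam) still resolve. The enumeration and lookup callables are injectable so the check can run offline against constructed data; by default it uses the live pwd module.

```python
"""Audit NSS: enumeration crippled, per-user lookups intact.

Added example, not code from the original thread or from nss_ldap.
Assumes the message's setup: nss_ldap's getpwent() filter rewritten so
that walking the password database returns only a sentinel account
(here "nobody"), while getpwnam()/getpwuid() keep working.
"""
import pwd
from typing import Callable, Iterable, Optional


def _default_lookup(name: str) -> Optional[pwd.struct_passwd]:
    try:
        return pwd.getpwnam(name)
    except KeyError:
        return None


def audit_enumeration(
    known_users: Iterable[str],
    sentinel: str = "nobody",
    list_users: Callable[[], Iterable] = pwd.getpwall,
    lookup_user: Callable[[str], Optional[object]] = _default_lookup,
) -> dict:
    """Report which accounts enumeration still exposes (beyond the
    sentinel) and whether every known account still resolves by name.
    list_users may yield pwd structs or plain names."""
    names = {getattr(e, "pw_name", e) for e in list_users()}
    exposed = sorted(names - {sentinel})
    resolvable = {u: lookup_user(u) is not None for u in known_users}
    return {
        "enumeration_crippled": not exposed,   # only the sentinel came back
        "exposed_accounts": exposed,
        "lookups_ok": all(resolvable.values()),  # named lookups still work
        "resolvable": resolvable,
    }


if __name__ == "__main__":
    # Hypothetical account names for a live run; replace with real ones.
    report = audit_enumeration(["alice", "bob"])
    for key, value in report.items():
        print(f"{key}: {value}")
```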