
Re: pam_ldap slow

Thanks for the tips, but I've tried them all and continue to have
performance problems.

Is it possible to change the filter that the group "lookup" uses?
As I said in my previous post, the default filter that is being run for
group lookup is:
conn=0 op=2 SRCH base="dc=musc,dc=edu" scope=sub

I've run this filter using ldapsearch and it's slow:
ldapsearch -H ldap://itlab.musc.edu -s sub -b "dc=musc,dc=edu" 

but if I change the filter to this:
ldapsearch -H ldap://itlab.musc.edu -s sub -b "dc=musc,dc=edu"

I get the same results, only very fast.

Does my problem lie with the "uniqueMember" attribute?  I do not have
that attrib. in my ldap.

Group entries look like this:
dn: cn=itlab,ou=groups,dc=musc,dc=edu
objectClass: posixGroup
objectClass: top
cn: itlab
userPassword: {crypt}*
gidNumber: 1389
memberUid: binzafar
memberUid: jonesje
memberUid: sprovero
memberUid: starmerf
memberUid: starmerj 

Thanks again.

On Thu, May 10, 2001 at 04:02:21AM +0100, Paul Jakma wrote:
> On Wed, 9 May 2001, Matthew Gregg wrote:
> > Running slapd in debug mode, this filter appears to be run for group validation/membership:
> > conn=0 op=2 SRCH base="dc=musc,dc=edu" scope=2
> > filter="(&(objectClass=posixGroup)(|(memberUid=root)
> > (uniqueMember=uid=testuser,ou=People,dc=musc,dc=edu)))"
> Hi Matthew,
> on the client run nscd and configure it with reasonable positive
> cache times.  And on the server add an 'equal' index for
> attribute memberUid.
> regards,

brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
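
Added example, not part of the original post and not pam_ldap or nss_ldap code: a small parser for the string filter quoted in the message above that lists which attributes the filter tests and how, so the list can be compared with the indexes configured on the directory server. The function names are hypothetical, the configured-index set passed in is a constructed assumption, the kind labels are chosen for this example, and extensible-match (`:=`) items are not handled.

```python
import re

# Filter quoted on this page, from the slapd debug output in the quoted message.
PAGE_FILTER = ("(&(objectClass=posixGroup)(|(memberUid=root)"
               "(uniqueMember=uid=testuser,ou=People,dc=musc,dc=edu)))")

_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)", re.S)
_KINDS = {"~=": "approx", ">=": "order", "<=": "order"}

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":              # composite: (&...), (|...), (!...)
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or i >= len(s) or s[i] != ")":
            raise ValueError("malformed composite filter at offset %d" % i)
        return (op, kids), i + 1
    end = s.find(")", i)                          # a literal ')' in a value is written \29
    m = _ITEM.fullmatch(s[i:end]) if end != -1 else None
    if not m:
        raise ValueError("malformed filter item at offset %d" % i)
    attr, rel, value = m.groups()
    # '=' alone is presence (value '*'), substring (contains '*') or equality.
    kind = _KINDS.get(rel) or ("pres" if value == "*" else "sub" if "*" in value else "eq")
    return ("item", attr, kind), end + 1

def attributes_tested(filter_text):
    """Map each attribute (lower-cased) to the set of match kinds the filter applies."""
    root, pos = _parse(filter_text, 0)
    if pos != len(filter_text):
        raise ValueError("trailing data at offset %d" % pos)
    found, stack = {}, [root]
    while stack:
        node = stack.pop()
        if node[0] == "item":
            found.setdefault(node[1].lower(), set()).add(node[2])
        else:
            stack.extend(node[1])
    return found

def missing_indexes(filter_text, configured):
    """Return {attribute: [kinds]} that the filter tests but `configured` does not list."""
    have = {a.lower(): set(k) for a, k in configured.items()}
    gaps = {a: sorted(k - have.get(a, set())) for a, k in attributes_tested(filter_text).items()}
    return {a: k for a, k in gaps.items() if k}
```

For example, `missing_indexes(PAGE_FILTER, {"objectClass": {"eq"}})` reports `memberuid` and `uniquemember` as tested for equality without a listed index.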