
Re: Optimizing OpenLDAP pam authentication (it's very slow)

Thus spake Matthew Gregg:
> But I no longer have memberUid in my LDAP. Should I index a
> nonexistent object?
> As my email stated, the PADL migrations scripts create ldif's that use
> the memberUid schema, but after some advice from this group I changed
> the migrations script to produce groupOfUniqueNames/uniqueMember
> schema.
> At the point that I was in fact using memberUid's I did have it
> indexed and had the exact same performance problem.

Did you have it indexed for presence or equality?  You have uniqueMember
indexed here for presence, which I don't think is enough--you need it
indexed for equality too.

> Does anyone know the correct "configuration" for nsswitch/pam
> authentication? Is it "memberUid" or "groupOfUniqueNames/uniqueMember"
> or neither?

RFC 2307 only defines memberUid, not uniqueMember.

W. Reilly Cooley                           wcooley@nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
LNXS: Get 0.2.0-devel at http://sourceforge.net/projects/lnxs/
irc.openprojects.net                                     #lnxs

It is now quite lawful for a Catholic woman to avoid pregnancy by a resort to
mathematics, though she is still forbidden to resort to physics and chemistry.
		-- H.L. Mencken
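
The presence-versus-equality point in the reply above can be checked mechanically. The following is an added example, not part of the original message or of OpenLDAP: it parses the `index` directives of a slapd.conf and reports group-membership attributes that lack an `eq` index. The function name and the sample configuration are constructed, and a single database section is assumed.

```python
# Added example: flag slapd.conf attributes that have no equality (eq) index.
# Assumptions: one database section; an "index <attr>" line with no index
# types inherits whatever an earlier "index default ..." line set.

def equality_index_gaps(conf_text, attrs=("memberUid", "uniqueMember")):
    """Return {attr: [index types found]} for every attr lacking 'eq'."""
    # slapd.conf: '#' in column 0 is a comment, leading whitespace continues
    # the previous line.
    logical = []
    for raw in conf_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    default, indexed = set(), {}
    for line in logical:
        words = line.split()
        if len(words) < 2 or words[0].lower() != "index":
            continue
        kinds = {k.lower() for k in words[2].split(",")} if len(words) > 2 else None
        for name in words[1].split(","):
            if name.lower() == "default":
                default = kinds or set()
            else:
                found = default if kinds is None else kinds
                indexed.setdefault(name.lower(), set()).update(found)

    gaps = {}
    for attr in attrs:
        have = indexed.get(attr.lower(), set())
        if "eq" not in have:
            gaps[attr] = sorted(have)
    return gaps

# Constructed sample resembling the situation in the thread:
# uniqueMember is indexed for presence only.
SAMPLE = """\
database bdb
suffix "dc=example,dc=com"
index objectClass eq
index uniqueMember pres
index memberUid,uid eq
"""

if __name__ == "__main__":
    for attr, have in equality_index_gaps(SAMPLE).items():
        print(f"{attr}: indexed for {have or 'nothing'}, needs eq")
```

After adding `eq` to a directive, existing entries still have to be reindexed (for example with `slapindex` while slapd is stopped) before the new index is used.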
