[Date Prev][Date Next]
Re: Optimizing OpenLDAP pam authentication (it's very slow)
I REALLY appreciate all the help you guys are giving and I hope to
find a fix.
I had long ago tried this.
Currently it looks like:
The rest are commented.
Logins are slow.
If I change nss_base_group to "ou=Groups,dc=musc,dc=edu?base"
Logins are fast except, when I run "groups" to see what groups I
belong to, it only returns my "numeric" group not it's name nor the
other 6 groups I belong to.
On Thu, May 31, 2001 at 04:26:34PM -0400, Rechenberg, Andrew wrote:
> Actually the "nss_base_passwd" and "nss_base_group" configuration options
> tell pam_ldap and nss_ldap where to look for the appropriate objects. There
> are other configuration options that you "AND" with the search filter, but
> the "nss_base_*" options just tell the modules where to look to apply that
> If you tell the modules where to look for the appropriate object, it should
> speed up logins noticeably. If all of your objects lie in
> ou=something,ou=people,dc=my,dc=com then use
> nss_base_passwd ou=something,ou=people,dc=my,dc=com?one
> in your /etc/ldap.conf file.
> You're telling it EXACTLY where to look instead of doing a subtree search
> like dc=my,dc=com?sub
> I only wish there were a way to have multiple RFC2307bis naming contexts in
> that file, because in my situation, users are all over the tree and if they
> are in a container at the bottom of the tree alphabetically, then it takes
> longer to do auth's and such. Active Directory doesn't support object
> aliasing so I can't do that either :\
> Oh well, try the nss_base_* config option; it should help speed things up.
> Hope this helps.
> Andrew Rechenberg
> Network Team, Sherman Financial Group
> Phone: 513.677.7809
> Fax: 513.677.7838
> From: Matthew Gregg [mailto:email@example.com]
> Sent: Thursday, May 31, 2001 11:43 AM
> To: GOMBAS Gabor
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Optimizing OpenLDAP pam authentication (it's very slow)
> I've seen that and tried that. What that does is "and" your filter
> with the default filter. How to change/override the default filter would be
> the trick. Right?
> On Thu, May 31, 2001 at 05:24:41PM +0200, GOMBAS Gabor wrote:
> > On Thu, May 31, 2001 at 11:12:38AM -0400, Matthew Gregg wrote:
> > > Also, the filter that is being run is coming from nsswitch/pam_ldap.
> > > It's not something that I can configure, without some code changes.
> > Yes you can. Look at the sample ldap.conf in the nss_ldap distribution
> > (the nss_base_* parameters).
> > Gabor
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars