
Re: PAM/LDAP performance problem

Stefan Brohs <sbrohs@iprimus0800.net> writes:

> - why is PAM reading all group entries at all (and more than once)?

This seems to be initgroups(3).  PAM needs to put the user in all the
groups she is a member of.  Without special help, this requires
traversing the group list.  Some platforms have special, in some cases
very recent, support for this.  IIRC, the original nss specification
had no way to do this operation efficiently so applications had to
resort to complete traversal.  And this is something you cannot solve
at the LDAP level, it has to do with your NSS service implementation
(say, glibc in Linux) and NSS LDAP implementation.

I have heard that recent versions of glibc and nss_ldap will be able
to enumerate efficiently the list of groups a user is a member of,
provided the indices are there, of course.

But as long as it is trying to list all groups, you can do nothing at
the LDAP side.  I suggest you investigate this topic at the nss-ldap
and pam-ldap lists at PADL.

If you have no other recourse, you may investigate removing posix
groups from your directory so that that operation is quick and even
removing 'ldap' from the groups line in /etc/nsswitch.conf.  Sometimes
you can do with groups defined in just /etc/group.
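An added illustration, not part of the original thread, of the full group traversal described above: the group entries are a constructed sample in group(5) format, standing in for what nss_ldap would hand back from enumerating every posixGroup, and the lookup walks all of them for each login, the way initgroups(3) has to without an indexed membership query.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample entries (name:passwd:gid:members), not a real directory. */
static const char *sample_groups[] = {
    "wheel:x:10:alice,bob",
    "audio:x:29:alice",
    "video:x:44:",
    "devel:x:500:bob,carol",
    "staff:x:600:alice,carol,dave",
};
#define NGROUPS_SAMPLE (sizeof sample_groups / sizeof sample_groups[0])

/* Does the comma-separated member list name this user exactly? */
static int member_of(const char *members, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *p = members; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == ulen && memcmp(p, user, len) == 0)
            return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Naive initgroups(3)-style lookup: read every entry (as getgrent would) and
 * collect the gids whose member list names the user. Returns the number of
 * supplementary gids found; *scanned receives how many entries were read,
 * which is always all of them. The primary gid from passwd is not included. */
int collect_groups(const char *user, unsigned gids[], int max, int *scanned)
{
    int n = 0;
    *scanned = 0;
    for (size_t i = 0; i < NGROUPS_SAMPLE; i++) {
        char line[256];
        snprintf(line, sizeof line, "%s", sample_groups[i]);
        (*scanned)++;
        char *gidstr = strchr(line, ':');            /* skip name */
        if (!gidstr || !(gidstr = strchr(gidstr + 1, ':'))) continue;
        gidstr++;                                    /* skip passwd */
        char *members = strchr(gidstr, ':');
        if (!members) continue;
        *members++ = '\0';
        if (member_of(members, user) && n < max)
            gids[n++] = (unsigned)strtoul(gidstr, NULL, 10);
    }
    return n;
}
```

With a real directory the same walk happens over every posixGroup entry on each login, which is the cost the thread is discussing.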