lists.arthurdejong.org

Re: [nssldap] lookup delay using nss_ldap with Active Directory

Jonathan Nilsson wrote:
> Okay, I'm back after the weekend and I will keep attacking this problem
> now.
> 
>>> You should definitely give nscd a try. Caching is essential. It makes
>>> a big
>>> difference.
>>
>> I disagree. Caching is only necessary when your server can't keep up
>> with the workload, which will happen in large environments, or with slow
>> servers.
> 
> I too have heard of all the problems that nscd can cause, so I have
> avoided it myself.  I do not think that our environment is too large for
> our servers to handle the load.  We have about 800 user objects (many are
> old and disabled) and 150 groups, organized into about a dozen OU
> containers. Our 3 DCs are mostly sitting idle with about 30-40% free
> memory.  There is no noticeable spike in usage when I do the lookups (at
> least none that I can see using Task Manager).
> 
>> Now for a disclaimer: I do run nscd myself, because it's a good
>> practice. However, when otherwise healthy systems lock up because of one
>> basic daemon, or failover to another server doesn't work as advertised,
>> it can be very frustrating. Where I work, we are considering turning off
>> nscd on all of our systems due to a recent series of problems that were
>> all traced back to nscd.
> 
> This is interesting, I may at some point give nscd a try in a test
> environment, or as a last resort here if I am unable to improve
> performance.

My problems with nscd have been pretty rare, but when they do occur,
they've been very severe.

> 
>>>> Is it possible that it is an indexing issue with Active Directory? Have
>>>> other people had to make modifications to the Active Directory
>>>> Schema to
>>>> index additional attributes, such as "uid", "member" or "objectclass"?
>>>
>>> An index on uid, member, uidNumber, gidNumber would help.
> 
> I will index these and see if that changes anything.
> 
> Thanks,

-- 
Prentice