RSS feed

Re: Group lookups (groupOfNames)

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Group lookups (groupOfNames)

0On Fri, 2011-05-20 at 14:04 +1000, Tim wrote:
> I will have to think about our database layout a bit more now, as it
> appears that a lookup using out format will probably do more LDAP
> queries than the uid=username format.

Using memberUid is fastest with nss-pam-ldapd (and nss_ldap I guess).

> 1 for the group, then 1 for each dn in the group to get the uid attr.
> Not sure if currently nslcd will be able to skip that 2nd lookup using
> the uid=username format given that it has the dn and can just read the
> uid from the dn?

If you're using member or uniqueMember, nss-pam-ldapd first tries to get
the uid attribute from the DN and falls back to doing a search for each
group member (which can be slow). Note that nss-pam-ldapd does cache
these DN to uid lookups for 15 minutes to ensure that it works
reasonably when you have a large number of groups that have a lot of
members. It's also reasonably safe to cache this because a DN isn't
about to change it's uid very often.

> I guess when it's all running well, nscd will cache so should I worry
> about the extra lookup?

nscd should cache a lot of information but it doesn't cache everything.
It doesn't cache the "get all groups" or "get all users" results. I also
think that not all versions cache the "get me all groups this user
belongs to" results.

Also, a lot of users have stability problems with nscd. I personally
only had issues a long time ago though and for most systems I've
switched to unscd which seems to be better (at least less people
complain about it ;) ).

-- arthur - - --
To unsubscribe send an email to or see