Re: memberUid mappings in AD
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: memberUid mappings in AD
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: memberUid mappings in AD
- Date: Sun, 29 Apr 2012 22:34:25 +0200
On Sun, 2012-04-29 at 18:21 +0200, steve wrote:
> Problem: with 0.8.4 there are _hundreds_ of calls to ldap compared to
> 2 or 3 at the most with the same call (e.g. a user logging in) on
> 0.7.13
[...]
> The only way we can stop it is with nscd. Are we supposed to be
> running with nscd?
There should not be any major differences in the number of searches
performed between those two versions (assuming 0.7.13 has the
uniqueMember mapping enabled). nscd will make a big difference here and
it is recommended for most larger networks (turn off nscd if you're
debugging though). nscd has had major issues in the past and unscd is a
re-implementation that should be more stable.
There is also a difference between a nslcd that has just been started
and one that has processed some requests already, especially if you use
the member attribute. An LDAP lookup is needed to translate the DN from
the member attribute into a uid value. Sadly LDAP doesn't have the
equivalent of a JOIN so this means a lot of lookups. nslcd caches the
results of such lookups for 15 minutes which could also explain the
differences.
If the above doesn't explain the differences I would like to see nslcd
-d output of both systems while processing a similar request.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
- Re: memberUid mappings in AD, (continued)