Re: Slow logins
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Slow logins
- Date: Thu, 19 Dec 2013 21:39:34 +0100
On Thu, 2013-12-19 at 18:20 +0000, Daniel Givens wrote:
> The filters were added in an attempt to speed things up. No difference
> with them gone. By the way, the LDAP server is Novell eDirectory.

On login a lot of lookups are done. One of the things that can result in
a lot of searches is group lookups. On login a request is made to find
the groups of a user. In this case nslcd will do an optimisation and
not look up the group members but for each group a user belongs to, the
complete information is looked up again.

If you are using the member or uniqueMember attribute this will trigger
a lookup for each member value to turn it into a username (nslcd will
again optimise here if the uid attribute is present in the DN).

Some ways around this:
- use the memberUid attribute in your LDAP server
- map group member none (or uniqueMember depending on your
  nslcd version) (but this will probably no longer show all
  users in the group)
- use filters (or base option) to limit users that are matched
- use nscd (or unscd) to cache some information (this mostly
  helps subsequent logins)
- use a faster LDAP server (perhaps caching proxy) (I have a
  test network with 2000 users that works fine)

Another thing that may help is to increase DN2UID_CACHE_TIMEOUT in
nslcd/passwd.c and recompile to keep cached DN to uid lookups longer in
the nslcd cache. This again will not help the first login.
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
--
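
Added example (not part of the original message and not nslcd code): a simplified Python model of the DN-to-uid searches described in the message above, showing how many extra searches one login triggers for member-style groups and when the uid-in-DN shortcut or a warm cache avoids them. The function names, the cache model and the group entries are assumptions constructed for illustration.

```python
import re

# First RDN of a DN: attribute name and value (backslash escapes allowed).
_FIRST_RDN = re.compile(r"^\s*([^=,+]+)=((?:\\.|[^,+\\])+)")


def uid_from_dn(dn):
    """Return the uid when the first RDN is uid=..., else None (a search is needed)."""
    m = _FIRST_RDN.match(dn)
    if m and m.group(1).strip().lower() == "uid":
        return m.group(2).strip()
    return None


def dn_searches(groups, cache=None):
    """Count DN-to-uid searches needed to resolve the members of the given groups.

    groups: dicts with optional 'memberUid' (usernames) and 'member' (DNs) lists.
    cache:  set of already resolved DNs, modelling a DN-to-uid cache (assumption).
    """
    cache = set() if cache is None else cache
    searches = 0
    for group in groups:
        # memberUid values are usernames already, so they cost no extra search.
        for dn in group.get("member", []):
            key = dn.lower()
            if uid_from_dn(dn) is not None or key in cache:
                continue  # username readable from the DN, or resolved earlier
            cache.add(key)
            searches += 1
    return searches


def sample_groups(rdn_attr):
    """Constructed sample: two groups sharing members, DNs built on rdn_attr."""
    staff = [f"{rdn_attr}=user{i},ou=staff,o=example" for i in range(200)]
    return [{"cn": "staff", "member": staff},
            {"cn": "vpn", "member": staff[:50]}]


if __name__ == "__main__":
    cache = set()
    print("cn= DNs, cold cache:", dn_searches(sample_groups("cn"), cache))
    print("cn= DNs, warm cache:", dn_searches(sample_groups("cn"), cache))
    print("uid= DNs:", dn_searches(sample_groups("uid")))
    print("memberUid only:", dn_searches([{"cn": "staff", "memberUid": ["user0"]}]))
```

Feeding it the member lists of the groups a slow-logging-in user belongs to gives an estimate of how much of the delay comes from member resolution rather than from the user and group searches themselves.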