lists.arthurdejong.org

Re: Slow logins

On Thu, 2013-12-19 at 18:20 +0000, Daniel Givens wrote:
> The filters were added in an attempt to speed things up. No difference
> with them gone. By the way, the LDAP server is Novell eDirectory.

On login a lot of lookups are done. One of the things that can result in
a lot of searches is group lookups. On login a request is made to find
the groups of a user. In this case nslcd will do an optimisation and
not look up the group members but for each group a user belongs to, the
complete information is looked up again.

If you are using the member or uniqueMember attribute this will trigger
a lookup for each member value to turn it into a username (nslcd will
again optimise here if the uid attribute is present in the DN).

Some ways around this:
- use the memberUid attribute in your LDAP server
- map group member none (or uniqueMember depending on your
  nslcd version) (but this will probably no longer show all
  users in the group)
- use filters (or base option) to limit users that are matched
- use nscd (or unscd) to cache some information (this mostly
  helps subsequent logins)
- use a faster LDAP server (perhaps caching proxy) (I have a
  test network with 2000 users that works fine)

Another thing that may help is to increase DN2UID_CACHE_TIMEOUT in
nslcd/passwd.c and recompile to keep cached DN to uid lookups longer in
the nslcd cache. This again will not help the first login.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
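
The lookup pattern described in the message above, as an added example that is not part of the original post and is not nss-pam-ldapd code: a simplified model that estimates how many LDAP searches one login's group lookups cause for memberUid groups, for member DNs that carry the uid in their first RDN, and for member DNs that do not. The function names, the `dn2uid_cache` set standing in for nslcd's DN-to-uid cache, and all entries are assumptions constructed for illustration.

```python
import re

# Simplified model of the group lookups described in the post above.
# It is not nslcd's code; every entry below is constructed sample data.
def rdn_uid(dn, uid_attr="uid"):
    """Return the username when the first RDN of dn is uid_attr=value."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, sep, value = first.partition("=")
    if not sep or "+" in first:          # malformed or multi-valued RDN
        return None
    if attr.strip().lower() != uid_attr.lower():
        return None
    return value.strip() or None

def login_searches(groups, dn2uid_cache=None):
    """Estimate LDAP searches for one login, given the user's groups."""
    cache = set() if dn2uid_cache is None else dn2uid_cache
    searches = 1                          # find the groups of the user
    for group in groups:
        searches += 1                     # complete group entry fetched again
        for dn in group.get("member", []):
            key = dn.lower()
            if rdn_uid(dn) or key in cache:
                continue                  # username known without a search
            searches += 1                 # search to turn the DN into a name
            cache.add(key)
    return searches

def sample_groups(rdn_attr):
    """Two constructed groups whose member DNs start with rdn_attr=."""
    base = "ou=people,dc=example,dc=com"
    dn = lambda name: f"{rdn_attr}={name},{base}"
    return [
        {"cn": "staff", "member": [dn("alice"), dn("bob"), dn("carol")]},
        {"cn": "admins", "member": [dn("alice"), dn("dave")]},
    ]

MEMBERUID_GROUPS = [{"cn": "staff", "memberUid": ["alice", "bob", "carol"]},
                    {"cn": "admins", "memberUid": ["alice", "dave"]}]

if __name__ == "__main__":
    cache = set()
    print("memberUid:", login_searches(MEMBERUID_GROUPS))
    print("uid= DNs: ", login_searches(sample_groups("uid")))
    print("cn= DNs:  ", login_searches(sample_groups("cn"), cache))
    print("cn= again:", login_searches(sample_groups("cn"), cache))
```

Passing the same `cache` set to a second call models a later login while the cached DN to uid entries are still valid; a fresh set models the first login.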