lists.arthurdejong.org
RSS feed

Re: How to avoid unnecessary LDAP operations?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: How to avoid unnecessary LDAP operations?



Hello,

thanks for your detailed answers!

On 03/26/2014 11:19 PM, Arthur de Jong wrote:

....
- Is there a way to modify the configurations of nslcd or PAM
    that would avoid these unnecessary operations?

I don't think there is much that can be done configuration-wise at the
moment.

- The last point (5) is more like a feature request: It would be nice
    if one could configure if password checks are done in a permanent
    connection or not.

Patches welcome ;)

Infortunately I don't have the opportunity to contribute.

If the LDAP server is a performance bottleneck in your environment, you
could run an LDAP proxy on your machine or even use the nssov overlay
inside the slapd proxy. The overlay also uses the PAM (and NSS) module
of nss-pam-ldapd and provide an alternative for nslcd.
...

Thanks for the suggestion.  So far we don't have a performance problem
with one installation on a cluster (although logins come from many
nodes in bursts).  As a central LDAP server manager, I am always
checking the
behaviour of new LDAP clients and since it was the first time I had a
look at nslcd LDAP operations I shared on this list what seemed to me
odd or unnecessary thinking it might be configuration dependant.

In my opinion, removing the shadow attributes request and reusing
connections for password checking BINDs (too many implementors don't
care about the overhead of opening a SSL connection) would be useful
improvements.

Thanks again and best regards!

--
Mr Dominique Petitpierre, user=Dominique.Petitpierre domain=unige.ch
IT Division, University of Geneva, Switzerland
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/