RSS feed

Re: Using nss-pam-ldapd in a large environment: Equivalent to 'nss_getgrent_skipmembers yes' to avoid unnecessary lookup flood

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Using nss-pam-ldapd in a large environment: Equivalent to 'nss_getgrent_skipmembers yes' to avoid unnecessary lookup flood

On Sat, 2015-04-18 at 12:17 +0200, Thomas Orgis wrote:
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: 
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: 
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: 
> nslcd: [7b23c6] <passwd="xxxxxxxxx"> DEBUG: 
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> Doesn't look like deref is used.

Sadly more than one thing is called deref in OpenLDAP. LDAP_OPT_DEREF
refers to the deref option in nslcd.conf and ldap.conf which handles
following of referrals by the client library while searching.

> Would this skip the separate request for each group member and instead
> return all group information in one lump? 

The deref control is supported by the deref overlay in slapd and it
allows returning user information with group lookups that are referenced
in the member attribute so it would return the information you describe.
This control is requested by nslcd (0.9.3 and later) transparently with
searches. I haven't done much in performance analysis of that though.

> Now the time to id the user in a handful of groups with a truckload of
> members is only 42 ms, with 14 LDAP searches (calls to
> myldap_search()). That seems acceptable, probably a tiny bit quicker
> when querying an LDAP cache closer to the client.

Usually (u)nscd helps improve local performance but it can be a bit
picky about the environment you want (forward and reverse lookups not
returning the same information).

> This is the same with a hacked 0.8.13, which we are more likely to use
> to avoid too much straying from the base distribution for that core
> component.

If you stick with 0.8.13 you should only have to replace nslcd and not
the NSS and PAM modules (0.9 nslcd will not work with 0.8 NSS module and
vice versa). If you're not using the distribution sources I would
recommend the latest 0.8 release though. There are only very minor
feature improvements and a number of small fixes.

> Would that be even less requests if our server offered deref?

I don't think the deref control/overlay will give you better performance
that not requesting the attribute altogether.

> Anyhow, May I suggest to consider including this hack, along with a
> configuration setting that's off by default, in a future version of
> nslcd?

The nss_getgrent_skipmembers option will be in the next 0.9 release.


-- arthur - - --
To unsubscribe send an email to or see